AZ-900 Practice Test Bank: 200+ Qs with Answers

Section 1.1: Understanding the Microsoft Azure Fundamentals certification path

The Microsoft Azure Fundamentals certification, tested through exam AZ-900, sits at the entry point of the Azure certification path. It is designed for candidates who are new to cloud computing, new to Azure, or both. That means the exam does not assume you are an administrator, developer, or architect. However, do not misread “fundamentals” as “casual.” Microsoft expects you to understand the language of cloud services well enough to make accurate distinctions. The exam is ideal for students, business stakeholders, sales professionals, project managers, and technical beginners preparing for role-based Azure certifications later.

From an exam-prep perspective, AZ-900 serves two functions. First, it validates broad awareness of cloud concepts such as elasticity, scalability, consumption-based pricing, and shared responsibility. Second, it builds a foundation for later certifications by introducing the service categories and governance tools that appear in more advanced exams. Even if you plan to continue to Azure Administrator, Azure Developer, or security-focused paths, this exam establishes the core mental map you will reuse later.

What the exam tests here is your ability to recognize major categories and explain them at a business and technical summary level. You are not expected to configure complex environments. You are expected to know what Azure is, why organizations adopt cloud services, and how Microsoft structures its cloud offerings. Candidates often fall into a trap by studying only product names. Product names matter, but the certification path begins with concept fluency. If you know the purpose of a service family, you can answer more questions even when a scenario is phrased differently.

Exam Tip: Think of AZ-900 as a “why and what” exam, not a “how to implement every step” exam. If an answer option sounds highly procedural or deeply technical, it may be beyond the scope unless it supports a basic concept comparison.

As you progress through this course, keep the certification path in mind. The goal is not just passing one test; it is learning the Microsoft framework for cloud thinking. That is why this chapter emphasizes orientation and strategy before content drilling. Candidates who understand where AZ-900 fits are more likely to study at the correct depth and avoid wasting time on advanced details not rewarded on the exam.

Section 1.2: AZ-900 exam structure, scoring model, and question formats

Before you can beat the exam, you need to understand its mechanics. AZ-900 typically presents a mix of question styles rather than one fixed format. You may encounter standard multiple-choice items, multiple-response items, matching-style tasks, drag-and-drop style interactions, and short scenario-based questions. Microsoft may update delivery formats over time, so your best preparation is flexibility: understand the concept, then practice applying it in different layouts.

The scoring model matters because it affects your test-day behavior. Microsoft reports scores on a scaled system, and a passing score is commonly presented as 700. Scaled scoring means candidates should avoid trying to reverse-engineer raw point values. Instead, focus on accuracy and careful reading. Some questions may be weighted differently, and not every item necessarily contributes equally in the way candidates expect. The key lesson is simple: every question deserves full attention.

Common AZ-900 question patterns include definition recognition, feature comparison, best-fit service selection, and true-benefit identification. For example, one option may be technically related but not the best answer. This is one of Microsoft’s favorite traps. A distractor is often plausible, not absurd. For instance, a governance tool can appear in an answer set with a monitoring tool, even though both are real Azure capabilities. The exam tests whether you can separate “used to observe” from “used to enforce.”

Exam Tip: Read the noun and the verb in the question carefully. If the item asks which solution “enforces,” “restricts,” or “controls,” think governance tools. If it asks which solution “tracks,” “collects,” or “analyzes,” think monitoring or reporting tools. One word often decides the answer.

Another important skill is elimination. Start by removing answer choices that belong to the wrong service category. If the question is about cloud deployment models, eliminate service models. If the question is about storage redundancy, eliminate compute services. This objective-based filtering is one of the fastest ways to improve your score, especially when you are unsure. The practice bank in this course is designed to build exactly that habit so you can interpret Microsoft-style questions rather than simply memorizing isolated facts.

Section 1.3: Registration process, exam policies, identification, and retake rules

Certification success includes more than content mastery. Administrative mistakes can create unnecessary stress or even prevent you from testing. For AZ-900, candidates generally register through the Microsoft certification portal and are directed to an authorized exam delivery provider. During scheduling, you will usually choose a delivery mode such as a testing center or an online proctored exam. Your choice should be based on your testing environment, comfort level, and ability to meet technical or location requirements.

If you select online delivery, prepare your space in advance. You will typically need a quiet room, a reliable internet connection, appropriate identification, and a workspace that complies with exam security rules. Candidates sometimes underestimate how strict these policies can be. Background noise, unauthorized items, or identification mismatches can delay or invalidate an exam session. If you choose a test center, plan transportation time, arrival timing, and the exact identification documents required.

Identification rules are especially important. Your registered name should match your government-issued identification closely enough to satisfy the testing provider’s policy. A small mismatch can become a major problem on test day. Review the official exam confirmation details well before the appointment so there is time to correct any account issues.

Retake rules also matter to your study strategy. Many candidates schedule a first exam too early, assuming they can simply retry without consequence. While retakes are possible, waiting periods and scheduling limitations may apply. That means a failed attempt can disrupt momentum. A better strategy is to use diagnostics and objective-based reviews before the first sitting so your initial attempt is a strong one.

Exam Tip: Treat exam-day logistics as part of your preparation plan. Verify your account name, appointment time, delivery method, system readiness, and ID requirements at least several days before the exam. This reduces anxiety and protects your score from avoidable distractions.

Understanding policies also helps with confidence. When logistics are already handled, your mental energy stays focused on interpreting questions and applying knowledge. That is exactly where it belongs on exam day.

Section 1.4: Official exam domains overview: Describe cloud concepts; Describe Azure architecture and services; Describe Azure management and governance

AZ-900 is organized around three major knowledge domains, and your study plan should mirror them. The first domain, Describe cloud concepts, tests foundational understanding. Expect to know the benefits of cloud computing, including high availability, scalability, elasticity, reliability, predictability, security, and governance at a conceptual level. You must also understand the shared responsibility model, cloud service types such as IaaS, PaaS, and SaaS, and deployment models such as public, private, and hybrid cloud. The most common trap here is confusing service models with deployment models. They are not the same category, and Microsoft likes to place them side by side in answer choices.

The second domain, Describe Azure architecture and services, is typically broad and highly testable. It includes core architectural components like regions, region pairs, availability zones, subscriptions, resource groups, and management groups. It also includes service families across compute, networking, storage, and identity. Questions often test whether you know what a service does at a basic level and whether it fits a business requirement. For example, you may need to distinguish virtual machines from containers, virtual networks from VPN gateways, or blob storage from file storage. Identity services, especially Microsoft Entra ID, are also central because authentication and access are recurring themes across Azure.

The third domain, Describe Azure management and governance, focuses on controlling, securing, monitoring, and optimizing your Azure environment. This includes cost management tools, pricing concepts, Service Level Agreements, governance services such as Azure Policy and resource locks, and monitoring services. The classic exam trap in this domain is mixing governance with operational insight. Policy enforces standards; monitoring observes health and activity. Cost management analyzes spending; SLAs define expected service availability commitments. Learn the role of each tool rather than memorizing names in isolation.

Exam Tip: When reviewing objectives, rewrite each domain into plain-language questions: “What is it?” “Why would I use it?” “What is it commonly confused with?” That third question is where many AZ-900 marks are won.

This course outcome structure maps directly to the exam blueprint. If you can describe cloud concepts, describe Azure architecture and services, and describe Azure management and governance with confident comparisons, you are preparing in the same way the exam is organized.

Section 1.5: Study strategy for beginners using practice banks, revision cycles, and weak-spot tracking

Beginners often make one of two mistakes: either they read passively for too long without testing themselves, or they jump into random practice questions without first understanding the exam domains. The most effective AZ-900 plan combines both content learning and structured question practice. Start with domain-based study blocks. Learn one objective area at a time, then complete a focused set of practice questions on that same area. Immediate application improves retention and reveals misunderstandings early.

A good revision cycle is simple and repeatable. First, study a topic. Second, answer a small practice set. Third, review every explanation, including correct answers. Fourth, tag weak spots. Fifth, revisit those weak spots within a few days. This spaced repetition method is far more efficient than rereading all notes from the beginning each time. For first-time certification candidates, consistency matters more than marathon sessions. Even short, regular review blocks can build the recognition speed needed for exam day.

Weak-spot tracking should be objective-based, not emotional. Do not write “I’m bad at Azure.” Write “I confuse availability zones with region pairs” or “I mix up Azure Policy and Microsoft Defender for Cloud.” Specific weaknesses can be fixed. Vague self-judgment wastes energy. Use a notebook, spreadsheet, or study app to categorize errors by domain and by confusion type such as vocabulary error, concept confusion, or careless reading.

Exam Tip: If you miss a question because two answers looked similar, create a two-column comparison note immediately. AZ-900 rewards distinctions. Your job is to turn every confusion pair into a clear contrast.

The practice bank in this course should be used as a learning instrument, not only a score checker. Topic-based drills build familiarity, cumulative reviews build endurance, and a full mock exam builds timing confidence. As your exam date approaches, shift gradually from open-note learning to closed-note recall. That transition is what converts study effort into exam readiness.

Section 1.6: Diagnostic quiz blueprint and how to review explanations effectively

Your first diagnostic quiz is not a judgment of your potential. It is a measurement tool used to set a baseline. In this course, a diagnostic should sample all three official AZ-900 domains: cloud concepts, Azure architecture and services, and Azure management and governance. The goal is breadth, not perfection. A balanced diagnostic helps you determine whether your biggest challenge is foundational terminology, service recognition, or governance and cost-control concepts.

How you review a diagnostic matters more than the initial score. Many candidates look only at the percentage and move on. That is a missed opportunity. Instead, analyze each explanation with three questions in mind: Why was the correct answer correct? Why were the other options wrong? What clue in the wording should have led me there? This method trains exam reasoning, not just answer recall. It also reveals whether the issue was knowledge, category confusion, or careless reading.

Effective review should produce action items. If you repeatedly miss questions involving service models, return to IaaS, PaaS, and SaaS comparisons. If you miss governance questions, build contrast notes for Azure Policy, resource locks, and monitoring tools. If you answer correctly but guessed, treat that as unstable knowledge and review it anyway. Guessing is not readiness.

Exam Tip: Track three result labels after each diagnostic item: “Know,” “Guessed,” and “Missed.” Both “Guessed” and “Missed” belong in your revision queue. This gives you a more honest picture of readiness than score alone.

Over time, diagnostics should become more targeted. Start broad, then focus on weak domains, then return to mixed sets to confirm retention under exam-like conditions. This process helps you identify weak areas quickly and apply a practical study strategy with measurable progress. That is how first-time candidates move from uncertainty to confident performance on AZ-900.

Section 2.1: Define cloud computing and the value proposition of cloud services

Cloud computing is the delivery of computing services over the internet. These services can include servers, storage, databases, networking, software, analytics, and more. For AZ-900 purposes, you should think of cloud computing as a model that allows organizations to access IT resources on demand without having to buy, house, and maintain all infrastructure themselves.

The value proposition of cloud services centers on flexibility, speed, and efficiency. Instead of making large upfront capital investments in hardware, organizations can obtain resources when needed and adjust usage as business conditions change. This allows businesses to experiment faster, support growth more easily, and reduce the operational burden of managing physical infrastructure.

On the exam, cloud computing is usually tested from a business or operational perspective. Microsoft wants you to understand why a company would move to the cloud. Typical reasons include lowering time to deploy, avoiding overprovisioning, improving resilience, simplifying management, and aligning costs with usage. Do not assume the cloud always means lower total cost in every scenario; rather, it often improves cost flexibility and operational efficiency.

• On-demand resource provisioning
• Broad network access
• Rapid deployment of services
• Reduced need for physical hardware ownership
• Ability to scale resources as requirements change

A common exam trap is selecting an answer that describes virtualization rather than cloud computing. Virtualization helps enable cloud services, but cloud computing adds service delivery, elasticity, and consumption-based access. Another trap is assuming “cloud” means the customer has no responsibility. That is false, especially in infrastructure and platform scenarios.

Exam Tip: If an answer choice emphasizes faster provisioning, reduced hardware management, or the ability to consume services over the internet, it is usually pointing to the cloud value proposition. If it focuses only on creating virtual machines on local servers, it may be describing virtualization rather than cloud computing as a complete model.

When eliminating distractors, ask: Is the answer describing what cloud computing is, or is it describing one supporting technology or one isolated benefit? The correct answer usually defines cloud computing as a service delivery model, not just a hardware or software feature.

Section 2.2: Describe the shared responsibility model and consumption-based pricing

The shared responsibility model explains that security, maintenance, and operations in the cloud are divided between the cloud provider and the customer. The exact division depends on the service type. In all models, the provider is responsible for the physical datacenter, physical networking, and physical hosts. The customer still has responsibility somewhere in the stack, especially for data, identity, access, and configuration decisions.

This is a favorite AZ-900 test area because it checks whether you understand that moving to the cloud does not eliminate customer responsibility. In IaaS, the customer manages more, including the operating system and many configurations. In PaaS, the provider manages more of the platform. In SaaS, the provider manages the application itself, but the customer is still typically responsible for user access, data handling, and proper usage.

Consumption-based pricing means customers pay for cloud resources based on usage. This contrasts with traditional capital expenditure models where organizations purchase hardware upfront regardless of actual usage. In cloud environments, the business can often provision resources, consume them, and pay according to measurable use such as compute time, storage consumed, or transactions processed.

Exam questions often present this as a shift from CapEx to OpEx. CapEx means large upfront spending on assets. OpEx means paying ongoing operational costs as services are consumed. Be careful: consumption-based pricing does not necessarily mean every cost is variable in every service scenario, but for AZ-900, the core idea is paying for what you use rather than buying infrastructure in advance.

• Provider responsibility always includes the physical infrastructure layer
• Customer responsibility remains for data and access decisions
• More responsibility shifts to the provider as you move from IaaS to SaaS
• Consumption pricing supports cost flexibility and faster experimentation

A common trap is answering as though the provider is responsible for customer data classification, user permissions, or application settings in every case. Another trap is confusing predictable monthly billing with traditional ownership. A cloud bill may be recurring, but it is still based on service consumption rather than asset purchase.

Exam Tip: If a question asks who is responsible for the physical servers, the answer is the cloud provider. If it asks who is responsible for access to company data, identity configuration, or account permissions, that responsibility remains with the customer.

Section 2.3: Describe the benefits of cloud computing including high availability, scalability, elasticity, agility, and disaster recovery

AZ-900 places strong emphasis on recognizing specific cloud benefits and distinguishing them from one another. High availability refers to the ability of a system to remain accessible and operational for a high percentage of time. This is often supported by redundancy, fault tolerance, and service design across multiple components or locations.

Scalability means increasing or decreasing resources to meet demand. This can happen vertically by adding more power to an existing resource, or horizontally by adding more instances. Elasticity is closely related but different: it refers to the ability to automatically or dynamically adjust resources in response to real-time demand changes. On the exam, if the scenario mentions sudden demand spikes and automatic response, elasticity is often the better answer than general scalability.

Agility means being able to deploy and adapt rapidly. In business terms, it allows organizations to test, build, and release solutions faster than with traditional infrastructure procurement cycles. Disaster recovery refers to the ability to recover systems and data after a major event. Questions may describe a regional outage, accidental deletion, or major operational disruption. In those cases, disaster recovery is the concept being tested, not just availability.

The exam may present simple business stories such as an online retailer preparing for seasonal demand, a startup that needs fast deployment, or an enterprise seeking resilience during outages. Your goal is to match the requirement to the precise cloud benefit.

• High availability = minimize downtime
• Scalability = increase or decrease capacity
• Elasticity = automatic or rapid adjustment to demand changes
• Agility = faster deployment and change
• Disaster recovery = restore service after significant failure

A very common trap is confusing high availability with disaster recovery. High availability helps keep services running. Disaster recovery helps restore them after a serious incident. Another trap is choosing scalability when the scenario clearly describes automatic expansion and contraction based on demand, which points to elasticity.

Exam Tip: Look for wording clues. “Always accessible” suggests high availability. “Handle growth” suggests scalability. “Automatically add resources during spikes” suggests elasticity. “Quickly deploy new solutions” suggests agility. “Recover after outage” suggests disaster recovery.

Section 2.4: Describe cloud service types: IaaS, PaaS, and SaaS

The three primary cloud service types tested on AZ-900 are Infrastructure as a Service, Platform as a Service, and Software as a Service. You must know what each model provides, what the customer manages, and what problem each model is best suited to solve.

IaaS provides foundational infrastructure resources such as virtual machines, storage, and networking. The customer manages the operating system, applications, data, and many security settings. IaaS offers the most control of the three service types, but it also requires the most management effort from the customer.

PaaS provides a managed platform for building, testing, deploying, and managing applications. The provider manages the underlying infrastructure and much of the platform stack, allowing developers to focus on application logic and data. PaaS is commonly the correct answer when the scenario emphasizes application development without managing servers or operating systems.

SaaS delivers complete software applications over the internet. The provider manages the application, platform, and infrastructure, while the customer typically configures usage settings and manages users and data access. SaaS is the least management-intensive model for the customer and is often the correct answer when the scenario involves accessing a finished application through a browser or subscription.

• IaaS: most customer control, most customer management
• PaaS: focus on app development, reduced infrastructure management
• SaaS: ready-to-use software, least customer management

Exam questions often test this topic indirectly. Instead of asking for definitions, they describe needs. If the organization wants to deploy custom applications without patching operating systems, think PaaS. If it wants maximum control over virtual machines, think IaaS. If it wants employees to use hosted email or collaboration software, think SaaS.

A common trap is choosing IaaS simply because servers are involved somewhere in the background. If the customer is not managing those servers, it is not IaaS from the customer perspective. Another trap is thinking SaaS means no customer responsibility at all. User management and data governance still matter.

Exam Tip: On AZ-900, move mentally from most control to least control: IaaS, then PaaS, then SaaS. Move from most management burden to least management burden in the same order.

Section 2.5: Describe cloud models: public, private, and hybrid

Cloud deployment models describe where resources are hosted and how they are made available. The core models you need for AZ-900 are public, private, and hybrid cloud. Public cloud refers to services offered over the internet and shared across multiple customers, although each customer’s data and workloads remain logically isolated. Public cloud is known for scalability, broad availability, and reduced need to manage physical infrastructure.

Private cloud refers to cloud resources used exclusively by one organization. These resources may be hosted in the organization’s own datacenter or by a third party, but the environment is dedicated to that organization. Private cloud offers greater control and can support specific compliance, customization, or legacy requirements, but it usually involves higher management responsibility and cost.

Hybrid cloud combines public cloud and private infrastructure, allowing applications and data to move between them or work across both environments. Hybrid cloud is often the best fit when an organization must keep some systems on-premises while still taking advantage of cloud scalability, backup, analytics, or burst capacity.

Microsoft commonly tests whether you can identify the model from the scenario. If a company wants to retain some local infrastructure due to regulation while extending services to the cloud, hybrid is usually correct. If the goal is avoiding datacenter management and consuming services over the internet, public cloud is the likely answer. If resources are dedicated to a single organization, private cloud fits best.

• Public cloud: provider-owned, internet-based, highly scalable
• Private cloud: dedicated to one organization
• Hybrid cloud: combines on-premises or private resources with public cloud

A frequent trap is equating private cloud with on-premises only. Private cloud can be hosted by a third party as long as it is dedicated to one organization. Another trap is assuming hybrid means merely using multiple public cloud services. For AZ-900, hybrid specifically involves a mix of public cloud and private or on-premises resources.

Exam Tip: If the question includes words like retain existing datacenter, integrate on-premises, or gradual migration, hybrid should immediately be one of your top choices.

Section 2.6: Exam-style question bank for Describe cloud concepts with detailed answer review

This section prepares you for how AZ-900 frames cloud concept questions. The exam usually does not reward memorization alone. Instead, it presents a short requirement and expects you to identify the exact cloud concept that best satisfies it. That means you should practice reading for keywords, identifying the tested objective, and eliminating answers that are true in general but not correct for the scenario.

For this domain, Microsoft frequently uses question patterns such as business goal matching, definition recognition, responsibility mapping, and model comparison. You may see prompts about minimizing upfront costs, increasing uptime, handling variable demand, reducing server management, or maintaining some on-premises infrastructure. In each case, first identify the objective being tested: benefit, service type, deployment model, or responsibility boundary.

Here is a practical elimination strategy:

• Step 1: Identify the core requirement in one phrase, such as “automatic scaling,” “finished software,” or “keep some systems on-premises.”
• Step 2: Map the phrase to the exam objective: benefit, pricing, service model, or deployment model.
• Step 3: Remove answers from the wrong category first.
• Step 4: Compare similar remaining answers using exact wording from the prompt.

Common distractor patterns include pairing scalability with elasticity, pairing high availability with disaster recovery, and pairing PaaS with SaaS. These distractors work because candidates remember related terms but do not verify whether the wording matches precisely. Another distractor pattern is using a technically true statement that does not answer the actual question. For example, a service may indeed improve security, but if the question asks about pricing flexibility, the correct answer will be the one tied to consumption-based billing.

Exam Tip: In foundational exams, the simplest accurate answer is often correct. Avoid overthinking. If the scenario describes using a complete application through a subscription, choose SaaS rather than inventing a more complex architecture.

As you practice, review not only why an answer is correct, but why the other options are wrong. That is how you build objective-based reasoning and quickly identify weak areas. This skill becomes especially valuable in cumulative review and full mock exams, where time pressure can cause candidates to choose familiar terms instead of the precise concept being tested.

Section 3.1: Describe Azure regions, region pairs, sovereign regions, and availability zones

Azure organizes its global infrastructure by geography and resiliency design. A region is a set of data centers deployed within a specific geographic area. On the AZ-900 exam, a region is often tied to ideas such as latency, compliance, data residency, and service availability. If a question asks how to place resources closer to users, reduce latency, or satisfy regional requirements, think first about Azure regions.

A region pair is two Azure regions within the same geography that are linked for disaster recovery and platform update prioritization. Microsoft commonly references region pairs in the context of resiliency. The exam does not expect deep architectural design, but you should know that region pairs support recovery planning and help maintain platform reliability during large-scale disruptions. Candidates often confuse region pairs with availability zones. Region pairs are about paired regions; availability zones are separate physical locations within a single region.

Sovereign regions are isolated Azure instances designed for specific governmental or regulatory needs. These exist to meet strict compliance, legal, or national boundary requirements. If a scenario mentions government agencies, classified workloads, or special regulatory separation from the public cloud, sovereign regions are the clue. Do not confuse sovereign regions with standard public regions that simply happen to be in a country.

Availability zones are physically separate locations within an Azure region, each with independent power, cooling, and networking. They are used to improve high availability for supported services. This is a classic exam trap: candidates see “disaster recovery” and choose region pairs even when the question asks about protecting a workload from data center failure in one region. In that case, availability zones are the better answer because the scope is inside one region.

• Region: geographic location for resource deployment.
• Region pair: paired regions for recovery and platform resilience.
• Sovereign region: isolated cloud environment for special compliance or government needs.
• Availability zone: separate physical location within a region for high availability.

Exam Tip: Watch for scope words. “Within a region” usually points to availability zones. “Across regions” may suggest region pairs. “Government or regulated isolation” suggests sovereign regions. “Near users” suggests selecting the appropriate region.

The exam tests recognition, not implementation. You do not need to design replication policies in detail. You do need to understand what problem each concept solves and avoid mixing geography terms with resiliency terms.

Section 3.2: Describe subscriptions, management groups, resource groups, and resources

This section covers one of the most important hierarchy models in Azure. The AZ-900 regularly tests whether you understand how Azure organizes administration, billing, and deployed services. The hierarchy is straightforward once you see the levels: management groups can contain subscriptions, subscriptions contain resource groups, and resource groups contain resources. Resources are the actual Azure services you deploy, such as virtual machines, storage accounts, or virtual networks.

A subscription is a unit for billing and access control. If the exam asks how to separate costs, apply spending oversight, or isolate administrative boundaries, subscription is often the right answer. Many beginners incorrectly choose resource groups for billing separation, but resource groups are primarily organizational containers for resources, not billing boundaries in the same sense as subscriptions.

Management groups sit above subscriptions and help apply governance consistently across multiple subscriptions. When a question refers to organizing many subscriptions under a common policy structure, management groups should stand out. This is especially relevant in larger enterprises. The exam will not ask you to implement governance in depth, but it expects you to know the placement and purpose of management groups.

Resource groups are logical containers for resources that share a lifecycle, permission model, or deployment pattern. A resource group helps organize related resources for a solution. If the prompt discusses managing a web app, database, and storage account together, resource group is likely correct. A common trap is to think resource groups create hard physical boundaries. They do not. They are logical groupings for management.

Resources are the individual deployable services. A virtual machine, public IP address, or storage account is a resource. Exam questions may ask at which level an item exists. If it is an actual service instance, it is a resource, not a container.

• Management groups: organize and govern multiple subscriptions.
• Subscriptions: billing and access boundaries.
• Resource groups: logical organization for related resources.
• Resources: actual Azure service instances.

Exam Tip: If the requirement is “group for management,” think resource group. If it is “group many subscriptions,” think management group. If it is “separate billing or quotas,” think subscription. If it is “the service itself,” think resource.

The exam often tests this topic by using familiar words in misleading ways. Read the question for the real administrative need, not just the word “group.”

Section 3.3: Describe core Azure compute services including virtual machines, containers, and serverless options

Azure compute is a major AZ-900 topic because it represents how workloads actually run in the cloud. At this level, Microsoft wants you to classify compute choices by control, flexibility, and management effort. The three broad choices that appear most often are virtual machines, containers, and serverless services.

Virtual machines provide the most control. They let you run an operating system and install software much like a traditional server. If a scenario requires full OS control, custom software installation, legacy application hosting, or lift-and-shift migration, virtual machines are frequently the correct answer. The trap is that candidates choose VMs for everything because they are familiar. On the exam, if the workload does not need full server control, a simpler service may be better.

Containers package an application and its dependencies in a lightweight, portable unit. They are useful when you want consistency across environments and faster deployment than a full VM. For AZ-900, know that containers are more lightweight than virtual machines and are commonly used for microservices or portable application deployment. You may see Azure Container Instances or Azure Kubernetes Service mentioned. At the fundamentals level, focus on recognizing that containers avoid bundling a full operating system per application in the same way VMs do.

Serverless options include services where Azure handles much of the infrastructure automatically and you focus on code or logic. Azure Functions is the standard exam example for event-driven code execution. If a scenario says run code in response to an event, pay only when code runs, or avoid managing servers, serverless is the clue. Candidates often miss these questions by selecting a VM simply because code has to run somewhere.

Azure App Service may also appear as a managed platform for hosting web apps and APIs without managing infrastructure at the VM level. While not identical to Azure Functions, it supports the same testable idea: less infrastructure management than VMs.

Exam Tip: Match the requirement to the least-managed service that still satisfies the need. Full control points to VMs. Portability and lightweight packaging point to containers. Event-driven or no-server-management wording points to serverless.

The exam tests service purpose more than product depth. You do not need orchestration detail, scaling syntax, or deployment pipelines. You do need to quickly separate “I need full machine control” from “I just need my application to run.”

Section 3.4: Describe core Azure networking services including virtual networks, VPN, ExpressRoute, DNS, and load balancing

Networking questions in AZ-900 are usually about purpose, not packet-level detail. The exam expects you to know what each core networking service is used for and how to distinguish secure connectivity options from traffic distribution services. Start with Azure Virtual Network, often called a VNet. A VNet is the foundational private network in Azure that allows Azure resources to communicate securely with each other, the internet, and on-premises networks when configured appropriately.

If a scenario asks for isolated network communication between Azure resources, think virtual network. This is the base concept on which many other services depend. A VPN gateway supports encrypted connectivity over the public internet between Azure and another network, often on-premises. By contrast, ExpressRoute provides private dedicated connectivity that does not travel over the public internet in the same way. The exam frequently contrasts VPN and ExpressRoute. The key difference is private dedicated connection versus encrypted internet-based connection.

DNS translates names to IP addresses. Azure DNS helps host and manage DNS domains using Azure infrastructure. On the exam, if the need is name resolution rather than connectivity or security, DNS is likely the answer. Candidates sometimes overcomplicate name-resolution questions by choosing VNet or load balancer options.

Load balancing distributes incoming traffic across multiple resources for availability and performance. At the fundamentals level, you mainly need to know the purpose of Azure Load Balancer and similar traffic-distribution services. If a question asks how to distribute traffic across multiple servers or improve application availability through traffic distribution, load balancing is the correct concept.

• Virtual Network: private networking foundation in Azure.
• VPN: secure connection over the public internet.
• ExpressRoute: private dedicated connection to Azure.
• DNS: name resolution.
• Load balancing: traffic distribution across resources.

Exam Tip: If the scenario emphasizes predictable private connectivity and enterprise-grade dedicated links, choose ExpressRoute. If it emphasizes secure connection but does not require a dedicated private circuit, VPN is often enough.

A common trap is mixing connectivity with traffic routing. VPN and ExpressRoute connect networks. Load balancing distributes application traffic. DNS resolves names. Keep those jobs separate in your mind and the answer choices become easier to eliminate.

Section 3.5: Service selection scenarios for Describe Azure architecture and services

This section ties the chapter together by focusing on how AZ-900 frames service selection. Microsoft rarely asks for deep configuration knowledge. Instead, it presents a business or technical need and expects you to choose the best-fit Azure service or architectural component. Your job is to identify the keyword that defines the requirement: latency, isolation, billing, portability, high availability, private connectivity, or event-driven execution.

If the organization wants resources close to users in Europe, the choice likely involves selecting an Azure region. If the concern is failure of a single data center inside one region, availability zones become more relevant. If the concern is separation of costs between departments, subscriptions are usually a better fit than resource groups. If the concern is grouping related application components for management, resource groups are usually enough.

For compute, ask how much infrastructure control is truly needed. A legacy app requiring OS-level customization points toward virtual machines. A modern portable application packaged consistently for deployment points toward containers. An event-triggered process that should run only when needed points toward serverless options such as Azure Functions. For networking, private enterprise connectivity to Azure points toward ExpressRoute, while a secure internet-based connection points toward VPN.

The test often uses distractors that are technically related but not best-fit. For example, a storage account may appear in a scenario that is really about compute hosting. Or a VNet may appear in a question that is actually testing DNS. Best-fit reasoning matters more than recognizing familiar names.

Exam Tip: When two answers could work in the real world, choose the one that most directly matches the stated requirement with the least extra complexity. AZ-900 favors clear alignment over edge-case architecture debates.

Another smart strategy is category filtering. First decide whether the question is about geography, organization, compute, or networking. Then compare only the answers within that category. This reduces confusion and speeds up elimination. The more you practice this pattern, the more “Microsoft-style” the exam becomes.

Section 3.6: Exam-style question bank on Azure architecture, compute, and networking

This course includes practice questions, but your improvement comes from how you review them. For this objective area, do not just mark right or wrong. Instead, classify each missed item into one of three categories: terminology confusion, scope confusion, or service-purpose confusion. Terminology confusion happens when you mix similar terms such as region pair and availability zone. Scope confusion happens when you pick a service at the wrong administrative level, such as resource group instead of subscription. Service-purpose confusion happens when you choose a technically possible service rather than the intended Azure fit, such as a VM instead of serverless code execution.

When reviewing architecture questions, ask what noun in the scenario mattered most. Was the key phrase “within one region,” “across subscriptions,” “private dedicated connectivity,” or “event-driven”? AZ-900 questions are often unlocked by a single phrase. Train yourself to underline or mentally isolate those clues during practice.

You should also practice eliminating distractors methodically. If an answer is from the wrong category, remove it. For example, if the requirement is billing separation, compute and networking options are immediate distractors. If the requirement is name resolution, ExpressRoute and VPN are distractions because they solve connectivity, not DNS. This simple discipline raises accuracy fast.

Exam Tip: Review every wrong option, not just the correct one. Ask why each distractor was tempting and why it was still wrong. That is how you prepare for the real exam, where several answers may sound reasonable at first glance.

Finally, build a weak-area loop. If you repeatedly miss questions on hierarchy, drill management groups, subscriptions, resource groups, and resources until you can explain the differences without notes. If you repeatedly miss networking, create a one-line definition for each core service and rehearse scenario matching. Consistent pattern recognition is the goal. By the time you finish the chapter drills, you should be able to identify the tested objective behind a question before reading all answer choices.

Section 4.1: Describe Azure storage services including blob, disk, file, archive, and redundancy options

Azure storage questions often test whether you can match a data type or access pattern to the correct storage offering. Start with the big distinctions. Azure Blob Storage is designed for massive amounts of unstructured data such as images, backups, log files, media, and documents. Azure Files provides managed file shares that can be accessed using standard file-sharing protocols. Azure managed disks support Azure virtual machines and act like the disk resources attached to compute instances. Archive storage is not a separate general-purpose everyday storage type for fast access; it is a low-cost access tier for infrequently accessed blob data.

Blob Storage is commonly tested by asking about object storage or unstructured data. If the scenario mentions storing large volumes of text or binary data, serving images, retaining backups, or supporting analytics input files, Blob Storage is usually the best answer. If the scenario instead mentions shared files accessed by multiple systems as a network file share, Azure Files is the stronger match. A common trap is confusing files stored in Blob Storage with file shares in Azure Files. The word file in ordinary language does not automatically mean Azure Files. Focus on the access method and use case.

Managed disks are another favorite exam topic. They are designed for Azure virtual machine storage and provide durable block storage. If the requirement is to attach storage to a VM operating system or data disk, think managed disks rather than Blob Storage or Azure Files. Candidates sometimes overthink this and choose general storage services because they know a VM stores data somewhere in Azure. On AZ-900, if the scenario is specifically about a disk attached to a VM, managed disks is the correct concept.

Storage tiers also matter. Hot tier is for frequently accessed blob data, cool tier is for infrequently accessed data with lower storage cost but higher access cost, and archive tier is for rarely accessed data with very low storage cost and retrieval delay. The exam may test cost optimization rather than deep operational detail. If the scenario describes long-term retention with rare access, archive is likely correct. If it describes active content or regular reads, archive is almost certainly a distractor.

• Blob Storage: unstructured object data
• Azure Files: managed file shares
• Managed disks: VM disk storage
• Archive tier: lowest-cost long-term blob retention with slower retrieval
• Redundancy choices: LRS, ZRS, GRS, and RA-GRS are common recognition areas

Redundancy is another tested objective. Locally redundant storage (LRS) replicates within a single datacenter. Zone-redundant storage (ZRS) replicates across availability zones in a region. Geo-redundant storage (GRS) adds replication to a secondary region. Read-access geo-redundant storage (RA-GRS) allows read access to the secondary region. You do not need advanced replication internals, but you should understand the business tradeoff between resilience and cost.

Exam Tip: If a question asks for the lowest-cost storage for rarely accessed retained data, think archive tier. If it asks for resilience across regions, think geo-redundancy. If it asks for VM-attached storage, think managed disks. These keywords are often enough to eliminate two or three distractors immediately.

What the exam is really testing here is your ability to classify storage by structure, access method, and resilience requirement. Learn the default purpose of each offering, and many storage questions become straightforward.

Section 4.2: Describe identity, access, and security basics with Microsoft Entra ID and authentication concepts

Identity is one of the most important foundational topics in AZ-900 because it connects security, access management, and cloud governance. Microsoft Entra ID is Azure’s cloud-based identity and access management service. It helps users sign in and access resources. The exam often tests whether you understand that Entra ID is about identities, authentication, and authorization, not about hosting applications, storing files, or creating subscriptions.

A critical distinction is between authentication and authorization. Authentication answers the question, “Who are you?” Authorization answers, “What are you allowed to do?” Many candidates know the terms but miss them under exam pressure. If the scenario is about verifying a user’s identity with a password, multifactor authentication, or sign-in, that points to authentication. If the scenario is about assigning permissions to a resource after the user is signed in, that points to authorization. Microsoft loves this distinction because it reveals whether you truly understand identity basics.

Multifactor authentication, or MFA, adds an additional verification factor beyond just a password. This is a common security-related service basic that may appear in simple business language such as reducing the risk from stolen passwords. Single sign-on, or SSO, lets a user authenticate once and access multiple applications. These concepts are often used as distractors against each other. MFA increases sign-in security. SSO improves user access convenience. They can work together, but they solve different problems.

Microsoft Entra ID also supports identities for users, groups, and applications. On the exam, service principals or managed identities may appear at a basic recognition level. If the question is about an Azure service authenticating securely to another service without storing credentials in code, managed identities is the right concept. Even if the exam wording is simple, the tested idea is reducing secret management risk.

Another common trap is confusing Microsoft Entra ID with Azure role-based access control, or Azure RBAC. They are related but not identical. Entra ID provides the identity foundation and sign-in capability. Azure RBAC controls what authenticated identities can do with Azure resources. If the question asks about assigning read or contributor access to Azure resources, RBAC is usually the intended answer. If it asks about user accounts, tenant identity, or sign-in, Entra ID is usually correct.

• Authentication: proving identity
• Authorization: granting access
• MFA: stronger sign-in security
• SSO: one sign-in for multiple apps
• RBAC: permissions to Azure resources

Exam Tip: When you see identity questions, slow down and find the verb. Sign in, verify, and authenticate point one way. Assign access, allow actions, and permission point another. AZ-900 often rewards precise reading more than technical depth.

What the exam tests here is whether you can recognize the role of cloud identity in a secure Azure environment. Keep the concepts distinct: Entra ID manages identities, authentication verifies users, authorization grants permissions, and RBAC controls resource access.

Section 4.3: Describe Azure database and analytics basics including relational and non-relational options

Database questions in AZ-900 are usually about choosing between relational and non-relational solutions and recognizing managed Azure offerings. Relational databases store structured data in tables with rows, columns, and defined schemas. Azure SQL Database is the most common relational service tested at this level. If the scenario mentions structured business data, transactions, SQL queries, or a traditional application database, Azure SQL Database is often the best answer.

Non-relational databases, sometimes called NoSQL databases, handle flexible data models and very large scale workloads. Azure Cosmos DB is the key non-relational database service to know for AZ-900. It is commonly associated with globally distributed applications, flexible schemas, and low-latency access. If the requirement includes worldwide distribution, elastic scale, or semi-structured data, Cosmos DB should be high on your list.

Azure may also be tested through managed database families such as Azure Database for MySQL or Azure Database for PostgreSQL. The exam does not usually require deep feature comparison, but it does expect you to understand that Azure provides managed open-source relational database services in addition to Azure SQL Database. This matters when a scenario mentions a MySQL- or PostgreSQL-based application migrating to Azure with minimal management overhead.

Analytics basics may appear in contrast with transactional databases. Transactional systems support operational workloads such as order processing or inventory updates. Analytics platforms are used to analyze large data volumes and derive insights. At a basic level, if the question is about storing and querying application transaction records, think database service. If it is about analyzing large datasets for trends or business intelligence, think analytics service category instead. The exam may not demand advanced analytics architecture, but it may test whether you understand the difference in purpose.

A common trap is assuming every data-related question is about SQL. If the question says structured tables, transactions, and relational relationships, SQL is a safe direction. If it describes flexible schema, globally distributed apps, or non-relational data, Cosmos DB becomes more likely. Also be careful not to confuse storage services with database services. Blob Storage stores data objects; it is not the same as a managed database engine.

• Azure SQL Database: managed relational database
• Azure Cosmos DB: managed non-relational globally distributed database
• Azure Database for MySQL/PostgreSQL: managed relational open-source options
• Analytics services: designed for insight and large-scale analysis, not only transactions

Exam Tip: Look for words that reveal data shape. Tables, schema, and transactions suggest relational. Flexible, document, globally distributed, and NoSQL suggest Cosmos DB. Microsoft often hides the answer in the business wording.

The exam objective here is not to make you a database administrator. It is to confirm that you can classify workloads correctly and choose the Azure data platform service family that best matches the requirement.

Section 4.4: Describe Azure application hosting choices including App Service, virtual machines, and containers

One of the most practical AZ-900 skills is matching a workload to the right hosting model. Azure offers several options, but the exam usually centers on the tradeoffs among Azure App Service, virtual machines, and containers. Think in terms of management responsibility, customization, and deployment style.

Azure App Service is a platform-as-a-service option for hosting web apps, APIs, and mobile app back ends. It is ideal when you want Microsoft to manage much of the underlying infrastructure so you can focus on application code. If the scenario mentions a web application that should be deployed quickly with minimal server administration, App Service is often the best fit. This is a common exam target because it represents the cloud advantage of reduced operational overhead.

Virtual machines are infrastructure-as-a-service. They give you the most control over the operating system and environment. If an application requires a custom OS configuration, legacy software support, or full administrative control, VMs are often the correct answer. The trap is that some candidates choose VMs for everything because they feel familiar. But on AZ-900, Microsoft often expects you to recognize when a higher-level managed service such as App Service is more appropriate.

Containers package applications and dependencies together for consistent deployment. They are useful when you want portability and lightweight isolation. Azure supports containers through services such as Azure Container Instances and Azure Kubernetes Service, though AZ-900 questions are typically basic and focus on recognizing containers as a hosting model. If the scenario mentions microservices, rapid scaling of packaged apps, or consistent deployment across environments, containers may be the intended answer.

To compare the three, ask how much control is required and how much management the organization wants to avoid. App Service offers less infrastructure control but lower management burden. VMs offer maximum control with more management responsibility. Containers sit in between in many scenarios by emphasizing application packaging and portability.

Security-related service basics are also connected here. A secure hosting decision often includes identity integration, access controls, and reduced administrative exposure. A managed platform can lower risk by reducing the need to maintain servers manually. Microsoft may frame this as reducing management overhead while maintaining scalability.

• App Service: managed web and API hosting
• Virtual machines: full OS and environment control
• Containers: portable packaged applications with consistent runtime behavior

Exam Tip: If the requirement says web app plus minimal infrastructure management, App Service is usually the answer. If it says custom operating system or legacy server software, choose virtual machines. If it emphasizes packaged deployment or microservices, look at containers.

The exam tests whether you can align hosting choice with business need. The correct answer is rarely the most powerful service. It is the service that best matches the workload with the least unnecessary complexity.

Section 4.5: Scenario-based review for Describe Azure architecture and services across storage, identity, and databases

This objective area becomes easier when you think like the exam writer. Microsoft often combines several services into one short business scenario and asks you to identify the best architectural match. For example, a company may need long-term retention for old records, secure employee sign-in, and a managed database for line-of-business data. Those are three separate clues: archive blob tier for infrequently accessed retained data, Microsoft Entra ID for identity, and a relational database service such as Azure SQL Database for structured business information.

Notice the pattern: each requirement maps to one service family. The exam does not reward overengineering. If the data is file-share based, choose Azure Files instead of Blob Storage. If a VM needs persistent attached storage, choose managed disks. If the company wants employees to sign in securely, do not choose RBAC alone because RBAC is about authorization, not initial identity verification. If the application stores structured data with clear table relationships, a relational database fits better than Cosmos DB.

Another common scenario pattern involves workload matching. You may see an application requiring global scale with flexible schema, a public website requiring minimal server management, and user access protected by multifactor authentication. The strongest matches are Azure Cosmos DB, Azure App Service, and MFA with Entra ID. The exam may include plausible distractors such as VMs, Blob Storage, or simple passwords. These are not always wrong services in general; they are wrong for that stated requirement.

When reviewing scenarios, identify the noun and the constraint. The noun tells you the resource type: file share, user identity, web app, relational data, virtual machine disk. The constraint tells you the feature priority: low cost, global distribution, minimal management, long-term retention, or stronger sign-in security. Put them together and the answer often becomes obvious.

Exam Tip: Break a long scenario into mini-prompts. Ask: What is the storage clue? What is the identity clue? What is the database clue? Solve each requirement independently before looking at the answer choices. This prevents distractors from pulling you toward a broad but incorrect option.

What the exam is really evaluating in scenario-based items is your ability to translate business language into Azure service language. You do not need implementation steps. You need service recognition plus disciplined elimination. If one answer meets the workload but ignores the stated constraint, it is usually a distractor. If another answer sounds more advanced than necessary, it may also be a distractor because AZ-900 prefers the simplest correct service match.

This chapter’s themes connect directly here: storage fundamentals, identity and security basics, and data platform choices all appear in mixed-service scenarios. Practice recognizing each clue quickly, and you will improve both speed and accuracy.

Section 4.6: Exam-style question bank with detailed explanations for service comparison

As you work through a practice test bank, remember that this exam domain is built around comparisons. You are not memorizing long feature lists; you are learning to separate similar services by purpose. The most important comparison sets in this chapter are Blob Storage versus Azure Files, managed disks versus storage tiers, Entra ID versus RBAC, authentication versus authorization, relational versus non-relational databases, and App Service versus VMs versus containers.

When reviewing explanations, ask why the wrong answers are wrong. This is one of the fastest ways to improve. If Blob Storage is correct, the explanation should make clear why Azure Files is not correct for object storage. If Entra ID is correct, the explanation should show why a database or network service does not solve identity verification. High scorers do not just recognize the correct answer; they learn the boundary lines between services.

A strong study method is to build a one-line mental label for each service. For example: Blob Storage equals unstructured objects. Azure Files equals managed file shares. Managed disks equal VM disks. Entra ID equals identity and sign-in. RBAC equals resource permissions. Azure SQL Database equals managed relational data. Cosmos DB equals globally distributed NoSQL. App Service equals managed web hosting. Virtual machines equal full OS control. Containers equal portable packaged apps. If you can recall these labels instantly, many practice questions become recognition exercises instead of guesswork.

Watch for test-author traps. One trap is choosing the familiar service rather than the best-fit service. Another is choosing a technically possible solution instead of the Azure-native managed option emphasized by the requirement. Microsoft frequently rewards the answer that reduces management effort while meeting the business need. That is why App Service often beats VMs for web apps, and managed databases often beat self-managed database servers when administration is not required.

Exam Tip: In service comparison questions, eliminate answers by category first. If the requirement is identity, remove storage and database answers immediately. If it is VM-attached storage, remove identity and hosting services. Narrowing by service family can raise your odds even before you know the exact feature.

Use your practice bank deliberately. After every incorrect answer, identify which keyword you missed. Was it file share, sign-in, global distribution, relational, or minimal management? Those keywords are the exam’s signposts. Over time, this pattern-based approach will help you identify weak areas quickly and sharpen your exam readiness across the Azure architecture and services objective.

By the end of this chapter, you should be more confident in describing storage, identity, database, and hosting basics while also recognizing Microsoft-style distractors. That combination of content knowledge and exam technique is exactly what AZ-900 candidates need.

Section 5.1: Describe cost management in Azure including pricing factors, calculators, and tagging

Cost management is a core AZ-900 topic because cloud value depends on understanding how usage translates into spending. Azure pricing is affected by multiple factors, including resource type, service tier, region, consumption amount, licensing model, and outbound data transfer. The exam usually stays at a foundational level, so focus on recognizing the broad pricing drivers rather than memorizing exact numbers. Virtual machines, storage, databases, and networking all have different billing characteristics. Some services bill based on time, some on transactions, some on storage volume, and some on data movement.

Microsoft commonly tests whether you know when to use the Azure Pricing Calculator versus the Total Cost of Ownership calculator. The Pricing Calculator helps estimate the expected cost of Azure services before deployment. It is useful when planning a new solution in Azure. The TCO Calculator is used to compare current on-premises costs with projected Azure costs, helping organizations evaluate migration value. A frequent trap is choosing TCO when the question is really about estimating the monthly price of an Azure deployment. If the scenario asks about comparing cloud to existing datacenter infrastructure, TCO is the better fit.

Azure Cost Management and billing tools help organizations analyze spending, set budgets, and identify cost trends. On the exam, remember that budgets track and alert on spending thresholds, but budgets do not directly stop resource consumption by themselves. If a question asks how to monitor and manage spending, Cost Management is a strong answer. If it asks how to estimate before deployment, use a calculator instead.

Tags are another favorite exam objective. Tags are name-value pairs applied to Azure resources for organization, reporting, automation, and chargeback/showback scenarios. A business may tag resources by department, environment, owner, application, or cost center. Tags are especially useful for cost reporting because they help break down usage by business category. However, tags do not enforce compliance by themselves. That is a trap. If the requirement is to require certain tags or deny deployment without them, Azure Policy is involved. Tags identify and organize; Policy enforces.

• Pricing Calculator: estimate Azure solution cost
• TCO Calculator: compare on-premises costs to Azure
• Cost Management: analyze, monitor, and optimize spending
• Tags: classify resources for reporting and administration

Exam Tip: When you see phrases like estimate future Azure monthly cost, think Pricing Calculator. When you see compare current datacenter cost to Azure, think TCO Calculator. When you see group costs by department, think tags. When you see alert when spending nears a threshold, think budget in Cost Management.

To eliminate distractors, ask yourself whether the need is estimation, comparison, analysis, or categorization. Those are four different ideas, and AZ-900 often turns them into four answer choices that all seem plausible. The best answer is the one that most directly matches the business goal.

Section 5.2: Describe features and tools in Azure for governance and compliance including Policy, RBAC, locks, and Blueprints concepts

Governance and compliance in Azure are about making sure resources are deployed and managed according to organizational rules. On the AZ-900 exam, the key is to separate permission management from standards enforcement. Azure role-based access control, or RBAC, determines who can perform which actions on Azure resources. If a user needs read-only access, contributor access, or owner access, RBAC is the concept being tested. RBAC does not decide whether a resource is allowed to exist in a region or whether a tag is required. That is governance policy, not access permission.

Azure Policy evaluates resources against rules and can enforce standards. Examples include allowing resources only in specific regions, requiring specific tags, restricting resource types, or auditing compliance. The exam often presents a scenario about ensuring resources meet organizational rules and then includes RBAC as a distractor. If the requirement is to control configurations, compliance, or allowed settings, choose Azure Policy. If the requirement is to let users manage resources, choose RBAC.

Resource locks are simpler but very testable. Locks protect resources from accidental changes or deletion. The two key lock types are delete locks and read-only locks. A delete lock prevents deletion but still allows modifications, while a read-only lock prevents changes and deletion. Questions may ask how to protect a mission-critical resource from accidental removal. The best answer is a resource lock, not a backup, not RBAC, and not Policy alone.

Azure Blueprints has historically been used to package and deploy a set of governance artifacts such as policies, RBAC assignments, ARM templates, and resource groups in a repeatable way. For AZ-900, treat Blueprints as a governance-at-scale concept that helps standardize deployments. Even when Microsoft updates service positioning over time, the exam objective still expects you to understand the idea: repeatable deployment of a governed environment. Do not confuse Blueprints with an ARM template alone. Templates define resources; Blueprints combine governance components around deployment.

• RBAC: controls access permissions
• Azure Policy: enforces or audits standards and compliance
• Resource locks: prevent accidental delete or modification
• Blueprints concepts: package governance and deployment artifacts consistently

Exam Tip: A fast exam shortcut is this: if the question says who can do it, think RBAC. If it says what is allowed, think Policy. If it says prevent accidental deletion, think locks. If it says deploy a standardized governed environment repeatedly, think Blueprints concepts.

A common trap is assuming that one service does everything. In real environments, these tools are layered together. A subscription might use RBAC for permissions, Policy for compliance, and locks for protection. The exam likes this overlap, so focus on the primary purpose of each tool to select the best single answer.

Section 5.3: Describe tools for managing and deploying Azure resources including the portal, Cloud Shell, ARM, and Infrastructure as Code concepts

Azure provides several ways to create, manage, and deploy resources, and AZ-900 tests your understanding of when each approach is most appropriate. The Azure portal is the browser-based graphical interface for managing Azure services. It is ideal for learning, performing one-off administrative tasks, and visually reviewing configurations. On exam questions, if a scenario emphasizes a web interface or simple interactive management, the portal is usually the right answer.

Azure Cloud Shell is a browser-accessible command-line environment that supports Azure CLI and PowerShell. It allows administrators to run commands without setting up local tooling. Microsoft may ask which tool lets you manage resources from a command-line interface directly in the browser. That points to Cloud Shell. A common trap is confusing Cloud Shell with the portal itself. Cloud Shell runs within the Azure experience, but its purpose is command-line administration.

Azure Resource Manager, or ARM, is the deployment and management service for Azure. ARM templates are declarative JSON-based templates used to define infrastructure in a repeatable and consistent way. The exam may not go deep into syntax, but you should know the concept: define infrastructure as code so that deployments are automated, repeatable, and less prone to manual error. This connects directly to Infrastructure as Code, or IaC, which is the broader practice of managing infrastructure through machine-readable definitions rather than manually clicking through a GUI.

Infrastructure as Code is especially important for standardization and scaling. If the question asks how to deploy the same environment repeatedly with consistency, ARM templates or IaC concepts are likely the correct answer. If it asks how to quickly create a single resource interactively, the portal may be better. This distinction is a classic AZ-900 pattern.

Exam Tip: Portal equals graphical management. Cloud Shell equals browser-based command line. ARM templates equal declarative, repeatable deployment. Infrastructure as Code equals the broader operational model of defining infrastructure through code.

Another common test angle involves resource management scope. Azure resources are organized into resource groups, which are containers for related resources. ARM manages deployment and management at scale across subscriptions, resource groups, and resources. The exam might include resource groups as distractors when the real question is about deployment method. Remember: a resource group organizes resources, while ARM templates define and deploy them.

• Azure portal: GUI for management
• Cloud Shell: browser-based CLI/PowerShell environment
• ARM: Azure deployment and management framework
• ARM templates/IaC: repeatable, automated deployments

The best strategy on the exam is to identify whether the scenario prioritizes simplicity, automation, consistency, or scripting. Once you know that, the answer set becomes much easier to eliminate.

Section 5.4: Describe monitoring tools in Azure including Azure Monitor, Service Health, and Advisor

Monitoring is another heavily tested management topic because Microsoft wants candidates to understand the difference between observing your resources, understanding platform incidents, and receiving optimization guidance. Azure Monitor is the central service for collecting, analyzing, and acting on telemetry from Azure and on-premises environments. It includes metrics, logs, alerts, and dashboards. If a question asks about tracking performance, collecting operational data, or triggering alerts based on conditions, Azure Monitor is the expected answer.

Azure Service Health is more specific. It provides personalized information about Azure service issues, planned maintenance, and health advisories that may affect your subscribed services and regions. The exam often uses outage-based scenarios here. If the requirement is to determine whether an Azure platform issue in a region is impacting your environment, Service Health is the best choice. A common distractor is Azure Monitor, but Monitor focuses on telemetry from your resources, while Service Health reports Microsoft-side service events relevant to your subscriptions.

Azure Advisor provides recommendations to improve cost, performance, reliability, operational excellence, and security. If the question asks for best-practice guidance or recommendations for optimization, Advisor is the correct tool. Advisor does not replace active monitoring, and it does not serve as a compliance policy engine. It is a recommendation service. This distinction appears frequently in foundational exams.

Another subtle trap is confusing Service Health with the global Azure status page. The public status page gives broad information across Azure, but Service Health is personalized to your tenant and resources. For AZ-900, if the question mentions impact to your subscribed services, choose Service Health.

• Azure Monitor: metrics, logs, alerts, observability
• Azure Service Health: platform incidents, maintenance, advisories affecting your environment
• Azure Advisor: personalized recommendations and best-practice guidance

Exam Tip: Use this memory aid: Monitor watches, Service Health informs, Advisor recommends. If the prompt includes words like alert, metric, or log, think Monitor. If it includes outage, planned maintenance, or service issue in a region, think Service Health. If it includes improve cost or optimize reliability, think Advisor.

From an exam perspective, the goal is not deep operational setup. It is understanding the category of each tool. Read carefully, isolate whether the scenario is about telemetry, service incidents, or recommendations, and then eliminate answers that operate in a different category.

Section 5.5: Describe Service Level Agreements, preview services, and lifecycle considerations

Service Level Agreements, or SLAs, describe Microsoft’s commitment to uptime and connectivity for Azure services. On AZ-900, you are not expected to memorize large tables of percentages, but you should understand what an SLA represents and how to interpret it. An SLA commonly defines the expected availability percentage over a billing period, along with conditions and service credits if commitments are not met. Availability is not the same as performance. A service can be available but slow, and that does not necessarily mean the SLA was violated.

The exam may test combined SLA thinking at a basic conceptual level. If multiple components are required in a solution path, overall solution availability can be affected by each component. More dependencies can mean lower overall end-to-end availability unless redundancy is designed in. Microsoft also likes to test the idea that higher availability often requires architectural choices such as distributing workloads or adding resilient components. Foundationally, just remember that SLAs apply to services, and solution uptime is influenced by design.

Preview services are another common exam topic. A service in preview is made available for evaluation before general availability. Preview offerings may have limited support, can change, and often do not carry the same SLA guarantees as generally available services. If an exam question asks which service phase may lack an SLA or should be used cautiously in production, preview is the answer. General availability, or GA, is the stage where the service is fully released for production use with formal support expectations.

Lifecycle considerations include understanding that cloud services evolve. Features may be introduced in preview, become generally available, and later be retired. Businesses must consider supportability, compliance, reliability, and change risk when choosing a service. The exam does not require advanced product lifecycle management, but it does expect you to recognize that preview is not equivalent to production-ready GA in terms of commitments.

Exam Tip: If a question mentions guaranteed uptime, think SLA. If it mentions early access, limited support, or no production guarantee, think preview. If it asks about the safest choice for critical production workloads, generally available services are usually preferred over preview services.

Watch for wording traps. “High availability” is not automatically the same as “SLA.” One is an architectural goal; the other is a contractual service commitment. Also remember that service credits do not mean zero downtime. The SLA defines the commitment threshold and compensation model, not a promise that outages never occur.

Section 5.6: Exam-style question bank for Describe Azure management and governance

This final section is designed as a practical coaching guide for management and governance questions on the AZ-900 exam. Rather than listing practice questions in the chapter body, focus on how Microsoft frames this objective and how you should reason through answer choices. Most questions in this area are short scenario-based prompts asking you to identify the best Azure service or feature. The challenge is not technical depth; it is resisting distractors that are related but not primary.

Start by classifying the scenario into one of five buckets: cost, governance, deployment, monitoring, or lifecycle. If the problem is about estimating or analyzing spend, the answer will usually involve calculators, Cost Management, budgets, or tags. If it is about enforcing standards or assigning permissions, think Policy, RBAC, locks, or Blueprints concepts. If it is about creating resources repeatedly and consistently, think ARM templates and Infrastructure as Code. If it is about visibility into resource performance, outages, or recommendations, think Azure Monitor, Service Health, or Advisor. If it is about uptime guarantees or release maturity, think SLAs, preview, and GA lifecycle concepts.

A highly effective elimination method is to compare the noun in the answer with the verb in the question. For example, if the prompt says prevent deletion, remove answers that only monitor, estimate cost, or assign access. If the prompt says require a tag, remove answers that merely store a tag or display cost data. If the prompt says optimize reliability, remove answers that only provide logs or access control.

Exam Tip: On foundational Microsoft exams, the best answer is often the most direct service match, not the most powerful service overall. Do not choose a broad platform feature when a specific purpose-built tool fits the wording exactly.

Common traps in this objective include these pairings: RBAC versus Policy, Monitor versus Service Health, Pricing Calculator versus TCO Calculator, and tags versus Policy enforcement. Another trap is selecting the Azure portal for tasks that clearly require repeatable automated deployment. The portal is easy, but exam questions about consistency, scale, and reusability usually point to templates or IaC concepts.

For final review, build a one-line memory map: Cost Management controls visibility into spend; tags organize; RBAC grants access; Policy enforces rules; locks protect resources; Blueprints concepts standardize governed deployments; portal manages visually; Cloud Shell manages by command line; ARM and IaC automate deployment; Monitor tracks telemetry; Service Health reports Azure issues; Advisor recommends improvements; SLAs define commitments; preview means limited guarantees. If you can recall that map quickly, you will be well prepared to answer this chapter’s exam domain questions with confidence.

Section 6.1: Full-length mock exam blueprint aligned to all AZ-900 official domains

A strong AZ-900 mock exam should reflect the structure and intent of the real test, even if the exact number of questions or wording differs. The exam measures foundational Azure knowledge across major domains: cloud concepts, Azure architecture and services, and Azure management and governance. Your mock blueprint should therefore distribute items in a way that feels realistic, with enough breadth to expose weak areas without overloading one topic.

The blueprint for this chapter is built around domain coverage rather than random question order. That matters because AZ-900 is not a trivia exam. Microsoft expects you to recognize patterns across core ideas. For example, cloud concepts questions often test whether you can distinguish benefits like high availability, scalability, elasticity, fault tolerance, and disaster recovery. Architecture questions often test whether you can identify regions, availability zones, resource groups, subscriptions, and management groups. Service questions often assess whether you know the purpose of compute, networking, storage, database, and identity offerings. Governance questions typically target cost management, SLAs, Azure Policy, locks, monitoring, and compliance concepts.

When using a full-length mock exam, aim for three outcomes. First, verify domain familiarity. Second, test stamina and concentration. Third, identify whether your errors come from knowledge gaps, misreading, or poor elimination strategy. Many candidates think a score alone tells the story. It does not. A balanced mock blueprint should allow you to classify misses by category.

• Cloud concepts: benefits, shared responsibility, service types, deployment models, consumption-based pricing
• Core architecture: regions, region pairs, availability zones, subscriptions, management groups, resource groups
• Azure services: compute, networking, storage, databases, AI concepts, analytics basics, identity and access
• Management and governance: cost tools, SLAs, compliance, governance controls, monitoring and health tools

Exam Tip: Build your mock review around exam objectives, not around product names alone. The test often asks what a service does or when it fits, not how to configure it.

A good blueprint also mixes direct-definition items with scenario-style prompts. Direct items test recall. Scenario items test recognition under mild ambiguity. The latter are where distractors become dangerous. If two answers appear plausible, return to the objective: is the question asking for access control, policy enforcement, cost estimation, service uptime, or resource organization? Matching the intent of the question to the exam domain is often the fastest route to the correct answer.

Finally, use your mock blueprint as a training tool, not a one-time event. If you retake a mock, do not just chase a higher score. Check whether the improvement comes from true understanding. For AZ-900, confidence built on pattern recognition and objective-based reasoning is more reliable than simple memorization.

Section 6.2: Mock exam Part 1 covering Describe cloud concepts and core architecture topics

Mock Exam Part 1 should focus on the domains that establish your foundational reasoning: cloud concepts and Azure core architecture. These topics appear basic, but they are also where Microsoft inserts some of the most common beginner traps. The exam expects you to know not only what terms mean, but also how to separate similar ideas when answer choices are intentionally close.

For cloud concepts, you should be ready to identify the benefits of cloud computing, including high availability, scalability, elasticity, agility, reliability, and disaster recovery. The key is understanding the difference between them. Scalability refers to handling increased load by adding resources, while elasticity emphasizes automatic or dynamic adjustment to demand. Agility is about provisioning and adapting quickly. Reliability relates to consistent service delivery. High availability concerns minimizing downtime. Disaster recovery focuses on restoration after a major failure event.

Another frequent test area is the shared responsibility model. Many candidates miss these questions because they answer from intuition rather than the model. In Azure, Microsoft is always responsible for the physical infrastructure, while customer responsibility varies depending on whether the service is IaaS, PaaS, or SaaS. A question may appear to ask about security generally, but it is often actually testing whether you know which layer the customer manages.

Exam Tip: When a question mentions operating systems, network controls, applications, or data, pause and ask which cloud service model is in play before choosing an answer.

On service types and deployment models, expect distinctions among IaaS, PaaS, and SaaS, as well as public, private, and hybrid cloud. The common trap is choosing based on familiarity instead of responsibility boundaries. If the scenario emphasizes full application consumption with minimal management, SaaS is usually the fit. If it emphasizes application development without managing underlying operating systems, think PaaS. If it emphasizes virtual machines and customer-managed operating systems, think IaaS.

The architecture portion of Part 1 should then shift to core Azure constructs. You must be comfortable with subscriptions, management groups, resource groups, and resources. These are often tested together because Microsoft wants to see whether you understand hierarchy and organization. A management group can contain subscriptions. A subscription can contain resource groups. A resource group contains resources. Traps often involve confusing governance scope with geographic scope.

You should also review Azure regions, region pairs, and availability zones. Regions are geographic areas containing one or more datacenters. Availability zones are physically separate locations within an Azure region. Region pairs support certain resiliency and recovery planning scenarios. Candidates sometimes confuse availability zones with regions because both relate to redundancy.

In your mock review, watch for questions that test what the exam is really after: business continuity, organization, or service location. If the question emphasizes separate power, cooling, and networking within a region, it is likely about availability zones. If it emphasizes grouping resources for lifecycle management, it is about resource groups. If it emphasizes billing and service limits, it is about subscriptions.

Part 1 is where strong candidates build momentum. If your cloud concepts are shaky, fix them before moving on. These are high-value objectives that support reasoning across the rest of the exam.

Section 6.3: Mock exam Part 2 covering Azure services, management, and governance topics

Mock Exam Part 2 should cover the service recognition and governance material that often determines whether a candidate passes comfortably or hovers near the cut score. This portion of the exam expects you to identify the purpose of Azure services at a foundational level and connect them to cost, compliance, monitoring, and control.

Begin with compute and networking services. You should recognize when Azure Virtual Machines, Azure App Service, containers, virtual networks, VPN Gateway, load balancing, and content delivery concepts are being tested. The exam usually does not require implementation detail, but it does require you to select the service that best matches a scenario. The trap is that several services may sound cloud-capable. Your task is to match the requirement to the defining characteristic. For example, if the focus is managed web app hosting, App Service is often the better answer than virtual machines because it reduces infrastructure management.

Storage and database recognition is equally important. Be clear on Blob Storage, disk storage, file shares, archive and access tiers, and the difference between structured and unstructured data use cases at a high level. On databases, know the broad role of managed relational and non-relational services. Microsoft may test whether you can identify a managed database option rather than asking for SQL syntax knowledge.

Identity is one of the most testable areas in this part of the exam. You should know Microsoft Entra ID basics, authentication versus authorization, multifactor authentication, single sign-on, and role-based access control. A classic trap is mixing policy enforcement with permissions assignment. RBAC controls who can do what. Azure Policy evaluates whether resource configurations comply with rules. Resource locks prevent accidental deletion or modification. These tools sound related, but they solve different governance problems.

Exam Tip: If the scenario is about denying or auditing noncompliant resource properties, think Azure Policy. If it is about granting a user access to manage a resource, think RBAC.

Management and governance items also include pricing, support, SLAs, and monitoring. Know the purpose of calculators, cost analysis, tags for organization, and Azure Advisor recommendations at a high level. For SLAs, be prepared to compare percentages conceptually and understand that higher availability targets reduce allowable downtime. Questions may present this indirectly by emphasizing uptime expectations rather than asking for exact outage math.

Monitoring tools are another area where distractors appear. Azure Monitor, Service Health, and Advisor each serve different roles. Azure Monitor collects and analyzes telemetry. Service Health communicates issues affecting Azure services and your subscriptions. Advisor provides best-practice recommendations on reliability, security, performance, operational excellence, and cost. Read carefully: the exam may ask about learning from metrics, viewing platform incidents, or improving configurations. Those are three different needs.

Part 2 is where candidates must resist overcomplicating. AZ-900 is testing service purpose, not engineering design depth. If you know what each service is broadly for and can separate governance controls by function, you will perform well on this section of the mock and the actual exam.

Section 6.4: Answer explanations, distractor analysis, and confidence scoring method

A mock exam only becomes a true learning tool when you review it with discipline. The explanation process should answer three questions for every item: Why is the correct answer right? Why is each distractor wrong? How certain was I when I answered? This approach reveals whether your misses came from incomplete knowledge, confusion between related concepts, or simple test-taking errors.

Start with the correct answer explanation. Do not settle for a label such as “because Azure Policy enforces rules.” Push one step further and connect the explanation to the objective. For example, if the item tested governance, note that Azure Policy evaluates resource properties for compliance, while RBAC assigns permissions. Tying the answer to the domain helps your memory because AZ-900 repeatedly tests functional distinctions.

Next, analyze distractors. Microsoft-style distractors are rarely random. They often represent concepts from the same domain that are partially true but not the best fit. This is why candidates get trapped by familiar terms. A distractor may describe a valid Azure service, but if it does not solve the specific problem in the prompt, it is still wrong. Learning to reject plausible-but-incorrect options is one of the most valuable exam skills.

Exam Tip: When two answers seem correct, ask which one addresses the exact verb in the question. “Monitor,” “control access,” “enforce compliance,” “estimate cost,” and “organize resources” point to different Azure tools.

A practical confidence scoring method can sharpen your review. After each mock item, classify your answer as high, medium, or low confidence. High confidence means you knew the concept and would choose the same answer again. Medium confidence means you narrowed it down but were not fully sure. Low confidence means you guessed. Then compare confidence with correctness:

• Correct + high confidence: likely mastered
• Correct + low confidence: review needed; understanding may be weak
• Wrong + high confidence: dangerous misconception; prioritize immediately
• Wrong + low confidence: knowledge gap; schedule normal review

The most urgent category is wrong with high confidence. These mistakes can repeat on exam day because you may not even realize your reasoning is flawed. Common examples include confusing Azure Monitor with Service Health, assuming resource groups determine billing boundaries, or mixing up shared responsibility tasks across SaaS and IaaS.

Create a weak spot log after finishing the mock. Group errors by domain and by error type. You may discover that your issue is not “networking” broadly but specifically distinguishing service purpose. Or your issue may be not reading the final line carefully, where Microsoft often places the real requirement.

Review explanations actively. Rewrite the concept in your own words, compare it with the distractors, and identify the trigger words that should have led you to the right answer. This method turns every missed item into a reusable pattern for the real exam.

Section 6.5: Final review checklist by domain and last-week revision plan

Your final review should be selective, not chaotic. In the last week before AZ-900, the objective is not to relearn Azure from scratch. It is to reinforce high-yield concepts, repair confirmed weak spots, and improve recognition speed. A good checklist keeps your revision aligned to the exam objectives and prevents wasted time on low-value detail.

Begin with cloud concepts. Confirm that you can explain shared responsibility, CapEx versus OpEx, public versus private versus hybrid cloud, and IaaS versus PaaS versus SaaS without hesitation. Review the cloud benefits that are frequently contrasted in answer choices, especially scalability, elasticity, high availability, and disaster recovery. If you still need to pause on those distinctions, revisit them immediately.

Next, review Azure architecture. Make sure you can identify management groups, subscriptions, resource groups, resources, regions, region pairs, and availability zones. These items are foundational because they recur indirectly in many scenarios. Then verify your service recognition across compute, networking, storage, databases, and identity. At AZ-900 level, broad purpose matters more than setup detail. If you cannot state in one sentence what a service is for, that is a review target.

Finally, review management and governance. This includes pricing tools, support options, SLA awareness, Azure Policy, RBAC, locks, Azure Monitor, Service Health, and Advisor. These concepts are frequently tested because they reflect real-world operational understanding. The exam wants to know whether you can select the right control or tool for the right need.

• Days 7-5 before exam: review by objective domain, using notes and missed mock items
• Days 4-3: complete targeted drills on weak areas only
• Day 2: take a final timed mixed review, then analyze mistakes
• Day 1: light review, flash concepts, no cramming

Exam Tip: In the final week, prioritize concepts you confuse, not concepts you merely find interesting. The fastest score gains come from fixing repeated errors, especially service mix-ups and governance tool confusion.

Your weak spot analysis should drive the final plan. If your misses cluster around identity and governance, do not spend hours revisiting basic cloud definitions you already know. If your issue is question interpretation, practice slowing down and identifying the tested objective before reading all answer options.

A final review checklist should also include logistics: exam appointment confirmation, identification requirements, testing environment rules, and a plan for sleep and timing. Content mastery matters, but it performs best when paired with calm, organized execution.

Section 6.6: Exam day strategy, time management, and post-exam next steps

Exam day success depends on controlled execution. AZ-900 is designed for foundational knowledge, but candidates still lose points through rushed reading, second-guessing, and preventable stress. Your strategy should be simple: read carefully, identify the objective, eliminate distractors, answer decisively, and manage time without panic.

At the start of the exam, settle in and avoid trying to predict your score question by question. Focus on the current item only. For each prompt, ask yourself what the exam is testing before you inspect all answer choices. Is it a cloud concept? A service purpose? A governance control? A pricing or monitoring tool? This habit reduces confusion because it frames the options correctly.

Time management on AZ-900 is usually less about speed and more about avoiding overthinking. Do not spend excessive time forcing advanced logic onto a basic concept question. If you narrow an item to two plausible choices, use objective-based reasoning and move on. Flagging may help if the testing interface supports review, but avoid leaving too many unresolved items for the end.

Exam Tip: Many wrong answers on AZ-900 happen because candidates choose an answer that is technically true in Azure, but not the one that best satisfies the question requirement. Best fit beats partial fit.

Before submitting, review flagged items with a fresh perspective. Pay special attention to qualifiers such as “best,” “most appropriate,” “minimize management,” “enforce,” “monitor,” or “estimate.” These words often determine which of two plausible answers is correct. Also watch for simple hierarchy errors, such as confusing resource groups with subscriptions, or function errors, such as confusing RBAC with Azure Policy.

If your exam is online, complete environment checks early, verify system readiness, and remove prohibited materials. If you are testing at a center, arrive early and carry required identification. Reduce uncertainty wherever possible. Small logistical problems can damage concentration before the exam even starts.

After the exam, whether you pass or not, use the result strategically. If you pass, note which domains felt weakest anyway and strengthen them before moving to a more advanced Azure certification. AZ-900 is often a starting point, not an endpoint. If you do not pass, do not restart from zero. Use your domain feedback and mock analysis to target the specific gaps. Candidates often improve quickly on a retake when they replace broad reviewing with focused correction.

The final goal of this chapter is readiness with control. A full mock exam, a sharp weak spot analysis, and a practical exam day checklist turn knowledge into performance. If you can explain core concepts clearly, identify the purpose of major Azure services, separate governance tools by function, and avoid common distractors, you are well prepared to earn AZ-900.