AZ-900 Practice Test Bank: 200+ Questions & Explanations

Section 1.1: AZ-900 exam overview and official skills outline

AZ-900 is designed for newcomers to cloud and Azure: students, business stakeholders, early-career IT professionals, and technical sellers. The exam validates that you can describe (not implement) cloud concepts and Azure’s foundational services. The official skills outline is the blueprint; your practice-test work should map directly to it.

At a high level, AZ-900 objectives group into three buckets. First, cloud concepts: what cloud computing is, why organizations use it (scalability, elasticity, reliability, agility, and cost models), plus cloud service types (IaaS, PaaS, SaaS) and deployment models (public, private, hybrid). Second, Azure architecture and services: regions/region pairs, availability zones, subscriptions, resource groups, resources, plus the “fundamentals” of compute, networking, storage, and identity. Third, Azure management and governance: cost management concepts, governance features (policy, role-based access control), and compliance/monitoring tools.

Common traps are subtle wording shifts. A question may describe a scenario that sounds like PaaS but includes OS patching responsibility (which hints IaaS). Another may mention “global, highly available name resolution” and tempt you toward a load balancer when DNS (Azure DNS) is the actual match. Your edge comes from pairing definitions with responsibility boundaries.

Exam Tip: For every service you study, write a one-line “what it is” and a one-line “what you still manage.” Shared responsibility is the fastest eliminator of wrong answers on AZ-900.

• Cloud concepts: benefits, service types, deployment models, shared responsibility
• Core architecture: regions, availability zones, subscriptions, resource groups, resources
• Core services: compute, networking, storage, identity (purpose-level only)
• Management/governance: cost management, governance, compliance, monitoring tools

As you use the test bank, tag each missed item to one of these bullets. If you can’t tag it, you didn’t learn the underlying concept—you memorized an answer.

Section 1.2: Registration, scheduling, ID requirements, and retake policy

Registering for the Microsoft exam is straightforward, but policy details matter because last-minute surprises are avoidable. You typically schedule through Microsoft’s exam portal and choose either an in-person test center or an online proctored option. Online delivery is convenient, but it is less forgiving: workspace rules, camera requirements, and strict proctor instructions can derail candidates who did not prepare their environment.

Bring (or have ready) acceptable identification that matches your registration name. Name mismatches are a common administrative failure point. If you recently changed your name, update your profile well before exam day. For online exams, plan for check-in steps: room scan, desk clearance, and restrictions on notes, phones, and secondary monitors.

Retake policies and waiting periods can vary by program rules, so the safest approach is to plan as if you get one “clean shot” and you want to pass on the first attempt. From a study strategy perspective, that means scheduling far enough out to complete at least two full practice-test cycles with review (not just taking tests repeatedly).

Exam Tip: If you choose online proctoring, run the system test on the same device, network, and room you’ll use on exam day. Many failures come from corporate VPNs, restrictive firewalls, or unstable Wi‑Fi—not from lack of knowledge.

Also decide your exam window strategically. If you are studying over 7–14 days, schedule the exam at the end of that window and treat the appointment as a commitment device. Candidates who “study until they feel ready” often drift into inefficient review and lose momentum.

Section 1.3: Exam format—question styles, caselets, and common traps

AZ-900 uses a mix of question styles that test recognition and decision-making rather than deep configuration skill. Expect standard multiple-choice, “choose all that apply,” matching, and scenario-based items. Some exams include caselets: a mini-scenario with a set of questions tied to the same context. Caselets reward careful reading: details you ignore in the scenario often determine the correct service type or responsibility model.

Traps usually fall into three categories. First, over-specific distractors: an answer choice names a precise Azure feature that is real but irrelevant at the fundamentals level. Second, responsibility confusion: the question asks who patches the OS, secures data, or manages identities—and candidates assume “Microsoft does everything” in the cloud. Third, vocabulary collisions: services with similar names (for example, Azure AD vs. Active Directory Domain Services; or Azure Monitor vs. Azure Advisor) where the key is the function described (identity vs. directory services, monitoring telemetry vs. recommendations).

To identify correct answers consistently, translate the question into an objective statement before looking at options: “This is asking for a deployment model,” or “This is asking which layer you manage under PaaS.” Then eliminate choices that do not match the category. If multiple answers look plausible, return to the keywords: “global,” “region,” “availability zone,” “SLA,” “capex/opex,” “shared responsibility,” and “governance.” These words are the exam’s signposts.

Exam Tip: On “choose all that apply,” assume Microsoft included at least one tempting near-miss. Verify each selected option independently against the concept definition; don’t pick a set just because it “sounds complete.”

Finally, do not bring associate-level expectations into AZ-900. You do not need to know detailed SKU limits, complex networking designs, or step-by-step portal workflows. If an option requires deep implementation knowledge to justify, it is often a distractor on this fundamentals exam.

Section 1.4: Scoring basics, pass criteria, and performance reports

AZ-900 scoring is designed to reflect overall competency, not perfection in one area. You will receive a scaled score and a clear pass/fail result. While the exact weighting can vary by exam version, the practical coaching takeaway is consistent: you should aim for balanced readiness across all objective domains rather than trying to “ace” one and ignore another.

Time management and accuracy are intertwined. Many candidates lose points not because they don’t know the concept, but because they rush and misread a single keyword (“most cost-effective,” “best describes,” “customer is responsible for,” “high availability across datacenters”). A careful first pass with fewer careless errors often beats a frantic attempt to revisit everything later.

After the exam, you typically get a performance report that breaks down your strengths and weaknesses by objective area. Treat it as diagnostic data. If you pass, it tells you what to reinforce for real-world Azure conversations. If you don’t pass, it tells you exactly where to invest your next study cycle—especially useful if your cloud concepts are strong but governance tools or core services are weak (a common split).

Exam Tip: Don’t interpret “strong in one domain” as permission to stop reviewing it. On retakes, the question mix changes; keep your strongest areas warm with light review while you rebuild weak ones.

Use your practice-test bank to simulate scoring discipline: track performance by objective area (cloud concepts, architecture/services, management/governance). The goal is not just a higher total percentage; it’s reducing the number of “uncertain guesses” you make per domain.

Section 1.5: Study strategy for beginners—how to use a test bank

A test bank is most powerful when it drives targeted learning, not when it becomes a guessing game. Beginners should use a 7– to 14-day plan that alternates between timed practice and concept repair. Day 1 should be a baseline attempt (not to “see how smart you are,” but to reveal objective gaps). Then you build short daily loops: practice → review explanations → fix notes → retest weak areas.

Here is a practical structure: take a set of questions under light time pressure, then spend at least the same amount of time reviewing explanations. Your review must answer three questions: (1) What concept was being tested (service type, deployment model, responsibility, architecture component, governance tool)? (2) What keyword in the prompt pointed to that concept? (3) What made the wrong options wrong?

When you review explanations, write “micro-notes” that are reusable: one-sentence definitions and one-sentence comparisons. Example patterns that appear frequently on AZ-900 include IaaS vs. PaaS responsibility boundaries; region vs. availability zone; subscription vs. resource group; and monitoring vs. advisory vs. policy enforcement. Build a personal glossary from your misses.

Exam Tip: If you get an item right but for the wrong reason, mark it as wrong in your tracker. AZ-900 punishes shaky reasoning because similar questions will swap one keyword and flip the correct answer.

Finally, avoid the biggest test-bank trap: memorizing letter choices. Shuffle question order, use mixed-topic sets, and periodically take a full-length timed session to ensure your knowledge transfers to new wording. Your goal is to recognize the concept even when Microsoft describes it in business language rather than technical jargon.

Section 1.6: Exam-day readiness—environment, pace, and stress control

On exam day, success is partly operational. Whether you test at home or at a center, remove friction. For online exams: clear your desk, silence devices, close background apps, disable notifications, and ensure stable internet. For test centers: arrive early, know the route, and minimize last-minute stress that can cause misreads and second-guessing.

Your pacing strategy should match fundamentals-style questions. Use a two-pass method: first pass answers the items you can resolve confidently; second pass returns to flagged questions. When you flag, add a reason in your head (“unsure between PaaS/SaaS,” “confused tool names,” “shared responsibility detail”). That reason will guide your reread and prevent random switching.

Stress control is a skill. If you feel stuck, do a short reset: reread the last sentence of the prompt, identify the objective category (cloud concept vs. core service vs. governance), then eliminate two options quickly. Most AZ-900 items become manageable once you re-anchor to the category and the single keyword that matters.

Exam Tip: Beware of changing answers late without new evidence. The most common regret is switching from a correct definition-based choice to a “sounds more advanced” distractor.

In the final minutes, prioritize high-confidence clean-up: verify “choose all that apply” selections and re-check questions where a single word (like “hybrid,” “private connectivity,” “identity,” “cost management,” or “compliance”) determines the answer. Then submit knowing you executed a repeatable process—not a last-minute scramble.

Section 2.1: Define cloud computing and key characteristics

Cloud computing is the on-demand delivery of computing services—compute, storage, networking, databases, analytics, and more—over the internet with pay-as-you-go pricing. For AZ-900, you don’t need to quote formal definitions, but you must recognize the characteristics that distinguish “cloud” from traditional hosting: rapid provisioning, pooled resources, measured usage, and broad network access.

Expect scenario questions where a company wants resources quickly without procuring hardware. That points to on-demand provisioning: you can create and tear down resources in minutes. Another recurring idea is resource pooling (multi-tenancy): the provider runs large shared infrastructure and allocates capacity dynamically. This is the foundation for economies of scale and also explains why you typically think in terms of services (VMs, storage accounts) rather than “a specific server in a specific rack.”

• On-demand provisioning: provision resources when needed without long procurement cycles.
• Scalable capacity: add/remove capacity to meet demand.
• Measured service: usage is metered; billing is tied to consumption.
• Broad network access: access services over standard networks from diverse devices.

Common trap: confusing “cloud” with “virtualization.” Virtual machines can exist on-premises. Cloud adds self-service provisioning, metered billing, and provider-managed facilities at scale.

Exam Tip: If the scenario highlights “avoid managing datacenter facilities” or “rapidly provision resources,” it’s pointing to cloud characteristics (not a specific Azure product). Don’t over-answer by picking a named service unless the question asks for one.

Section 2.2: Benefits—high availability, scalability, elasticity, agility

AZ-900 frequently tests your ability to separate similar-sounding benefits. High availability (HA) is about keeping an application accessible with minimal downtime through redundancy. The exam may describe targets like “99.9% uptime” or “minimize downtime.” That’s your cue for HA. In contrast, scalability and elasticity are about handling changes in load. Scalability is the ability to increase resources to meet demand (often planned or steady growth). Elasticity is the ability to automatically or rapidly scale out/in in response to changing demand (often unpredictable or spiky).

Agility is the organizational speed benefit: teams can experiment, deploy, and iterate faster because infrastructure is available immediately. If a scenario emphasizes faster time-to-market, shorter development cycles, or quick environment creation (dev/test), agility is the best match.

• High availability: redundancy to reduce downtime; often discussed in terms of SLAs.
• Scalability: handle growth by adding resources; can be vertical (scale up) or horizontal (scale out).
• Elasticity: automatically adjust resources to match demand fluctuations.
• Agility: faster provisioning and experimentation; accelerates delivery.

Common trap: choosing scalability when the scenario is about short-lived spikes (that’s elasticity) or choosing HA when the scenario is actually about performance under load (that’s scaling). Read for the “why”: uptime vs capacity vs speed of delivery.

Exam Tip: Words like “unexpected,” “seasonal,” “spiky,” or “automatically” usually indicate elasticity; words like “growth,” “increase users over time,” or “planned expansion” indicate scalability. Words like “downtime,” “service interruption,” or “SLA” indicate high availability.

Section 2.3: Benefits—fault tolerance, disaster recovery, global reach

Fault tolerance and disaster recovery (DR) are related but not interchangeable—AZ-900 likes this distinction. Fault tolerance is the ability to continue operating when components fail. Think “no single point of failure” and “automatic failover.” DR is the strategy for recovering from a major event (region outage, natural disaster, ransomware) by restoring services and data to meet defined recovery targets. Even if an app is highly available within a datacenter, it may still require DR to handle catastrophic events.

When questions mention “backup site,” “replication to another location,” “restore service after an outage,” or “business continuity,” you’re in DR territory. If they mention “component failure,” “disk failure,” “server failure,” or “automatic continuation,” fault tolerance is the closer concept.

Global reach refers to serving users in multiple geographies with low latency and regional presence. Azure’s worldwide infrastructure enables deploying closer to users, meeting data residency needs, and improving user experience. On the exam, “users worldwide” or “reduce latency for customers in different countries” is a strong global reach cue.

• Fault tolerance: design to withstand failures (redundancy, failover) with minimal impact.
• Disaster recovery: plan and processes to restore after major incidents; often involves secondary locations and backups.
• Global reach: deploy in multiple regions to serve users and meet compliance/residency needs.

Common trap: assuming backups alone equal DR. Backups support DR, but DR includes recovery procedures and meeting objectives (how quickly you recover and how much data loss is acceptable).

Exam Tip: If the scenario mentions “entire site/region unavailable,” think DR; if it mentions “hardware component fails,” think fault tolerance. If it mentions “customers on multiple continents,” think global reach.

Section 2.4: Consumption-based model and cost basics

The consumption-based model is central to cloud economics: you pay for what you use. This maps directly to OpEx (operational expenditure) rather than CapEx (capital expenditure). CapEx is upfront spending on physical infrastructure (servers, buildings). OpEx is ongoing spending as services are consumed (monthly bills). Many exam questions frame this as “reduce upfront costs,” “avoid purchasing hardware,” or “shift to monthly billing,” which points to OpEx and consumption-based pricing.

Economies of scale mean providers can buy hardware, power, and networking in bulk and operate at scale, often lowering unit costs. You don’t need to do math, but you must understand the intuition: shared infrastructure and high utilization can reduce costs, and cloud pricing aligns cost with demand.

• CapEx: upfront investment; risk of overprovisioning; depreciation over time.
• OpEx: pay-as-you-go; align spending with usage; easier to scale budgets with demand.
• Metering: usage tracked (CPU time, storage consumed, data egress) and billed accordingly.

Common trap: “Cloud is always cheaper.” The exam expects nuance: cloud can reduce upfront cost and improve flexibility, but costs can rise if resources are left running or scaled improperly. Another trap is ignoring that some charges depend on outbound data transfer or premium service tiers.

Exam Tip: When an option says “pay only for what you use,” it’s describing the consumption-based model. When it says “avoid purchasing and maintaining datacenter hardware,” it’s pointing to shifting CapEx to OpEx and leveraging provider-managed infrastructure.

Section 2.5: Common cloud scenarios and decision cues

AZ-900 scenarios are short; they hide the clue in one phrase. Train yourself to underline the requirement and map it to a concept. If a retailer experiences heavy traffic during holidays, that phrase signals elasticity (scale out for spikes, scale in afterward). If a startup wants to launch quickly without buying servers, that signals agility and OpEx. If a healthcare organization must keep services running during component failures, that signals fault tolerance and high availability (and potentially compliance, but that’s addressed more deeply in governance chapters).

Also expect “lift-and-shift” style cues: move an existing application to the cloud quickly with minimal changes. While this chapter focuses on fundamentals, the underlying concept is that cloud enables rapid provisioning and flexible scaling even when the architecture is unchanged. Conversely, “cloud-native” cues (microservices, managed services) point to maximizing agility and reducing management overhead, but don’t overcomplicate: many AZ-900 questions only want the benefit, not the architecture pattern.

• Unpredictable demand: choose elasticity.
• Steady growth: choose scalability.
• Minimize downtime / SLA: choose high availability.
• Recover from major outage: choose disaster recovery.
• Reduce latency worldwide: choose global reach.
• Avoid upfront purchase: choose OpEx / consumption-based model.

Common trap: answering with “high availability” when the scenario is about performance under load, or answering “scalability” when the scenario is about surviving failures. Separate capacity concerns from resilience concerns.

Exam Tip: If the scenario includes both “keep running during failures” and “recover if the whole location goes down,” it’s testing fault tolerance vs DR—pick the one that matches the failure scope described.

Section 2.6: Exam-style practice: cloud concepts (fundamentals set)

This practice set is designed to sharpen “concept matching,” which is the core AZ-900 skill in cloud fundamentals. When you review explanations, focus on why the correct concept is the best fit and why the distractors are tempting but wrong. Most wrong answers are not nonsense; they are real cloud benefits applied to the wrong problem.

Use a two-step method during practice: (1) identify the primary requirement (uptime, variable demand, rapid delivery, recovery, cost model, geographic reach), and (2) select the concept that directly addresses that requirement with the least assumptions. For example, if the requirement is “handle traffic spikes automatically,” the word “automatically” is a strong elasticity signal; scalability alone does not guarantee automation. If the requirement is “reduce upfront investment,” do not drift into technical resilience features—this is a finance model question (OpEx/consumption-based).

• How to spot HA questions: look for uptime targets, maintenance windows, or minimizing service interruption.
• How to spot elasticity questions: look for sudden peaks, seasonal events, or short-lived surges.
• How to spot DR questions: look for regional/site failure, restore operations, backups, or business continuity language.
• How to spot cost-model questions: look for budgeting language, upfront purchase avoidance, or pay-per-use.

Common trap: “Fault tolerance = disaster recovery.” Fault tolerance is staying up during smaller failures; DR is getting back after a big disruption. Another trap is thinking “global reach” automatically implies DR—global reach is often about latency and presence, while DR is about recovery.

Exam Tip: If two options both seem right, ask: “Which one is explicitly requested?” The exam rewards precision. Choose the concept whose definition includes the key phrase from the scenario (spikes, downtime, restore, worldwide users, pay-as-you-go).

Section 3.1: Cloud service types— IaaS, PaaS, SaaS comparisons

The AZ-900 objective here is your ability to distinguish IaaS, PaaS, and SaaS based on management responsibility and typical use cases. Think of them as a spectrum: more control (and more work) on the IaaS side, more convenience (and less control) on the SaaS side.

IaaS (Infrastructure as a Service) gives you building blocks: virtual machines, virtual networks, load balancers, and storage. You manage the guest OS, updates/patching, runtime, and your application. The provider manages the physical datacenter, physical network, and host infrastructure. Scenario clues: “need admin access to the OS,” “install custom software,” “migrate an on-prem server as-is,” or “configure IPs/subnets.”

PaaS (Platform as a Service) abstracts away the server/OS layer. You deploy code or a packaged app and focus on data and application logic while the provider manages OS, middleware, and often scaling and availability features. Scenario clues: “managed database,” “deploy web app without managing VMs,” “automatic patching,” or “built-in scaling.”

SaaS (Software as a Service) is a complete application delivered over the internet. You manage users, configuration, and your data within the app; the provider manages everything else, including the application itself. Scenario clues: “use the application,” “configure settings,” “no need to deploy code,” “subscription per user.”

• Common exam trap: Confusing “runs on a VM” with “IaaS.” Many SaaS and PaaS products run on VMs behind the scenes, but that doesn’t change what the customer manages.
• Common exam trap: Assuming PaaS means “no security responsibilities.” You still own data classification, identity/access, and secure configuration of your app and services.

Exam Tip: When answers look similar, anchor on OS responsibility. If you patch/manage the OS, it’s IaaS. If the provider patches the OS but you deploy code/configure the service, it’s PaaS. If you simply use the app, it’s SaaS.

Section 3.2: Serverless basics and why it matters (fundamentals)

Serverless is frequently tested as a concept, not as an implementation detail. In AZ-900 terms, “serverless” means you do not manage servers (or even app service instances) and you typically pay per execution/consumption. The provider handles scaling, availability, and infrastructure operations. You focus on code, triggers, and configuration.

Serverless is often described as event-driven: something happens (an HTTP request, a timer, a message arrival, a file upload), and your code runs in response. That makes it ideal for bursty workloads, automation tasks, lightweight APIs, and integrations. It also fits scenarios where you want rapid development without planning capacity.

Where learners get trapped is thinking serverless is “always cheaper.” It can be cost-effective for intermittent workloads, but sustained, high-throughput workloads may cost more than reserved/always-on options. The exam may hint at this by describing “infrequent” or “unpredictable” demand—those cues favor serverless.

• Serverless strengths: automatic scaling, reduced operations overhead, pay-per-use, fast time to value.
• Serverless considerations: execution time limits, cold start behavior, and architecture patterns that rely on events and stateless design.

Exam Tip: If the scenario says “run code when a file is uploaded” or “process messages when they arrive,” serverless/event-driven is the mental model the test is aiming for—choose the option that emphasizes triggers and consumption-based scaling rather than VM provisioning.

Section 3.3: Deployment models—public, private, hybrid

AZ-900 expects you to recognize cloud deployment models and match them to business constraints. The key is not memorizing definitions; it’s identifying why an organization would choose one model over another (compliance, latency, legacy dependencies, cost, agility).

Public cloud (e.g., Azure) uses shared provider infrastructure with logical isolation. It emphasizes elasticity, speed, and managed services. Use case cues: “rapid provisioning,” “global reach,” “avoid buying hardware,” “scale out quickly.”

Private cloud is cloud infrastructure dedicated to a single organization, often on-premises or hosted. It emphasizes control, customization, and specific regulatory or data residency requirements. Use case cues: “must keep all workloads on-prem,” “specialized hardware requirements,” “strict internal governance,” or “legacy environment that cannot move.”

Hybrid cloud combines public and private clouds with some level of integration (identity, networking, management, data replication, or workload portability). This is frequently tested because it is a practical transition state. Use case cues: “keep sensitive data on-prem but use public cloud for burst capacity,” “gradual migration,” “disaster recovery to cloud,” or “latency-sensitive local processing with cloud analytics.”

• Common exam trap: Thinking hybrid means “two public clouds.” Hybrid specifically involves private + public (or on-prem + public) integration.
• Common exam trap: Assuming private cloud automatically means “more secure.” Security depends on controls and operations; private changes ownership and isolation, not the need for good security practices.

Exam Tip: When a question mentions compliance, legacy systems, or “cannot move data off-site,” scan for private or hybrid. When it emphasizes agility and scaling without owning hardware, scan for public cloud.

Section 3.4: Multi-cloud concepts and common misconceptions

Multi-cloud means using services from more than one cloud provider (for example, Azure plus another provider). AZ-900 usually tests this at a definition-and-scenario level: why an organization might do it, and what it does not automatically solve.

Common multi-cloud motivations include avoiding vendor lock-in, meeting regional availability needs, integrating with acquisitions that already use another provider, or selecting best-of-breed services (e.g., one provider’s analytics with another’s SaaS ecosystem). It can also be part of risk management—distributing workloads so a single provider outage is less impactful—though that depends on architecture and operational maturity.

The misconception the exam likes to probe is that multi-cloud is “easy redundancy.” Running the same app across multiple providers requires duplicated networking patterns, identity strategy, observability, deployment pipelines, and security controls. You may reduce provider dependency, but you increase operational complexity.

• Common exam trap: Equating multi-cloud with hybrid. Multi-cloud is multiple public clouds; hybrid is private + public integration.
• Common exam trap: Assuming multi-cloud eliminates lock-in. You can still lock into higher-level managed services, data formats, and provider-specific tooling.

Exam Tip: If the scenario says “use two cloud providers,” choose multi-cloud. If it says “integrate on-premises with Azure,” choose hybrid. If it says “all in one provider,” it is a single public cloud deployment model, not multi-cloud.

Section 3.5: Shared responsibility model across service types

The shared responsibility model is a core AZ-900 concept: security and compliance responsibilities are divided between the cloud provider and the customer. The provider is always responsible for the security of the cloud (physical facilities, physical network, host infrastructure). The customer is always responsible for security in the cloud (data, identities, access controls, and how resources are configured and used).

Where responsibilities sit depends heavily on service type. In IaaS, the customer takes on more: OS patching, endpoint protection on the VM, configuration hardening, and application security. In PaaS, the provider manages the OS and runtime, while the customer still owns secure application configuration, secrets management, identity, and data governance. In SaaS, the provider manages the app, but the customer still controls user access, data sharing settings, and compliance usage (e.g., who can export data).

Security implications that show up in exam wording include identity and access management, encryption configuration, network exposure (public endpoints vs private access), and misconfiguration risks. The exam frequently frames shared responsibility as “who patches what” or “who is responsible for data.” Data responsibility remains with the customer in all models.

• Common exam trap: Picking “the cloud provider” for data protection responsibilities. Providers offer tools, but customers choose classifications, retention, access policies, and correct configuration.
• Common exam trap: Thinking PaaS/SaaS removes the need for identity management. User access, MFA choices, and role assignments remain customer decisions.

Exam Tip: If you see “physical security” or “datacenter,” that’s provider responsibility. If you see “user permissions,” “data,” “configuration,” or “access keys,” that’s customer responsibility—even for SaaS.

Section 3.6: Exam-style practice: service models & responsibility set

This section helps you build the mental routine AZ-900 rewards: identify keywords, map them to service type and deployment model, then apply shared responsibility. You are not being tested on deep Azure product configuration here; you are being tested on correct classification and accountability.

Start with the “control vs convenience” spectrum. If a scenario includes requirements like custom OS images, installing agents, or controlling patch windows, it points toward IaaS. If it mentions deploying code with minimal infrastructure management, it points to PaaS. If it describes consuming a finished business application, it points to SaaS. If it says “run code in response to an event” or “pay only when it runs,” it points to serverless.

Next, determine the deployment model. If the scenario emphasizes keeping resources on-premises or in a dedicated environment, it points toward private cloud. If it combines on-premises with public cloud services, it points toward hybrid. If it mentions using multiple providers, it points toward multi-cloud (not hybrid).

Finally, apply responsibility. A reliable technique is to list the layers: physical datacenter, network/hosts, OS, runtime/middleware, application, data, identities. Then decide who owns each layer based on the service type. In exam options, the correct choice is often the one that assigns OS responsibility to the customer only for IaaS and keeps data/identity responsibility with the customer for all models.

• How to identify correct answers: Look for options that say “customer manages OS” only under IaaS, and options that never transfer “data ownership” entirely to the provider.
• Common exam trap: Overthinking “managed” as meaning “no customer responsibilities.” Managed means fewer infrastructure tasks, not zero governance or security tasks.

Exam Tip: When two answer choices both sound plausible, choose the one that most directly matches the operational task in the prompt (patching, scaling, event trigger, app consumption). AZ-900 questions reward precise mapping of a single clue to the correct model.

Azure’s global infrastructure is a frequent AZ-900 target because it underpins resiliency, data residency, and service availability. A region is a geographic area containing one or more datacenters. When an exam stem says “deploy to West Europe,” it is asking for a region-level placement decision. A geography is a larger area (for example, Europe) that can matter for compliance and data residency, but AZ-900 most often tests the region as the deployable unit.

Availability zones are physically separate datacenters within a single Azure region, each with independent power, cooling, and networking. If a question emphasizes “datacenter failure” within a region and asks for the best resiliency choice, zones are the concept being tested. However, not every region supports zones, and not every service is zone-redundant everywhere—AZ-900 expects you to know the concept, not the regional matrix.

Region pairs are two regions in the same geography paired for disaster recovery and platform updates. If a stem mentions “disaster recovery across regions” or “planned updates,” region pairs are your mental model. Azure tends to sequence platform updates to paired regions to reduce simultaneous impact. Region pairs also support certain data replication behaviors for services that replicate across regions.

Exam Tip: Watch for wording: “high availability within a region” points to availability zones; “business continuity if an entire region goes down” points to multi-region design (often across a region pair). Don’t confuse zones (intra-region) with region pairs (inter-region).

• Region = where you deploy resources (geographic boundary).
• Availability zone = resiliency within a region (datacenter-level separation).
• Region pair = resiliency and update strategy across two regions (geography-level).

Common trap: choosing “availability zones” when the requirement is “data residency in a different country/region.” Zones do not change geography; they stay inside one region.

AZ-900 expects you to understand Azure’s hierarchy and why it exists: scope for access control, policy, and billing. At the top of the common exam hierarchy are management groups, which can contain multiple subscriptions. Use management groups when you need consistent governance (policy and role assignments) across many subscriptions—think enterprise-wide guardrails.

A subscription is primarily a boundary for billing and access control. Many exam items imply subscriptions by referencing “separate billing,” “department chargeback,” or “isolation between teams.” While technical isolation is not the primary purpose, subscriptions do create an administrative and quota boundary that organizations use to segment environments (dev/test/prod) and business units.

A resource group is a logical container for related resources that share a lifecycle. This is an exam favorite: if the stem says “delete all resources for a project at once,” or “manage these resources as a unit,” the answer is almost always resource group. Resources in a resource group can be in different regions (a subtle but testable fact), but they typically belong to one workload.

Exam Tip: When you see “apply a policy to multiple subscriptions,” think management group. When you see “separate invoices” or “separate cost tracking,” think subscription. When you see “deploy and delete together,” think resource group.

Common traps include mixing up scope: you cannot place a subscription inside a resource group; it’s the other way around (resource groups live inside subscriptions). Another trap is assuming a resource group is a security boundary by itself. Security boundaries are enforced through permissions (RBAC) at a scope (management group/subscription/resource group/resource), not by the container concept alone.

On AZ-900, “Azure resources” are the manageable items you create—VMs, storage accounts, VNets, databases, and so on. The key exam angle is that resources are created, updated, and deleted through a consistent control plane called Azure Resource Manager (ARM). ARM is the deployment and management layer that provides consistency: role-based access control, policy enforcement, tags, and standardized APIs.

If a scenario emphasizes “repeatable deployments,” “infrastructure as code,” or “deploy the same environment multiple times,” ARM templates (JSON) or Bicep (higher-level language that compiles to ARM) are the concepts being tested. You don’t need to write templates for AZ-900, but you should recognize that templates define resources declaratively and support idempotent deployments (deploying the same template repeatedly results in the desired state).

ARM also underpins how tools work: the Azure portal, Azure CLI, PowerShell, and SDKs all ultimately interact with ARM. So if the exam asks which capability provides consistent management across tools, ARM is the answer—not the portal itself.

Exam Tip: Learn to separate “control plane” from “data plane” thinking. ARM governs creation/management (control plane). Accessing the data inside a service (for example, reading blobs from a storage account) is data plane and often uses different permissions and endpoints.

• ARM benefits that show up in exam explanations: consistent management, tags, RBAC integration, Policy, templates.
• Resources belong to a resource group; resource groups belong to a subscription.

Common trap: assuming “ARM” is a monitoring tool. Monitoring is typically Azure Monitor; ARM is the management/deployment layer.

Identity is a core service category in Azure because almost every management action and many data actions require an identity decision. Microsoft Entra ID (formerly Azure Active Directory) is Azure’s cloud-based identity and access management service. AZ-900 frequently tests what Entra ID is used for: user and group identities, application registrations, single sign-on, and issuing tokens for Azure and Microsoft 365 services.

The highest-yield distinction is authentication vs authorization. Authentication answers “Who are you?” (validating credentials and issuing a token). Authorization answers “What are you allowed to do?” (permissions). In Azure, authorization for management actions is commonly implemented with Azure RBAC (role-based access control), where roles are assigned at a scope (management group, subscription, resource group, or resource).

Exam Tip: If a stem says “users can sign in but can’t create resources,” authentication is working but authorization is missing—look for RBAC role assignment. If it says “prevent sign-in,” think authentication controls (account status, conditional access in broader contexts), but AZ-900 mainly wants the basic auth vs authz distinction.

Another concept that appears is “least privilege”: assign only the permissions required. On the exam, “Owner” is almost never the best answer unless full administrative control is explicitly needed. “Contributor” can manage resources but not grant access, while “Reader” can view resources. Understanding these at a recognition level helps you eliminate overly permissive options.

Common trap: confusing Entra ID with Active Directory Domain Services (AD DS). Entra ID is not a traditional domain controller; it’s an identity provider. If a stem requires legacy domain join/LDAP/Kerberos in Azure, that points toward Azure AD DS (managed domain services), not Entra ID alone.

Networking questions in AZ-900 are typically service-selection: which component provides isolation, which provides connectivity, and which provides name resolution. An Azure Virtual Network (VNet) is the foundational private network in Azure. It contains address spaces and subnets, enabling resources like VMs to communicate privately. If the stem says “private IP communication” or “isolate workloads,” VNet is the anchor concept.

To connect an on-premises network to Azure privately, the exam usually offers VPN Gateway and ExpressRoute. VPN Gateway provides encrypted connectivity over the public internet (site-to-site or point-to-site). ExpressRoute provides a private connection through a connectivity provider, offering more consistent performance and typically lower latency than internet-based VPN.

Exam Tip: Look for keywords: “over the internet” or “encrypted tunnel” suggests VPN Gateway; “private dedicated connection” and “no public internet” suggests ExpressRoute. Don’t overthink throughput numbers—AZ-900 is concept-level.

DNS resolves names to IP addresses. Azure provides Azure DNS for hosting DNS zones and also provides DNS services within VNets for internal name resolution. If a stem is about “users can’t reach an app by name but can by IP,” DNS is the likely missing piece. If the requirement is “custom domain records,” that’s DNS hosting; if it is “VMs resolve each other’s names,” that’s VNet name resolution (often via Azure-provided DNS or custom DNS servers).

• VNet = private network boundary in Azure.
• VPN Gateway = encrypted connectivity over public internet.
• ExpressRoute = private, dedicated connectivity path.
• DNS = name resolution (public zones and internal scenarios).

Common trap: choosing ExpressRoute for a requirement that only says “secure.” VPN is also secure (encrypted); ExpressRoute’s differentiator is private connectivity and predictable performance, not “security exists vs doesn’t exist.”

This section ties together the chapter’s lessons—global infrastructure, core services at a glance, and networking/identity fundamentals—using the way AZ-900 scenarios are typically structured. The exam often presents a short story and then asks you to select the best concept or service. Your job is to identify the category first (location, organization scope, deployment method, identity, connectivity), then match the Azure term.

When the scenario is about where to place workloads for resiliency, look for whether the risk is a single datacenter failure (availability zones) or a regional outage (multi-region/region pairs). When it’s about how an organization structures environments and costs, map “central governance across many subscriptions” to management groups, “billing boundary” to subscriptions, and “lifecycle grouping” to resource groups.

For deployment and change management language like “standardize,” “repeat,” “automate,” or “consistent,” pivot to ARM and templates/Bicep. If the stem is about “who can sign in” versus “who can delete,” separate authentication (Entra ID identity and sign-in) from authorization (RBAC at scope). For connectivity, decide whether the requirement is “private network in Azure” (VNet), “encrypted tunnel over internet” (VPN Gateway), “private circuit” (ExpressRoute), or “name-to-IP” (DNS).

Exam Tip: Use elimination strategically. If the question is about authorization and one option is “Microsoft Entra ID” and another is “Azure RBAC,” pick RBAC. Entra ID provides identities and authentication; RBAC grants permissions. Similarly, if the stem explicitly mentions “private connection that does not traverse the public internet,” eliminate VPN Gateway and choose ExpressRoute.

Common trap pattern: the exam mixes a correct concept with the wrong scope. For example, a correct governance tool (policy/RBAC) but at the wrong level (resource group vs subscription vs management group). Always ask: “How broadly must this apply?” The broader the requirement, the higher the likely scope in the hierarchy.

Section 5.1: Compute options—VMs, App Service, Containers, Functions (overview)

AZ-900 expects you to distinguish Azure compute offerings by the level of management you retain versus what Azure manages for you. Start with Azure Virtual Machines (VMs) (IaaS): you manage the OS, patches, and installed software. VMs fit “lift-and-shift” migrations, legacy apps, and cases requiring full admin access. If a prompt mentions RDP/SSH, custom drivers, or specific OS-level configuration, a VM is usually the best match.

Azure App Service is PaaS for hosting web apps, APIs, and mobile back ends. You deploy code; Azure manages OS and runtime patching. Look for phrases like “host a website,” “deploy quickly,” “built-in scaling,” and “no need to manage servers.” App Service commonly beats VMs on the exam when the app is a typical web workload and the scenario doesn’t demand OS control.

Containers (for example, Azure Container Instances and Azure Kubernetes Service) package the app and dependencies. The exam typically tests recognition: containers are lightweight, portable, and consistent across environments. Choose Azure Container Instances (ACI) for simple container execution without orchestration; choose AKS when the scenario mentions orchestrating many containers, microservices, or Kubernetes.

Azure Functions is serverless: event-driven code that scales automatically and bills per execution. Keywords include “run code on a schedule,” “trigger when a file is uploaded,” “process queue messages,” and “only run sometimes.” Exam Tip: “Serverless” on AZ-900 usually means Functions or similar event-driven services; don’t confuse it with “no servers exist.” The servers are still there—Azure just abstracts them away.

Common traps: (1) Picking VMs when the requirement is simply to host a web app—App Service is typically the better fit. (2) Confusing “containers” with “VMs”: containers share the host OS kernel and are not full VMs. (3) Assuming AKS is always required for containers—many exam scenarios are satisfied with ACI if orchestration isn’t mentioned.

Section 5.2: Storage services—Blob, Files, Disk, and redundancy basics

Azure storage questions often hinge on choosing the right storage type and understanding redundancy options. Azure Blob Storage is object storage for unstructured data like images, videos, backups, and logs. If the scenario mentions “store files for an application,” “HTTP access,” “data lake-style storage,” or “massive scale,” Blob is a prime candidate.

Azure Files provides managed file shares, commonly accessed via SMB (and sometimes NFS). Use it when the prompt explicitly references file shares, shared drives, or “lift-and-shift file server” patterns where applications expect a traditional file system interface.

Azure Disk Storage provides block storage for VMs (OS disks and data disks). If you see “attach to VM,” “persistent disk,” or “boot volume,” that points to Disks, not Blob or Files. Common trap: Disks are not used as a general shared file share for many servers; they’re typically tied to VM usage patterns.

AZ-900 also expects basic recognition of messaging storage: Queue storage is for simple message queues to decouple components. It’s not the same as Azure Service Bus (richer enterprise messaging), but at a fundamental level, choose Queue storage for “store messages to be processed later” scenarios.

Redundancy appears frequently. Know the terms: LRS (Locally Redundant Storage) replicates within a single datacenter region; ZRS (Zone-Redundant Storage) replicates across availability zones in a region; GRS (Geo-Redundant Storage) replicates to a paired region; and GZRS combines zone and geo redundancy. Exam Tip: If a question highlights “region-wide outage” resilience, pick a geo-redundant option (GRS/GZRS). If it highlights “datacenter failure within a region,” ZRS is the keyword match.

Finally, remember that storage accounts and services are regional, and performance/cost trade-offs exist. The exam won’t demand deep tuning, but it will test whether you know which service is “object vs file vs disk” and what redundancy choices imply.

Section 5.3: Databases and analytics fundamentals (overview-level recognition)

Data service questions on AZ-900 are primarily recognition-based: identify whether the requirement is relational, NoSQL, big data analytics, or data integration. Azure SQL Database is a managed relational database (PaaS). If the scenario mentions “relational,” “SQL,” “transactions,” “ACID,” or “managed database without server maintenance,” Azure SQL Database is the typical answer. If it mentions full SQL Server control on a VM, that shifts toward SQL Server on Azure VMs (IaaS), but the exam usually prefers PaaS when “managed” is emphasized.

Azure Cosmos DB is a globally distributed NoSQL database. Look for “low latency worldwide,” “automatic scaling,” “schema-less,” “key-value/document/graph,” and “multi-region writes.” A common trap is to choose Cosmos DB just because it’s “fast”—the scenario must imply NoSQL or global distribution needs.

For analytics recognition, know that Azure Synapse Analytics relates to data warehousing and analytics at scale, while Azure Databricks aligns with Apache Spark-based analytics and data engineering. If the prompt mentions “ETL/ELT,” “data pipelines,” or “move/transform data between services,” recognize Azure Data Factory as the data integration/orchestration service.

Exam Tip: If the question focuses on “reporting and dashboards,” that may be more about visualization (often Power BI), but AZ-900 typically stays at the level of selecting the correct Azure data platform component. Choose the simplest service that matches the data model: relational → Azure SQL; NoSQL/global distribution → Cosmos DB; orchestration → Data Factory; analytics warehouse → Synapse.

This section also connects to storage concepts: many analytics workloads use Blob storage as a landing zone for raw data. When you see “store raw logs, then analyze later,” the correct pairing is often Blob + an analytics service, not a database alone.

Section 5.4: Management tools—Portal, Cloud Shell, Azure CLI, PowerShell

Azure management tool questions test whether you can match the interface to the task and recognize command-line options. The Azure portal is the browser-based GUI for creating, configuring, and monitoring resources. It’s the default management plane experience and often the correct answer when the prompt says “from the browser” or “graphical interface.”

Azure Cloud Shell is an interactive shell environment available in the portal (and via shell.azure.com). It provides authenticated access and includes tools like Azure CLI and PowerShell without requiring local installation. It’s commonly correct when a scenario says “run commands from a browser” or “no local setup.” Exam Tip: If the question hints that the user is on a locked-down workstation or cannot install tools, Cloud Shell is a strong choice.

Azure CLI is a cross-platform command-line tool (Bash-style commands such as az) used to manage Azure resources. Azure PowerShell is the PowerShell module set (cmdlets) for managing Azure, often chosen when the scenario emphasizes PowerShell scripting, Windows admin workflows, or existing PowerShell automation.

On the exam, don’t overcomplicate the selection: Portal (GUI), Cloud Shell (browser-based CLI/PS), Azure CLI (cross-platform command line), Azure PowerShell (PowerShell cmdlets). Common trap: confusing Cloud Shell with Azure CLI. Cloud Shell is the environment; Azure CLI is one of the tools you can run inside it (as well as locally).

Also recognize that most resource deployment can be automated. While deeper infrastructure-as-code details appear more in other exams, AZ-900 may still reference templates conceptually; your job is to know that Azure provides multiple management approaches and that automation is a first-class option.

Section 5.5: Governance—RBAC, policies, blueprints/concepts, and resource locks

Governance is a high-yield area because many terms sound similar. Start with RBAC (Role-Based Access Control): it controls who can do what at a given scope (management group, subscription, resource group, resource). If the scenario is about granting permissions to users, groups, or applications, RBAC is the tool. Typical roles include Owner, Contributor, and Reader, but AZ-900 focuses on the concept more than memorizing role definitions.

Azure Policy enforces rules about resources—what is allowed to be created or how resources must be configured. Think “allowed locations,” “require tags,” “restrict SKU,” or “enforce encryption.” Policy is about compliance and standardization, not about assigning user permissions. Common trap: choosing RBAC to “prevent creation of a resource type.” That’s usually Policy, because it governs resource properties and deployment rules.

Azure Blueprints (often tested as a concept even as product capabilities evolve) package governance artifacts—policy assignments, role assignments, templates—into a repeatable environment definition. On fundamentals questions, interpret Blueprints as “deploy a governed landing zone consistently.” Even if the platform messaging changes over time, the exam objective is recognizing the idea of repeatable, compliant deployments.

Resource locks prevent accidental deletion or modification. Two core lock types are typically described: “CanNotDelete” (can read/modify but not delete) and “ReadOnly” (no modifications). If the scenario says “prevent accidental deletion of a critical resource,” locks are the clean answer. Exam Tip: Locks don’t replace RBAC or Policy; a user with sufficient permissions can still manage locks, and locks are mainly for preventing mistakes, not enforcing enterprise-wide rules.

To identify correct answers, map the requirement: permissions → RBAC; enforce standards → Policy; repeatable governed environments → Blueprints concept; prevent accidental changes/deletion → locks.

Section 5.6: Cost & monitoring—Pricing Calculator, TCO, budgets, Advisor, Monitor

Management and governance also include controlling spend and observing system health. For estimating costs before deployment, know the Azure Pricing Calculator: it estimates monthly costs for specific Azure services based on selected configurations. The Total Cost of Ownership (TCO) Calculator compares on-premises costs to running in Azure, helping justify migration scenarios.

Within Azure, Cost Management + Billing supports cost analysis and budgets. Budgets allow alerts when spending approaches or exceeds thresholds. If a scenario mentions “notify when costs exceed a limit,” budgets/alerts are the correct conceptual match. Exam Tip: The Pricing Calculator is not an enforcement tool; it’s for estimation. Budgets are for tracking and alerting after/while consuming Azure services.

Azure Advisor provides recommendations across key categories like cost, security, reliability, operational excellence, and performance. If a prompt asks for “recommendations to reduce cost” or “best practices,” Advisor is a frequent answer choice. A common trap is confusing Advisor with Monitor: Advisor recommends; Monitor observes and collects.

Azure Monitor is the umbrella service for collecting metrics and logs, generating alerts, and visualizing health. If the scenario says “collect telemetry,” “create alerts,” “view metrics,” or “analyze logs,” Azure Monitor is likely correct. Related concepts like Log Analytics workspaces and Application Insights may appear as named components; at AZ-900 level, treat them as parts of the overall monitoring story.

Tie this back to governance: cost control and monitoring are ongoing processes. The exam tests whether you can pick the right tool at the right stage—estimate (Pricing/TCO), manage and alert (budgets, cost analysis), optimize (Advisor), and observe/alert operationally (Monitor).

Section 6.1: Mock exam rules, timing plan, and how to review

Run your mock exam like it is the real AZ-900: no notes, no internet, no pausing, and no “just checking one thing.” This matters because many misses come from timing pressure and second-guessing, not a lack of knowledge. Set a single sitting, silence notifications, and treat every question as final unless you explicitly flag it.

Timing plan: target a steady pace and avoid spending too long on early items. Many AZ-900 questions are short and definition-based; if you’re stuck, it’s usually because you’re debating between two similar options (for example, Azure Policy vs RBAC). In that case, flag and move on. Reserve a final review block for flagged items only.

Exam Tip: Use a “two-pass” strategy. Pass 1: answer everything you can in under 45–60 seconds; flag anything uncertain. Pass 2: return to flags and eliminate options systematically based on scope, responsibility, and service category.

• Rule: Don’t change answers without a concrete reason (a specific definition or scope boundary).
• Rule: If two options both sound plausible, ask what the question is testing: cost management, governance enforcement, identity, or service model.
• Review trigger: Any item involving “who is responsible,” “best tool,” “reduce cost,” or “ensure compliance” deserves extra care.

Your review process is as important as your score. After the mock, categorize every miss by objective (cloud concepts, architecture/services, governance/management) and by failure type (definition confusion, scope confusion, misread requirement, or guessed without elimination). That categorization becomes your weak spot analysis in Section 6.5.

Section 6.2: Full mock exam—Domain mix (Cloud Concepts focus)

Mock Exam Part 1 emphasizes Cloud Concepts: cloud computing principles, benefits, service types, deployment models, and shared responsibility. The AZ-900 exam repeatedly tests whether you can classify a statement correctly (CapEx vs OpEx, scalability vs elasticity, high availability vs fault tolerance) and whether you can select the correct service model for a need.

Key concepts you must be able to identify quickly:

• Consumption-based model: pay for what you use; ties to OpEx and agility.
• Elasticity vs scalability: elasticity is automatic up/down with demand; scalability is ability to add resources (vertical/horizontal).
• Public vs private vs hybrid: hybrid blends on-prem and cloud; watch for “regulatory” or “data residency” hints.
• IaaS/PaaS/SaaS boundaries: IaaS gives you the most control (and responsibility); SaaS gives the least control (and least responsibility).

Exam Tip: When a prompt mentions “managing the OS,” it’s almost always an IaaS clue. When it mentions “focus on app code” with minimal platform management, think PaaS. When it mentions “use the application” with no infrastructure management, think SaaS.

Common trap: assuming “cloud” always means “Azure-hosted everything.” Some questions test hybrid realities: you can integrate on-prem identity (e.g., synchronization) while using cloud resources. Another trap is mixing benefits: “disaster recovery” is a business continuity strategy, while “high availability” is architecture within a region or across zones/regions. If the scenario requires surviving a datacenter failure, availability zones or region pairs are the concept anchor; if it requires recovering after a major outage, think backup/replication and DR planning.

During Part 1 review, don’t just memorize definitions—practice classifying statements. If you can label each line as a benefit, a service model trait, or a deployment model trait, you’ll eliminate wrong answers fast.

Section 6.3: Full mock exam—Domain mix (Azure services + governance focus)

Mock Exam Part 2 shifts to Azure architecture/services and management/governance: regions, subscriptions, resource groups, core compute/network/storage/identity services, plus cost management and compliance tooling. The exam expects fundamentals-level recognition—what the service is for, where it fits, and what problem it solves.

Architecture scope is a frequent test point:

• Resource: the actual service instance (VM, storage account).
• Resource group: a logical container; lifecycle management boundary is often tested.
• Subscription: billing and access boundary; many governance and spending questions point here.
• Management groups: govern multiple subscriptions—often the “enterprise-scale” clue.

Compute/service recognition often shows up as “choose the right tool”:

• Virtual Machines: IaaS compute; you manage the OS.
• App Service: PaaS for web apps/APIs.
• Container options: recognize the concept (containers) and that orchestration differs from simple container hosting.
• Networking basics: VNets, subnets, VPN Gateway, and peering are common.
• Storage: blob vs file vs queue vs table; plus redundancy choices (LRS/ZRS/GRS) at a concept level.
• Identity: Microsoft Entra ID (Azure AD) for identity; RBAC for authorization; MFA/Conditional Access are security controls (licensed features may be referenced conceptually).

Governance is where traps live because names overlap:

Exam Tip: If the requirement is “enforce” or “prevent noncompliant resources,” think Azure Policy. If the requirement is “who can do what,” think RBAC. If the requirement is “track spend and optimize,” think Cost Management. If the requirement is “monitor metrics and logs,” think Azure Monitor.

Another common trap: mistaking monitoring for security/compliance. “Alert on CPU” is monitoring; “ensure resources meet a standard” is policy/compliance. In Part 2, practice mapping each scenario to the correct plane: identity, networking, compute, storage, governance, or monitoring. That mapping is the fastest path to the correct choice.

Section 6.4: Detailed answer review method—why each option is right/wrong

Your score improves fastest when you review like an examiner, not like a student. For every missed or guessed item, write a one-line “why right” and a one-line “why wrong” for each distractor. The goal is to build discrimination—knowing why similar services are not interchangeable under exam wording.

Use this four-step method:

• Step 1: Restate the requirement in your own words (e.g., “enforce a tagging rule across subscriptions”). This prevents you from solving a different problem than the one asked.
• Step 2: Identify the exam objective domain (cloud concepts, architecture/services, governance/management). Many wrong answers come from picking a correct service in the wrong domain.
• Step 3: Eliminate by scope and responsibility. Ask: is this about billing boundary (subscription), lifecycle boundary (resource group), or org-wide governance (management group)? Is it about Microsoft’s responsibility vs customer responsibility?
• Step 4: Validate with a keyword from the option: “monitor,” “enforce,” “authorize,” “estimate cost,” “deploy.” Keywords align to Azure Monitor, Policy, RBAC, Pricing Calculator/Cost Management, and ARM/Bicep tools respectively.

Exam Tip: When two options both sound like “security,” separate them: RBAC controls access; Policy controls compliance; Defender for Cloud improves security posture and recommendations; Microsoft Entra ID provides identity. The exam loves these near-miss distractors.

Track patterns in your errors. If you frequently miss “regions vs availability zones” questions, your issue is resiliency vocabulary. If you miss “resource group vs subscription,” your issue is scope boundaries. Your weak spot analysis (next section) should be driven by these patterns, not by raw score alone.

Section 6.5: Final review by objective: fast recall sheets and last-minute traps

This is your “weak spot analysis” turned into action. Build fast recall sheets—short, exam-aligned bullet lists you can rehearse quickly. Organize them by the AZ-900 outcomes, and include the traps you personally fell for in the mocks.

Objective-based recall prompts:

• Cloud concepts: define CapEx/OpEx; differentiate elasticity vs scalability; identify IaaS/PaaS/SaaS by who manages OS/runtime/app.
• Deployment + shared responsibility: know what customers always manage (data, identities, access) vs what Microsoft manages (physical datacenter, core infrastructure), and how responsibility shifts by service model.
• Azure architecture: region, region pair, availability zones; management group vs subscription vs resource group vs resource.
• Core services: VM vs App Service; VNet basics; storage types and redundancy; identity basics (Entra ID, RBAC, MFA conceptually).
• Governance + compliance: Policy vs RBAC; resource locks; tags; Microsoft Purview and compliance offerings at a high level; Cost Management vs Pricing Calculator differences.
• Management tools: Azure Portal, Azure CLI, Azure PowerShell; ARM templates/Bicep concepts; Azure Monitor, Service Health, Advisor.

Exam Tip: Last-minute trap to avoid: treating Advisor as an enforcement tool. Advisor recommends; Policy enforces. Another trap: confusing Service Health (platform incidents and planned maintenance) with Azure Monitor (your resource telemetry). If the question mentions “Azure-wide outage” or “planned maintenance,” Service Health is usually the intended match.

Finish your final review by re-attempting only the categories where you missed repeatedly, not the entire bank. Repetition on weak objectives yields higher score gains than re-reading strengths.

Section 6.6: Exam day checklist and confidence plan

On exam day, your job is execution. Use a checklist to remove decision fatigue and protect your timing plan.

• Environment: stable internet (if remote), quiet space, ID ready, test area cleared; for test center, arrive early.
• Mindset: expect a few unfamiliar phrasings—AZ-900 tests concepts, so rephrase the requirement and anchor to the objective domain.
• Pacing: run the two-pass approach from Section 6.1; don’t let one item steal time from many.
• Reading discipline: underline the verb mentally: “identify,” “choose,” “ensure,” “reduce cost,” “enforce,” “monitor.” The verb points to the service category.
• Final review: revisit only flagged items; do not “tour” the entire exam changing answers impulsively.

Exam Tip: When you feel stuck, go back to boundaries: (1) service model responsibilities, (2) scope level (resource/resource group/subscription/management group), and (3) tool intent (recommend vs enforce vs monitor vs authorize). These three lenses resolve most 50/50 choices.

Confidence plan: before you click submit, verify that your choices are consistent with the requirement and that you didn’t select an option that is “true” but not the “best fit.” AZ-900 is full of plausible distractors. If you can explain why the chosen tool is the most direct match—especially for governance and management—you’re performing at a pass-ready level.