AZ-900 Practice Test Bank: 200+ Questions with Detailed Answers

Section 1.1: What AZ-900 measures: Azure Fundamentals scope and domains

AZ-900 is a fundamentals exam mapped to three high-level objectives: (1) Describe cloud concepts (cloud models, consumption-based pricing, benefits, and terminology), (2) Describe Azure architecture and services (regions, subscriptions, compute, networking, storage, identity), and (3) Describe Azure management and governance (cost management, security, compliance, governance features). Expect questions that ask you to classify: “Is this IaaS/PaaS/SaaS?”, “Which Azure resource type provides this capability?”, or “Which governance tool addresses this requirement?”

Microsoft updates exact domain weighting over time, so your job is to study by objective rather than memorize a stale percentage. Still, use weighting as a prioritization tool: if you consistently miss identity (Azure AD concepts), subscription/management groups, or cost governance, you’re leaving easy points on the table because these areas show up frequently in fundamentals exams.

Exam Tip: When a question mentions “shared responsibility,” “reducing operational overhead,” or “managed platform,” it’s usually probing cloud model distinctions (IaaS vs PaaS vs SaaS) and who manages what. Underline the verb: manage, configure, deploy, patch. Those verbs signal the intended service model.

• Cloud concepts: CapEx vs OpEx, elasticity, scalability, high availability, disaster recovery, and consumption-based pricing.
• Architecture & services: Regions/region pairs, availability zones, subscriptions/resource groups, core compute (VMs, containers), networking basics (VNets, VPN, ExpressRoute), storage types, and identity (Azure AD).
• Management & governance: Azure Policy, RBAC, resource locks, tags, Microsoft Defender for Cloud basics, compliance offerings, and cost tools.

Common trap: assuming “Azure” answers always mean “more secure” or “always cheaper.” The exam expects trade-offs: cloud reduces CapEx, but costs depend on usage; security is a shared responsibility; and design choices (zones, redundancy) affect price and resilience.

Section 1.2: Exam logistics: registration, delivery options, and ID requirements

Register through Microsoft Learn/Certification dashboard, which routes to the exam delivery provider. You’ll typically choose between an in-person test center and online proctoring. The content is the same; the risk profile is not. Online delivery introduces room-scan rules, webcam reliability, and stricter environment constraints, while test centers reduce technical issues but require travel and scheduling flexibility.

Plan your exam date backward from your study plan. If you’re using a 2-week sprint, schedule immediately to create urgency; if you’re using a 4-week plan, schedule after you’ve completed at least one full diagnostic set so you can choose a realistic date.

Exam Tip: Online proctoring failures often come from preventable causes: unstable internet, prohibited desk items, secondary monitors, or background noise. Treat setup like a checklist task the day before, not minutes before.

• ID requirements: Use government-issued photo ID matching the name on your registration. Mismatched names are a frequent “day-of” issue.
• Testing environment: Clear desk, silence notifications, remove notes/phones, and ensure you can complete a full room scan if required.
• Arrival time: Whether remote or in-person, budget extra time for check-in, identity verification, and any queue.

Common trap: assuming you can “look up” terms during the exam. AZ-900 is closed-book. If you depend on last-minute searching, you’ll struggle with terminology-based questions (e.g., governance tool names) that require instant recognition.

Section 1.3: Question formats: multiple choice, case-style prompts, and best-answer logic

AZ-900 questions are designed to test recognition and decision logic, not deep configuration. You’ll see standard multiple choice, “select all that apply,” matching, and short scenario/case-style prompts. Case-style prompts in fundamentals exams are usually lightweight: a paragraph describing a company goal (reduce cost, improve resiliency, meet compliance) followed by a service or concept selection.

The exam frequently uses “best answer” logic. Two options may look plausible, but one maps more directly to the requirement. Train yourself to translate the prompt into exam objectives: Is this about cloud benefits (elasticity, global reach)? Is it governance (Policy vs RBAC vs locks)? Is it architecture (regions vs availability zones)? Once you label the objective, distractors become easier to eliminate.

Exam Tip: Read the last line first. Many stems end with a precise requirement like “minimize administrative effort” (pushes you toward PaaS/SaaS) or “requires full control over the OS” (pushes you toward IaaS/VMs).

• Distractor pattern: a real Azure service with the wrong purpose (e.g., choosing a monitoring tool for a governance requirement).
• Keyword traps: “high availability” vs “disaster recovery,” “scaling up” (vertical) vs “scaling out” (horizontal), “authorization” (RBAC) vs “authentication” (Azure AD sign-in).
• Absolutes: Answers with “always/never” are often wrong unless the concept is definitional.

When stuck, eliminate by category. If the question is clearly about cost governance, options that are compute services are likely distractors. If it’s about identity, storage options are noise. This “category filter” is a repeatable exam skill.

Section 1.4: Scoring, pass/fail expectations, and retake planning

Microsoft exams report a scaled score; for AZ-900, the common passing threshold is 700 on a 1000-point scale (Microsoft can adjust scoring and does not publish a simple “X correct = pass” rule). Don’t waste energy trying to reverse-engineer raw scoring. Focus on consistent performance across domains and on reducing avoidable errors from misreading.

Set expectations: if you’re new to cloud, your first diagnostic attempt may feel rough because the exam is terminology-dense. That’s normal. You’re aiming for stable readiness signals: high accuracy on fundamentals vocabulary, confident domain mapping, and consistent results on mixed sets under time constraints.

Exam Tip: Build a “pass buffer.” If your practice sets average 70%, you are on the edge because exam-day anxiety and new question phrasing can drop you a few points. Aim for 80–85% on timed mixed sets before you sit.

Retake planning is part of strategy, not pessimism. If you do not pass, schedule the next attempt based on your error log themes (e.g., “identity and governance tools”) rather than restarting everything. The fastest retake preparation targets the top 3 miss categories, drills them, then returns to full mixed exams to confirm integration.

• Common scoring trap: spending too long perfecting one hard question and then rushing the last third.
• Common process trap: changing correct answers due to second-guessing without new evidence from the stem.

Adopt a simple rule: only change an answer if you can point to a specific word in the question that proves your new choice is better.

Section 1.5: Study strategy: spaced repetition, error logs, and review cycles

Your study plan should mirror how AZ-900 is built: broad coverage plus repeated exposure to core terms. Spaced repetition is ideal for Azure Fundamentals because many misses come from confusing similar-sounding tools (Policy vs RBAC vs locks) or mixing architectural scope (resource group vs subscription vs management group; region vs availability zone).

Create an error log with three columns: (1) concept/objective, (2) why you missed it (knowledge gap vs misread vs distractor), and (3) the “rule” you’ll use next time. The “rule” is key—short, test-ready statements like “Policy enforces standards; RBAC grants permissions; locks prevent changes.” Review these rules every 2–3 days.

Exam Tip: Don’t just re-do questions until you memorize the letter choice. Force retrieval: cover the options and explain the concept first, then reveal the answers. This prevents false confidence.

Two workable timelines:

• 2-week plan: Days 1–3 diagnostic + cloud concepts; Days 4–7 architecture/services; Days 8–10 management/governance; Days 11–13 timed mixed sets + targeted remediation; Day 14 full mock and final review.
• 4-week plan: Week 1 foundations + diagnostic; Week 2 architecture/services deep pass; Week 3 governance/identity focus; Week 4 mixed exams, timing, and consolidation via error-log reviews.

Common trap: over-studying one comfort domain (often cloud concepts) and under-studying governance tooling names. AZ-900 loves “what tool does what” because it’s easy to assess and very relevant to real Azure usage.

Section 1.6: How to use this test bank: timing, remediation, and progress tracking

This 200+ question test bank is most valuable when you use it as a measurement and feedback system, not entertainment. Start with an untimed diagnostic set to expose weak domains without pressure. Then move quickly to timed practice, because AZ-900 success depends on steady pacing and accurate first-pass decisions.

Use a three-pass workflow:

• Pass 1 (learn): Small sets by domain. After each set, read explanations and update your error log with a one-sentence rule.
• Pass 2 (integrate): Mixed sets that force domain switching (cloud concepts → services → governance). This simulates real exam cognition.
• Pass 3 (validate): Full mock exam mapped to the official domains to confirm balanced readiness and timing.

Exam Tip: Track performance by objective, not just overall score. If you’re at 90% in cloud concepts but 65% in governance, you are not “almost ready”—you are predictably vulnerable to a domain-heavy exam form.

Timing guidance: set a per-question budget and practice moving on. Mark-and-review is useful, but avoid “review paralysis.” Your best ROI is answering all questions once, then revisiting flagged items if time remains.

Remediation rule: never retake a set immediately. Wait at least 48 hours before reattempting similar questions so you test retention, not short-term memory. Finally, define a readiness gate: two consecutive mixed timed sets at your target score (e.g., 80–85%) plus a clean error log review where you can explain each rule without prompts.

The AZ-900 exam frequently tests cloud benefits as vocabulary-plus-scenario matching. You must distinguish between terms that overlap in everyday speech but have precise exam meanings.

High availability (HA) is about minimizing downtime by designing for redundancy and quick recovery. The question stems usually mention “service must remain available,” “minimize outages,” or “SLA.” Cloud platforms enable HA through redundant infrastructure and managed services that offer built-in availability features. On the exam, select answers that emphasize redundancy, failover, or designed uptime—not “backup” alone (backup supports recovery, not continuous availability).

Scalability is the ability to increase or decrease resources to meet demand, typically implying planned capacity changes. Elasticity is a sharper term: automatic, dynamic scaling in response to real-time demand (often rapidly). If the stem says “automatically adds instances when traffic spikes and removes them when traffic drops,” that’s elasticity. If it says “needs to handle growth over the next year,” that’s scalability.

Agility is speed of change: provisioning resources quickly, experimenting, and iterating without long procurement cycles. Many questions point to “rapidly deploy,” “quickly test,” “spin up environments,” or “faster time to market.” Exam Tip: When you see “in minutes” versus “weeks/months,” the test is steering you to agility and the cloud’s on-demand provisioning.

• Trap: Confusing scalability with elasticity. “Auto-scale” and “demand spikes” usually mean elasticity.
• Trap: Equating HA with disaster recovery. HA targets short, localized failures; DR targets major outages and restoring service after a disaster.
• How to eliminate distractors: Look for the keyword that matches the intent: uptime (HA), long-term growth (scalability), automatic response (elasticity), speed of provisioning (agility).

Practice mentally translating each benefit into a one-line promise: HA = “stay up,” scalability = “grow/shrink,” elasticity = “auto-adjust now,” agility = “move fast.” That translation is the fastest path to the right option under time pressure.

Reliability and security concepts appear in AZ-900 as “what happens when something fails?” and “who is responsible for securing what?” Expect conceptual questions rather than configuration details.

Fault tolerance means the system continues operating even when components fail. The exam often signals this with language like “no single point of failure” or “continue functioning if one component goes down.” In cloud terms, fault tolerance is achieved through redundancy (multiple instances, multiple zones/regions depending on scope) and resilient design patterns.

Disaster recovery (DR) is the ability to restore operations after a major disruptive event (region outage, data center loss, ransomware, etc.). AZ-900 may reference RPO/RTO conceptually (how much data you can lose and how fast you must recover) without requiring calculations. Exam Tip: If the stem mentions “region becomes unavailable” or “catastrophic event,” you’re usually in DR territory rather than HA.

Shared responsibility is a core “cloud terminology and shared responsibility mastery” objective. The exam tests the boundary: the cloud provider is always responsible for security of the cloud (physical facilities, underlying fabric), while the customer is responsible for security in the cloud (data, identities, access, and configurations), with responsibilities shifting by service model. In SaaS, the customer manages less (mostly data, users, and access); in IaaS, the customer manages more (OS, patches, network controls, apps).

• Common trap: Assuming the provider handles “all security” in cloud. The provider never becomes responsible for your data classification, user access, or misconfigurations you introduce.
• Common trap: Treating backups as a full DR strategy. Backups are part of DR, but DR also includes restore processes, failover planning, and testing.

To answer shared responsibility questions quickly, identify the service model first (IaaS/PaaS/SaaS), then decide whether the item in question is infrastructure/physical (provider) or identity/data/configuration (often customer). When uncertain, remember: the more managed the service, the more responsibility shifts to the provider, but your responsibility for data and access remains.

Service model questions are classic AZ-900 scenario items. The exam wants you to infer which layer the customer manages. Think in layers: facilities → hardware → virtualization → OS → runtime → apps → data.

IaaS (Infrastructure as a Service) provides virtualized compute, storage, and networking. You manage the OS, patches, middleware, and your application. Stems that mention “lift-and-shift,” “migrate servers,” “install custom software,” “full control of OS,” or “manage VM patches” point to IaaS. Exam Tip: If the stem includes “virtual machine,” default to IaaS unless the question explicitly says you don’t manage the OS.

PaaS (Platform as a Service) provides a managed platform (you deploy code; the provider manages OS and runtime). Stems often say “developers,” “deploy an app,” “managed database,” “no OS management,” “focus on code,” or “automatic scaling built in.” PaaS is commonly the correct answer when the requirement is to reduce operational overhead but still build/customize applications.

SaaS (Software as a Service) is a complete application delivered over the internet. You manage users, access, and data within the app, but not the platform. Stems mention “email,” “CRM,” “collaboration,” “subscription to software,” “no infrastructure management,” or “use the application directly.”

• Common trap: Confusing PaaS with SaaS. If you are deploying your own code, it’s not SaaS.
• Common trap: Thinking PaaS means “no responsibility.” You still manage identities, data, and application logic.
• Decision shortcut: “Need OS control” → IaaS. “Need to build/deploy code without OS” → PaaS. “Need to consume an app” → SaaS.

The lesson “Service models: IaaS, PaaS, SaaS question drills” is about pattern recognition. Train yourself to underline (mentally) the control requirement in each stem: OS control, code deployment, or app consumption. That single clue usually eliminates two options immediately.

Deployment model questions test where resources run and who owns/operates the underlying environment. The stem typically includes constraints such as regulatory requirements, data residency, legacy dependencies, or the need to span environments.

Public cloud means services are delivered over the internet and hosted by a cloud provider in shared facilities. It’s usually the answer when the scenario emphasizes rapid provisioning, no data center ownership, global reach, and consumption-based costs.

Private cloud means cloud-like capabilities dedicated to a single organization, often hosted on-premises or in a dedicated environment. The exam points to private cloud when the scenario stresses strict control, dedicated hardware, or specialized compliance constraints—especially when internet exposure is minimized. Exam Tip: “Private” does not automatically mean “on-prem,” but many AZ-900 items use them together; read carefully for “dedicated to one organization” versus “physically on-site.”

Hybrid cloud combines public cloud and private/on-prem environments with some level of integration (identity, management, networking). If the stem says “keep some workloads on-prem,” “gradual migration,” “burst to cloud,” or “data must remain on-prem while using cloud services,” hybrid is the best fit.

Multicloud means using multiple cloud providers (not just multiple regions). This shows up when the stem says “use Azure and another provider,” “avoid vendor lock-in,” or “meet requirements across providers.” Don’t confuse multicloud with hybrid: hybrid is about mixing cloud and on-prem; multicloud is cloud-to-cloud across vendors.

• Common trap: Calling any “multiple locations” scenario multicloud. Multiple Azure regions is not multicloud; it’s still single-cloud (Azure).
• Common trap: Selecting private cloud when the stem actually wants “hybrid” due to a split workload requirement.

The lesson “Deployment models: public, private, hybrid and use-case practice” should be approached as a constraint-matching exercise: list the non-negotiables (data location, legacy integration, provider count) and match the model that satisfies them with the fewest assumptions.

AZ-900 pricing questions are not about exact dollar amounts; they’re about financial models and what drives costs. The exam frequently contrasts CapEx and OpEx and asks which aligns with cloud.

CapEx (Capital Expenditure) is upfront spending—buying servers, data center equipment, and long-lived assets. CapEx is typical for on-premises environments where you pay before you use. OpEx (Operational Expenditure) is pay-as-you-go—ongoing costs based on consumption. Public cloud is primarily OpEx: you pay for what you use, when you use it.

Consumption-based pricing means costs scale with usage (compute time, storage consumed, data egress, transactions). The exam looks for your ability to identify the cost driver mentioned in the stem: more traffic might increase bandwidth and compute; more retained data increases storage; higher availability requirements can increase cost due to redundancy. Exam Tip: When a question asks “which action reduces cost,” look for shutting down unused resources, right-sizing, or choosing lower-cost tiers—rather than “buy more hardware” style answers.

Common cost drivers you should recognize conceptually include:

• Resource type and size: larger compute instances cost more than smaller ones.
• Time/uptime: resources running 24/7 cost more than those stopped when not needed.
• Storage amount and performance tier: more GB and higher tiers cost more.
• Network usage: outbound data transfer (egress) can be a driver in many scenarios.

Common trap: Assuming “scaling” always increases cost. Elasticity can reduce cost by scaling down during low demand. The correct exam answer depends on whether the scenario describes variable demand and whether resources can be turned down/off.

To nail these items, translate business language into billing language: “seasonal workload” implies elasticity and potential savings; “steady workload” may be cheaper with reserved capacity (conceptually) but AZ-900 usually keeps it high-level—focus on pay-as-you-go versus upfront purchasing.

This chapter’s practice set is designed to validate the four skills AZ-900 expects in the Cloud Concepts domain: (1) identify benefits (HA, scalability, elasticity, agility), (2) reason about reliability/security basics (fault tolerance, DR, shared responsibility), (3) choose the correct service model (IaaS/PaaS/SaaS), and (4) choose the correct deployment model (public/private/hybrid/multicloud), plus (5) interpret consumption-based pricing language (OpEx vs CapEx and cost drivers).

You will complete a timed, exam-style domain quiz (40+ items) where each rationale explains why the correct option matches the stem keywords and why the distractors fail the control-boundary test. The goal is not only to get the answer, but to be able to say, “This is PaaS because I don’t manage the OS,” or “This is hybrid because data stays on-prem while cloud services are used.”

Exam Tip: Use a two-pass strategy during timed practice. Pass 1: answer the “easy keyword” questions quickly (clear signals like “virtual machine,” “pay-as-you-go,” “keep data on-prem”). Pass 2: return to the ambiguous ones and apply elimination by responsibility and constraints. This mirrors how you should manage time on the real exam.

Common traps the practice set targets: mixing up scalability vs elasticity; calling backups “high availability”; confusing multicloud with multi-region; assuming SaaS means “no customer responsibility”; and missing the cost driver hidden in the scenario (e.g., data egress vs storage growth).

After grading, categorize every missed item into one of three buckets: terminology gap (didn’t know the definition), boundary gap (didn’t know who manages what), or reading gap (missed a stem constraint like “automatic” or “on-prem required”). Your remediation plan should match the bucket: re-learn the term, redraw the responsibility model, or slow down and underline constraints before choosing.

Section 3.1: Azure global infrastructure: regions, geographies, and region pairs

AZ-900 expects you to describe Azure’s global footprint using the right nouns: regions, geographies, and region pairs. A region is a set of datacenters connected by a low-latency network within a defined area (for example, “East US”). A geography is a broader area that can contain multiple regions and is often aligned to data residency/compliance boundaries (for example, “United States” geography).

Region pairs are a key exam concept: most regions have a paired region in the same geography designed for disaster recovery and platform-level prioritization during major outages. Pairing helps with planned maintenance ordering and provides a strategy for cross-region resiliency. In scenario practice, if the prompt says you need to maintain operations during a regional outage, the correct direction is usually “deploy to the paired region” or “replicate to another region,” not “add an availability zone” (zones are still inside one region).

Common trap: “Paired region” does not mean the regions are in the same city or that your workload automatically fails over. Pairing is an infrastructure relationship; you still design and configure your application’s replication and failover behavior (or choose a managed service that provides it).

• Regions: where you deploy resources; affects latency and many compliance requirements.
• Geographies: broad boundaries that can matter for data residency/regulatory questions.
• Region pairs: cross-region resiliency pattern; used for DR and platform recovery prioritization.

Exam Tip: If the question mentions “data residency” or “legal requirements,” select the answer that keeps data within the correct geography (or compliant region). If it mentions “disaster recovery across a large outage,” prefer “paired region” or “secondary region,” not “zone.”

Section 3.2: Availability concepts: availability zones, SLAs, and resiliency choices

This section aligns to exam prompts about “high availability,” “uptime,” and “fault isolation.” Availability zones are physically separate locations (datacenters) within a single Azure region. Using zones can protect against a single datacenter failure while keeping low latency because you stay within the same region. Not every service supports zones in every region, and not every region has zones—AZ-900 questions often test the concept rather than the catalog details.

SLAs (service level agreements) are used on the exam as decision clues. If an option adds redundancy (multiple instances, zone redundancy), it often increases availability compared to a single-instance deployment. However, the exam also tests that you must architect for the SLA: a single VM is a single point of failure, regardless of where it’s deployed. Adding multiple instances across zones (or using a service with built-in zone redundancy) is the classic fix.

Resiliency choices frequently appear as “best” answers:

• Single region, single instance: simplest, lowest cost, lowest availability.
• Single region, multi-instance across zones: higher availability within the region.
• Multi-region (often paired regions): strongest disaster recovery for regional outages; higher cost/complexity.

Common trap: Confusing availability zone with availability set. AZ-900 may still mention availability sets as a legacy pattern: sets spread VMs across fault/update domains within a datacenter environment, while zones provide stronger physical separation across datacenters in a region.

Exam Tip: If the scenario says “an entire region may become unavailable,” zones are insufficient—pick multi-region/paired-region design. If it says “datacenter failure” or “within the same region,” zones are a strong match.

Section 3.3: Azure resource organization: management groups, subscriptions, resource groups, resources

AZ-900 tests whether you can place the right governance and billing concepts at the right layer in Azure’s hierarchy. The hierarchy is: management groups (optional) at the top, then subscriptions, then resource groups, then individual resources (VMs, storage accounts, VNets, etc.).

Subscriptions are the most common “boundary” on the exam. They are associated with billing (invoicing) and access control boundaries. If a question is about “separating billing” or “separating environments for cost tracking,” subscriptions are often the correct answer. Resource groups are logical containers used to organize and manage related resources as a unit. They’re also key for lifecycle management: delete a resource group, and you typically delete the resources in it (a favorite exam concept for “cleanup” scenarios).

Management groups are used when you need to apply governance (like policy and role assignments) across multiple subscriptions. On AZ-900, you don’t need to implement policy details, but you do need to recognize the scope: if the scenario says “apply the same governance to all subscriptions,” management groups become the natural fit.

Common trap: “Resource group equals region.” Resource groups are not regional; resources within a resource group can exist in different regions. The region is a property of the resource (or sometimes the service), not the resource group container.

Exam Tip: Use keyword mapping: “invoice/cost center” → subscription; “delete everything for a project” → resource group; “govern many subscriptions at once” → management group; “deploy an actual service” → resource.

Section 3.4: Core identity services: Microsoft Entra ID and identity concepts

Identity questions in AZ-900 typically stay at the conceptual layer: what Microsoft Entra ID is, what it does, and how it differs from access control inside Azure resources. Microsoft Entra ID (formerly Azure Active Directory) is Azure’s cloud identity and access management service. It stores and manages identities such as users, groups, and service principals, and it supports authentication for Microsoft 365, Azure, and many SaaS applications.

The exam loves the contrast between authentication and authorization. Authentication answers the question “Are you who you say you are?” (proving identity, often via passwords, MFA, tokens). Authorization answers “What are you allowed to do?” (permissions after you’re authenticated). Many wrong answers flip these terms or use them interchangeably—don’t.

Also know that Entra ID is not the same thing as Windows Server Active Directory, although they can integrate (hybrid identity). If a prompt mentions “on-premises AD” and “sync to the cloud,” the concept is hybrid identity where identities can exist on-prem and be used in cloud services.

Common trap: Thinking Entra ID “automatically grants access” to Azure resources. Entra ID provides identity; permissions to Azure resources are granted via authorization mechanisms (typically Azure RBAC), which is covered next.

Exam Tip: If the question stem is about “sign-in,” “MFA,” “SSO,” or “user accounts,” it’s pointing to Entra ID and authentication. If it’s about “permissions to start/stop a VM,” it’s pointing to authorization and RBAC.

Section 3.5: Access basics: RBAC overview and least-privilege reasoning

AZ-900 expects you to recognize Azure role-based access control (RBAC) as the standard authorization system for Azure resources. RBAC assigns a role (a set of permissions) to a security principal (user, group, service principal, managed identity) at a specific scope (management group, subscription, resource group, or resource). Questions often ask which scope to choose or how to satisfy least privilege.

Least privilege means granting only the permissions needed to do the job—no more. On the exam, answers that say “Owner” or “Contributor” can be tempting, but they are frequently too broad. If the scenario is “view only,” pick a reader-type permission. If it’s “manage resources but not grant access,” a contributor-type role fits better than owner.

Scope is a common distractor. If a user needs to manage a single application’s resources, assign permissions at the resource group (or resource) level—not at the subscription. Conversely, if they need consistent access across many resource groups, subscription scope can be appropriate.

Common trap: Confusing authentication tools (MFA, password policies) with authorization (RBAC). MFA strengthens authentication but doesn’t define what actions are allowed once signed in.

Exam Tip: When you see “only this resource group,” choose RBAC at the resource group scope. When you see “all resources in the subscription,” choose subscription scope. If the prompt asks to “minimize permissions,” pick the narrowest scope and least powerful role that still meets requirements.

Section 3.6: Practice set B (Architecture): 35+ questions with detailed answers

This chapter’s practice set is designed to mirror the AZ-900 “architecture fundamentals” slice: regions vs zones vs region pairs, hierarchy scope decisions, and identity wording. You will see short scenarios where one or two keywords determine the answer. Your goal is to train recognition speed: identify the tested concept, eliminate two distractors quickly, then validate the remaining choice against scope (region/zone/management group/subscription/resource group) or identity action (authenticate vs authorize).

Time strategy matters. In a timed domain quiz, avoid overthinking service implementation details. AZ-900 typically rewards the most conceptually correct choice, not edge-case engineering. If you catch yourself debating “exact replication mechanism,” you’re probably beyond what the question demands; return to the core objective mapping: global infrastructure, resource organization, and identity and access basics.

• Expect questions that compare availability zones vs region pairs using outage scope keywords (“datacenter” vs “region”).
• Expect hierarchy questions that hinge on whether the need is billing separation (subscription) or lifecycle grouping (resource group).
• Expect identity questions that test vocabulary precision: authentication vs authorization, and where RBAC fits.

Exam Tip: After you answer, read the explanation and extract the “trigger phrase” that should have led you there (e.g., “separate billing” → subscription; “apply governance to many subscriptions” → management group; “regional outage” → multi-region/paired region). Building a personal trigger-phrase list is one of the fastest ways to raise AZ-900 scores.

Finally, treat wrong answers as signals. If you consistently miss “zone vs region pair,” rewrite the definitions in your own words and practice with a two-step rule: (1) What failure am I protecting against? (datacenter vs region) (2) What scope does the solution operate at? (within region vs across regions). That simple loop aligns tightly with what AZ-900 tests.

Compute questions in AZ-900 usually ask you to classify services into IaaS vs PaaS vs serverless and pick a best-fit option. Start with the “control vs convenience” ladder: Virtual Machines (VMs) give you the most control (OS-level access), App Service gives you managed hosting for web apps and APIs, Functions provides event-driven serverless execution, and AKS (Azure Kubernetes Service) is managed orchestration for containerized workloads.

VMs are the classic answer for “migrate an on-prem server as-is,” “need full OS access,” “install custom software,” or “run legacy apps.” A common trap is choosing App Service when the prompt implies a custom OS configuration or a non-web workload. If you see “lift and shift,” “existing VM,” “RDP/SSH,” or “custom drivers,” your mental default should be VM.

VM Scale Sets (VMSS) appear when the scenario mentions “identical VMs,” “automatic scaling,” or “high availability across multiple instances.” VMSS is not the same as a load balancer, but it commonly works with one. The exam expects you to describe VMSS as a way to deploy and manage a set of identical VMs with autoscaling.

App Service is PaaS for hosting web apps, REST APIs, and back ends without managing the underlying OS. Keywords: “managed platform,” “web app,” “deploy code,” “built-in scaling,” “slots.” A frequent distractor is a VM for a simple web app; App Service is typically the “more managed” and therefore more appropriate choice when OS control is not requested.

Azure Functions is “run code on demand.” In exam language, watch for “triggered by,” “event,” “scheduled,” “no server management,” and “only pay when it runs.” Functions is also a common distractor against Logic Apps; in AZ-900 you generally only need to recognize Functions as serverless compute for code, not workflow design.

AKS concepts are tested at a definition level: it’s a managed Kubernetes service for deploying, scaling, and managing containerized apps. Don’t overthink cluster administration details—AZ-900 will mainly probe: “containers” + “orchestration” + “managed control plane.”

Exam Tip: If the question mentions “containers across multiple hosts” or “microservices,” AKS becomes likely. If it only says “run a container,” the correct answer may simply be a container option (or App Service for Containers) rather than full orchestration.

This section supports the compute comparison drills: your job is to pick the simplest service that meets the requirement. For AZ-900, containers and serverless are often competing distractors, and the question wording decides the winner.

Containers package an application and its dependencies so it runs consistently across environments. Exam cues: “portable,” “consistent runtime,” “Docker,” “container image.” If the scenario needs you to package and run an app the same way in dev/test/prod, containers are a natural fit. Kubernetes (AKS) becomes relevant when you need orchestration: scaling many containers, service discovery, rolling updates, and resilience.

Serverless is about “no server management” and “pay per execution.” The exam uses phrases like “event-driven,” “runs only when triggered,” “short-lived tasks,” and “automatically scales.” Azure Functions is the primary compute example: you supply code, the platform manages the infrastructure. The trap is assuming serverless means “always cheapest”—it’s optimized for bursty, intermittent workloads, not necessarily long-running compute that is always on.

When to choose containers over serverless: choose containers when you need more control over runtime dependencies, need long-running services, or want to standardize deployment across environments. Choose serverless when your unit of work is a function-like task triggered by an event, and operational overhead should be minimized.

Another trap: confusing “PaaS” with “serverless.” App Service is PaaS, but it typically runs continuously (even though it abstracts infrastructure). Functions is serverless, designed around triggers and execution. If the scenario says “API website that must be always available,” App Service can be a better match than Functions, unless the prompt explicitly describes event-driven invocation.

Exam Tip: Identify the workload shape: (1) always-on app → VM/App Service/AKS; (2) bursty event handler → Functions; (3) many services packaged as images → AKS. AZ-900 questions usually include one phrase that reveals the workload shape.

Networking questions in AZ-900 focus on the foundational vocabulary: Virtual Networks (VNets), subnets, peering, and how private connectivity to Azure services is achieved. The exam is not measuring deep routing knowledge; it’s checking that you understand isolation boundaries and private addressing concepts.

A VNet is your private network in Azure. It enables resources (VMs, some PaaS via private endpoints) to communicate securely. VNets are divided into subnets—think of subnets as logical segments that help separate workloads (for example, web tier vs data tier). A common trap is treating a subnet like a region or subscription boundary; it is not. It’s a segment within a VNet.

VNet peering connects two VNets so they can communicate using private IP addresses. Exam cues include “connect VNets,” “same region or different regions,” and “low latency.” The key idea: peering is for Azure-to-Azure private connectivity across VNets, not for connecting an on-premises network to Azure (that’s where VPN Gateway/ExpressRoute appear in the next section).

Private endpoints are a high-frequency AZ-900 concept because they bridge networking and PaaS. A private endpoint provides private connectivity from your VNet to a supported Azure PaaS service (like Storage). You’ll see wording like “access the service privately,” “no public internet exposure,” or “private IP in the VNet.” The typical trap is choosing a service endpoint (not always tested in depth) or assuming “public endpoint with firewall rules” equals private access. The exam increasingly prefers “private endpoint” as the clean answer for private PaaS access.

Exam Tip: If the scenario says “keep traffic off the public internet” and the target is a PaaS service (Storage, etc.), look for “Private Endpoint” rather than “VPN” or “ExpressRoute,” unless the question explicitly mentions on-premises connectivity.

This section drives the networking services drills: differentiate connectivity (getting networks connected) from delivery (distributing traffic and content). AZ-900 questions often mix these to create distractors.

VPN Gateway provides encrypted connectivity between on-premises networks and Azure over the public internet. Typical wording: “site-to-site VPN,” “encrypted tunnel,” “over the internet,” or “connect branch office.” If the scenario is about a developer connecting from a single machine to Azure, that might imply point-to-site VPN—but AZ-900 generally stays high level.

ExpressRoute is a private, dedicated connection between your on-premises network and Microsoft’s network. Exam cues: “private connection,” “higher reliability,” “consistent latency,” “does not traverse the public internet.” The most common trap is choosing ExpressRoute when the question emphasizes “quick” or “low cost” rather than “private/dedicated.” VPN is typically simpler and cheaper; ExpressRoute is for stronger connectivity requirements.

Load balancing: in AZ-900 you should recognize that a load balancer distributes incoming traffic across multiple resources. If the question implies Layer 4 (TCP/UDP) distribution for VMs, “Azure Load Balancer” is often the right match. If it implies web traffic and advanced routing rules, “Application Gateway” may be a distractor (AZ-900 sometimes references it at a high level). Keep the simple rule: load balancers improve availability by spreading traffic across instances.

CDN (Content Delivery Network) caches content closer to users for faster delivery. Exam cues: “static content,” “images,” “video,” “global users,” “reduce latency.” A common trap is selecting a load balancer to “speed up” global delivery—load balancers distribute requests, but CDN accelerates content by edge caching.

Exam Tip: Watch for the phrase “does not use the public internet.” That is a strong discriminator that favors ExpressRoute (connectivity) or private endpoints (PaaS access), not VPN Gateway or public endpoints.

Azure Storage is a heavily tested AZ-900 area because it combines vocabulary (service names) with simple decision logic (what data type, what access pattern, what durability requirement). Most questions start with: “Which storage option should you use?” Your first step is to identify the storage data type.

A storage account is the top-level container that provides access to services like Blob, Files, Queues, and Tables. Azure Blob Storage is for unstructured object data: documents, images, backups, logs. Azure Files provides managed file shares, including SMB access—this is the usual answer when the scenario says “mount a network drive” or “SMB.” A common trap is choosing Blob when the question requires file-share semantics or lift-and-shift of file servers; Azure Files is designed for shared file access.

Queues store messages for asynchronous processing—look for “decouple,” “background processing,” or “message queue.” Tables (Table storage) is a NoSQL key-value store; on AZ-900, it’s enough to describe it as structured, non-relational storage for large amounts of data with simple access patterns.

Disks are commonly seen with VMs: “Azure managed disks” attach to VMs to provide persistent block storage. Don’t confuse disks with Azure Files; disks are not shared SMB file shares in the same way.

Redundancy options are classic exam targets: LRS (locally redundant) replicates within a single datacenter in a region; ZRS (zone-redundant) replicates across availability zones in a region; GRS (geo-redundant) replicates to a secondary region (paired region concept). The exam loves “highest durability” or “regional disaster recovery” phrasing—those cues point to GRS (or RA-GRS in some contexts). The trap is assuming ZRS equals geo-redundant; zones are within a region, not across regions.

Access tiers (Hot, Cool, Archive) are about cost vs access frequency. Hot is optimized for frequent access; Cool is for infrequently accessed data with lower storage cost and higher access cost; Archive is for rarely accessed data with retrieval delay. If the prompt says “retain for years” and “rarely accessed,” Archive becomes likely.

Exam Tip: Separate “where copies live” (LRS/ZRS/GRS) from “how often accessed” (Hot/Cool/Archive). Distractors often mix these dimensions to confuse you.

This chapter’s domain quiz set is designed to be taken as a timed, exam-style drill covering compute, networking, and storage together—because the real AZ-900 exam blends these topics. You will see scenario stems that intentionally include extra details; your task is to locate the single requirement that dictates the service choice (for example: “must be event-driven,” “must be private,” “must use SMB,” “must not traverse the public internet,” “must scale automatically”).

How to use the rationales effectively: after each question, don’t just note the correct service—write down the “deciding phrase” from the scenario and the “eliminating phrase” for each distractor. For instance, if the correct answer is Azure Files, your notes might say: deciding phrase = “SMB file share”; eliminate Blob = “object storage, not mountable SMB share”; eliminate Disk = “VM-attached block storage.” This turns each rationale into a reusable pattern for future questions.

Expect common trap styles in this set: (1) swapping similar terms (VPN vs ExpressRoute, Load Balancer vs CDN), (2) over-upgrading (choosing AKS for a single container task), and (3) misreading scope (ZRS vs GRS, subnet vs VNet). The timed format matters because AZ-900 rewards quick elimination: if two options are both plausible, re-check the stem for a constraint about management level (IaaS vs PaaS), connectivity path (public internet vs private), or access method (HTTP object access vs SMB file access).

Exam Tip: If you are unsure, choose the most “AZ-900 canonical” service for the requirement: event-driven code → Functions; private dedicated circuit → ExpressRoute; distribute traffic across instances → Load Balancer; cache static content globally → CDN; unstructured objects → Blob; SMB share → Files; queue messages → Queue storage; scale identical VMs → VMSS.

Readiness target for this set: aim for accuracy first, then speed. Once you can consistently identify the deciding phrase in under 20–30 seconds per question, you are operating at the pace needed for the real exam.

Section 5.1: Management interfaces: Azure Portal, Cloud Shell, CLI, PowerShell

The exam expects you to recognize Azure’s primary management interfaces and when each is appropriate. The Azure Portal is the web-based GUI for creating and managing resources. It is commonly referenced in AZ-900 scenarios because it’s approachable and includes built-in dashboards, access control screens, and guided wizards. However, don’t assume “Portal” is always the best answer—questions often ask for automation or repeatability, which points elsewhere.

Azure Cloud Shell is a browser-based shell environment that provides access to command-line tools without installing anything locally. It can run either Bash (commonly used with the Azure CLI) or PowerShell. Cloud Shell typically includes authenticated context and access to common tools; for exam purposes, treat it as “CLI/PowerShell in the browser.”

The Azure CLI is a cross-platform command-line tool (macOS, Linux, Windows) designed for scripting and automation. Azure PowerShell is the PowerShell module set for Azure management, often preferred in Windows/PowerShell-centric environments. Both can do most of the same work, so the question wording is your clue: if it mentions “Bash,” “cross-platform,” or “command-line for Linux,” CLI is a strong pick; if it mentions “PowerShell scripts,” “cmdlets,” or Windows admin workflows, choose Azure PowerShell.

• Portal: interactive management, quick validation, dashboards.
• Cloud Shell: no local install; run CLI/PowerShell in-browser.
• Azure CLI: automation via commands; good for cross-platform and Bash scripting.
• Azure PowerShell: automation via PowerShell cmdlets; strong for PowerShell-based ops.

Exam Tip: If the stem emphasizes “repeat the same steps across many resources,” you’re likely in CLI/PowerShell/IaC territory, not Portal. A common trap is choosing Portal because it “can do everything,” even when the question emphasizes scripting or automation.

Section 5.2: Infrastructure as code basics: ARM templates and Bicep concepts

AZ-900 doesn’t require you to author templates, but it does test whether you understand the concept of Infrastructure as Code (IaC) and Azure-native options. ARM templates (Azure Resource Manager templates) are JSON-based declarative files that define resources, their configuration, and dependencies. “Declarative” is a key test word: you specify the desired end state, and Azure figures out the deployment steps.

Bicep is a domain-specific language (DSL) that simplifies authoring compared to raw JSON, while still targeting ARM under the hood. On the exam, think of Bicep as “cleaner syntax for ARM deployments,” not a separate provisioning engine. Both support repeatable deployments, standardization, and version control—core IaC benefits that align to governance and operational consistency.

Questions in this area often ask what helps you deploy the same environment reliably across subscriptions or resource groups. ARM/Bicep is the typical answer when the requirement is “define resources in a file and deploy consistently.” Another frequent phrasing is “use a template to deploy multiple resources in a single operation,” which points to ARM/Bicep rather than manual Portal actions.

• ARM template: JSON, declarative, repeatable deployments.
• Bicep: simpler authoring experience that compiles to ARM JSON.
• Resource Manager: the control plane that validates and orchestrates deployments.

Exam Tip: Don’t confuse IaC (ARM/Bicep) with configuration management tools or runtime monitoring. If the question is about “how you deploy” resources, IaC is in scope; if it’s about “how you observe” resources, you’re in Azure Monitor territory.

Section 5.3: Monitoring: Azure Monitor, Log Analytics basics, alerts, dashboards

Monitoring questions on AZ-900 test that you can distinguish resource monitoring from platform health. Azure Monitor is the umbrella service for collecting and analyzing telemetry (metrics and logs) from Azure resources and some on-prem/hybrid sources. Metrics are typically numeric time-series (CPU %, disk IOPS), while logs are event records and richer text-based data.

Log Analytics (via a Log Analytics workspace) is used to store and query logs, commonly using KQL (Kusto Query Language). For AZ-900, you do not need to write KQL, but you should know that Log Analytics is where many logs land for analysis and correlation.

Alerts and dashboards are common exam targets. Alerts are rule-based notifications triggered by metrics or log queries (for example, CPU above a threshold for 10 minutes). Dashboards provide a visual way to pin charts and status tiles to track the environment. The exam often frames dashboards as “central view” and alerts as “notify when condition is met.”

• Azure Monitor: collects/analyzes metrics and logs across resources.
• Log Analytics: central log store + queries/analysis.
• Alerts: notify based on conditions from metrics/logs.
• Dashboards: visual monitoring at a glance.

Exam Tip: If the question says “CPU usage on a VM” or “application telemetry,” choose Azure Monitor (and possibly Log Analytics). If it says “Azure had an outage in a region,” that’s not Azure Monitor—that’s Service Health (covered next). A classic trap is picking Azure Monitor for platform incident notifications.

Section 5.4: Service status and support: Service Health, support plans, knowledge centers

In AZ-900, Microsoft expects you to separate “your workload’s signals” from “Azure platform events.” Azure Service Health provides visibility into Azure service issues, planned maintenance, health advisories, and (in many cases) how those events may affect your specific subscriptions and resources. When the question mentions “region outage,” “planned maintenance,” or “service incident,” Service Health is the correct mental bucket.

Support plan awareness is also tested. You don’t need pricing memorization, but you must know that Azure offers multiple support plans (from basic to more advanced tiers) and that some features like faster response times and architectural guidance differ by plan. Many questions test the general idea: Basic support is included; higher tiers add technical support and quicker SLAs for response.

“Knowledge centers” and self-service help are often represented by Microsoft documentation, troubleshooting guides, and service-specific guidance in the portal. Exam items may describe a user wanting to “find documentation” or “troubleshoot using official guidance,” which points to Microsoft Learn/Docs rather than paid support escalation.

• Service Health: service incidents, maintenance, advisories impacting Azure services.
• Support plans: differ by response time and included services (technical support, guidance).
• Self-service resources: documentation and learning paths for how-to and troubleshooting.

Exam Tip: Watch for wording: “my VM CPU is high” is monitoring; “Azure Storage is experiencing an incident in my region” is Service Health. Don’t confuse “service status page” concepts with per-resource metrics.

Section 5.5: Governance and compliance: Azure Policy, resource locks, tags, cost management

Governance is heavily tested because it’s foundational and vocabulary-driven. Start by separating who can do what from what is allowed to exist. RBAC (role-based access control) answers “who can perform actions” at scopes like management group, subscription, resource group, or resource. If a question mentions permissions such as “can read but not delete,” RBAC is usually central.

Azure Policy enforces rules on resources (for example, “only allow certain VM sizes,” “require tags,” or “deny public IP creation”). The key word is “enforce” or “ensure compliance.” Policy can deny non-compliant deployments or audit/report them depending on the effect. This differs from RBAC: even if a user has permission, Policy can still block creation if it violates rules.

Resource locks protect resources from accidental deletion or modification. The exam commonly uses “prevent deletion” language, which maps to locks like “CanNotDelete” and “ReadOnly.” Locks are not about “permissions” (RBAC) or “standards” (Policy)—they are a safety mechanism against accidental changes.

Tags are metadata labels (like Department, CostCenter, Environment) used for organization, reporting, and cost allocation. Tags are a frequent distractor: they help categorize and report, but they do not enforce configuration by themselves. Policy can require tags, and Cost Management can report by tags.

Cost Management focuses on budgeting, analysis, and cost control. The exam often frames it as “track spending,” “set budgets,” “forecast costs,” or “identify cost anomalies.” Don’t confuse cost governance with security governance—budgeting tools don’t assign permissions or block resource types unless combined with policy/permissions.

Exam Tip: A fast elimination approach: if the requirement is “enforce standards” → Policy; “organize/chargeback” → Tags + Cost Management; “prevent accidental changes” → Locks; “restrict actions by users/groups” → RBAC. A common trap is choosing Policy for “prevent deletion” (locks are the direct control).

Section 5.6: Practice set D (Governance): 40+ questions with detailed explanations

This chapter’s practice set is designed to mirror AZ-900’s governance-heavy multiple-choice style. The questions will intentionally reuse the same few services (Policy, RBAC, Locks, Tags, Cost Management, Service Health, Azure Monitor) to train rapid classification. Your goal is not to memorize definitions in isolation, but to recognize the “signal words” that indicate the tested objective.

Use a timed approach. AZ-900 rewards pace and accuracy: read the last line first (“What should you use?”), then scan the stem for the controlling verb: enforce, prevent, monitor, notify, budget, assign permissions. Then match to the tool category from earlier sections. If two options look plausible, decide which one is directly designed for the requirement (for example, locks directly prevent deletion; Policy directly enforces allowed configurations; Service Health directly reports Azure incidents).

• When you miss a question, write down the keyword that fooled you (e.g., “compliance,” “deletion,” “outage,” “budget”).
• Practice eliminating distractors that are “adjacent” services (Monitor vs Service Health; Policy vs RBAC; Tags vs Policy).
• Re-answer missed items 24 hours later without looking at explanations to confirm retention.

Exam Tip: Many governance questions are “single best answer.” Multiple services might help in real life, but the exam wants the most precise match. If the stem is narrow (e.g., “ensure resources have a Department tag”), Policy is usually the enforcement mechanism; tags alone can’t force compliance.

After completing the 40+ question set, you should be able to answer typical AZ-900 governance items in under 45 seconds by categorizing the scenario, spotting the governing verb, and selecting the service that provides that control at Azure scope.

Section 6.1: Mock exam instructions: timing, pacing, and how to review

Your first goal is to simulate the real exam environment: uninterrupted time, no notes, no searching, and a single pass through the questions before you review. AZ-900 is designed for breadth, so you must keep moving even when a question feels unfamiliar. Over-investing time in any one item is one of the most common ways candidates underperform despite strong knowledge.

Use a simple pacing plan: divide your total exam time into thirds. In the first third, answer confidently and flag only the truly uncertain items. In the second third, revisit flagged items and apply elimination. In the final third, re-check only the questions where you narrowed to two choices. Avoid “re-reading everything”—it creates doubt and can reduce your score.

Exam Tip: If you can eliminate two options quickly, you’re already in a high-probability position. Don’t chase perfection; chase consistent, defensible choices.

When reviewing, do not start by reading explanations. Start by categorizing each miss into one of three buckets: (1) knowledge gap (you didn’t know the concept), (2) misread (you missed a keyword like capex/opex, public/private/hybrid, region vs availability zone), or (3) confusion between similar services (e.g., RBAC vs Azure Policy, NSG vs Azure Firewall). This classification tells you what to fix.

• Knowledge gap: go back to the objective and restudy the definition plus one scenario.
• Misread: practice slowing down on keywords and constraints.
• Service confusion: build a “contrast card” (what it is, what it isn’t, where it applies).

Finally, re-test only after you’ve written a one-sentence rule for each error (for example: “Azure Policy enforces rules; RBAC assigns permissions to identities”). If you can’t state a rule, you didn’t truly correct the weakness.

Section 6.2: Full mock exam (Set 1): mixed-domain, exam-style questions

Mock Exam Set 1 is your baseline across all AZ-900 domains. It should feel “fair” rather than tricky. The purpose is to confirm you can recognize the most common exam patterns: a short scenario plus a direct ask (best service, best concept, best governance control). As you take this set, focus on consistency: a steady pace, clean elimination, and disciplined flagging.

What the exam tests here is not memorization of every product name; it tests whether you can place an item into the right category. For example, identity questions often reduce to: “Is this authentication/authorization (Microsoft Entra ID), permissions (RBAC), or enforcement of standards (Azure Policy)?” Networking questions often reduce to scope: “Is the control at subnet/NIC level (NSG), app-level (WAF), or perimeter/central policy (Azure Firewall)?”

Exam Tip: Train yourself to spot the domain first. If the question mentions “who can do what,” you’re in identity/governance. If it mentions “latency, proximity, disaster recovery,” you’re in regions/availability zones. If it mentions “cost, budget, forecast,” you’re in management and governance.

Common traps in Set 1 include mixing up similar terms:

• Availability Zone vs Region Pair: zones are within a region; pairs are for disaster recovery strategy across regions.
• Subscription vs Resource Group: subscriptions are billing/limits boundaries; resource groups are lifecycle containers.
• CapEx vs OpEx: on-prem up-front investment vs pay-as-you-go operational spending.

As you complete the set, mark questions that felt “too easy.” Those are your anchors—on exam day, they calm you and keep pace. Also mark any item where you guessed between two close answers; those are prime targets for quick score gains during review because they usually hinge on a single keyword the exam expects you to notice.

Section 6.3: Full mock exam (Set 2): mixed-domain, harder distractors

Mock Exam Set 2 raises difficulty by using distractors that are “almost correct” and by wording questions closer to the official exam style. This is where you practice resisting the impulse to choose a familiar product name if the scenario doesn’t match the service’s purpose or scope. Your goal is to justify each answer with a rule, not a feeling.

Expect governance and compliance distractors. For example, the exam frequently separates “visibility” tools from “enforcement” tools. Azure Advisor provides recommendations; it does not enforce. Azure Policy enforces rules; it is not a permission model. Microsoft Defender for Cloud improves security posture and recommendations; it is not the same as a firewall or an NSG.

Exam Tip: When two options both seem plausible, ask: “Which one is the control plane decision vs the data plane implementation?” Many distractors are implementation tools offered as answers to governance questions (or vice versa).

Set 2 also stresses cloud service models and shared responsibility. A common trap is assuming that moving to PaaS removes all responsibility. In reality, the provider manages more, but you still manage identity, data classification, and configuration choices. Another trap is treating “high availability” and “disaster recovery” as the same: availability zones help availability; region pairs and geo-redundant options support disaster recovery.

• IaaS vs PaaS: IaaS gives you VM control; PaaS reduces OS/platform management but not data/identity responsibility.
• SLA thinking: redundancy choice (LRS/ZRS/GRS) and deployment pattern affect resilience expectations.
• Billing: consumption-based pricing aligns cost with usage; reservation options can reduce cost but require commitment.

After finishing Set 2, do not immediately reattempt missed items. First, write down the exact phrase that misled you (for example: “secure network traffic” could mean NSG, Firewall, or WAF—your job is to pick based on level and context). This habit directly improves exam-day accuracy.

Section 6.4: Answer review strategy: error log, concept mapping, and re-test plan

Your review process determines whether mock exams actually raise your score. Use an error log with four columns: (1) domain/objective, (2) what you chose vs correct, (3) why you chose it, (4) the corrected rule you will use next time. Keep each entry short but specific. “I forgot” is not a usable diagnosis; “I confused Azure Policy with RBAC because both mention access” is.

Next, concept map by clustering errors into repeating themes. Most AZ-900 misses fall into a few clusters: (a) scope boundaries (tenant/subscription/resource group/resource), (b) identity vs governance vs security tools, (c) region/zone/pair distinctions, (d) pricing and cost management terms, and (e) service model responsibility. If you see three or more misses in one cluster, that’s a weak spot you can fix quickly with targeted drills.

Exam Tip: Aim for “one rule per cluster.” Example: “RBAC answers ‘who can do what’; Policy answers ‘what is allowed to exist’.” One clean rule often resolves multiple question types.

Create a re-test plan with short cycles: re-study for 20–30 minutes, then re-test 10–15 questions focused on that single cluster. Do not re-test the entire mock set immediately; that inflates scores due to recall. Your goal is transferable understanding, not recognition.

• Day 1: Fix top two clusters; re-test targeted items.
• Day 2: Fix next two clusters; re-test targeted items.
• Day 3: Run a mixed mini-set to confirm improvements under context switching.

Finally, practice “answer justification” out loud: one sentence explaining why your choice fits and one sentence explaining why the closest distractor does not. This is the fastest way to immunize yourself against Set 2-style distractors and the real exam’s tight wording.

Section 6.5: Final domain recap: cloud concepts, Azure services, management and governance

This final recap is not a re-teach; it is a test-focused checklist of distinctions that AZ-900 commonly probes. For Cloud Concepts, be fluent in: public vs private vs hybrid, and the benefits of cloud (scalability, elasticity, agility, high availability, fault tolerance). Also be ready for pricing language: consumption-based pricing, OpEx vs CapEx, and what affects cost (region, service tier, data egress, uptime requirements).

For Azure Architecture and Services, anchor on geography and hierarchy: a region is a geographic area, availability zones are physically separate locations within a region, and region pairs support broader resilience planning. Then know the management boundaries: tenants (Entra ID), subscriptions (billing and limits), resource groups (lifecycle management), and resources (actual services).

Exam Tip: When a question asks about “organizing” or “managing as a unit,” think resource groups. When it asks about “billing” or “access to Azure services,” think subscriptions and tenants.

For core services, keep “role and layer” clear: compute (VMs, containers, serverless), storage (Blob, Disk, Files; redundancy options), and networking (VNets, VPN/ExpressRoute concepts, load balancing). Identity basics typically revolve around Microsoft Entra ID, MFA, and the difference between authentication and authorization.

For Azure Management and Governance, differentiate tooling intent: Azure Policy (enforce standards), RBAC (permissions), Blueprints (packaged governance patterns—conceptually), Cost Management (spend visibility and budgets), and compliance/security tooling (Defender for Cloud for posture management; Azure Monitor for telemetry). Many exam questions are solved by choosing the tool whose primary purpose matches the verb in the prompt: enforce, recommend, assign permissions, monitor, estimate cost.

• Enforce: Azure Policy
• Authorize: RBAC
• Recommend: Advisor
• Monitor: Azure Monitor
• Secure posture: Defender for Cloud

As a final check, revisit any weak cluster from your error log and confirm you can state the rule from memory. If you can, you’re ready to rely on that rule under pressure.

Section 6.6: Exam-day checklist: ID, environment, time management, and confidence plan

Your exam-day performance improves dramatically when logistics are handled early. Whether testing online or at a test center, prepare your ID, confirmation details, and timing plan the night before. For online proctoring, ensure your room is compliant: clear desk, stable internet, working camera/mic, and allowed materials only. Avoid last-minute software updates and run any system checks provided by the testing vendor.

Exam Tip: Build a “calm start” routine: arrive or log in early, read the first question slowly, and secure easy points before you engage with harder items. Early momentum stabilizes pacing.

Time management on AZ-900 is about preventing spirals. If you hit a confusing item, eliminate what you can, select the best remaining choice, and flag it if your platform allows. Do not let one tricky question steal time from multiple straightforward ones. Your goal is maximum total points, not perfection on every item.

• ID and access: government-issued ID ready; exam confirmation accessible.
• Environment: quiet space, no interruptions, phone away, desk cleared.
• Tech readiness: power connected, stable network, system test completed.
• Pacing plan: first pass answer/flag, second pass resolve flags, final pass verify only close calls.

Finally, set a confidence plan: remind yourself that many questions are solved by identifying the domain and matching the verb to the right tool. If anxiety spikes, return to process: read constraints, identify domain, eliminate mismatches, choose the best fit. That repeatable method is what turns your mock exam practice into a passing score on the real AZ-900.