AZ-900 Practice Test Bank: 200+ Questions with Detailed Answers

AZ-900 questions align to three big ideas: (1) cloud concepts, (2) Azure architecture and services, and (3) Azure management and governance. Even when Microsoft updates weighting over time, the exam consistently rewards understanding of the “why” (benefits and tradeoffs) and the “what” (which service category solves the need). Start by mapping your study to the official domain names rather than to random service lists.

Cloud concepts include benefits (high availability, scalability, elasticity, agility), financial models (CapEx vs OpEx), and service types (IaaS/PaaS/SaaS) plus deployment models (public, private, hybrid). Common stems ask you to pick the model that best matches control vs convenience. A frequent trap is confusing scalability (capacity can grow) with elasticity (automatic, demand-driven scaling), or assuming “hybrid” means “some workloads on two public clouds.”

Azure architecture and services focuses on core components and foundational services: regions/region pairs, availability zones, subscriptions, resource groups, plus compute, storage, and networking categories. The exam often tests whether you know the right level: for example, regions are geographic; availability zones are within a region; resource groups are logical containers for resources (not for users).

Management and governance covers cost management, Azure Policy, resource locks, tags, Blueprints concepts (where applicable), and compliance offerings. The test is less about configuring policies and more about identifying which governance feature enforces rules versus which feature reports, organizes, or restricts deletion.

Exam Tip: When a stem includes words like “must enforce,” “must prevent,” or “ensure compliance,” think governance controls (Policy/locks). When it says “track,” “report,” or “allocate costs,” think tagging and cost management.

You register for AZ-900 through Microsoft’s certification portal, which redirects scheduling to Pearson VUE. Expect a straightforward workflow: sign in with the correct Microsoft account, pick AZ-900, choose language, select an exam delivery option, then select a date/time and confirm personal details. Read the policies during checkout—rescheduling windows and identification requirements are where candidates lose time or fees.

Delivery options typically include online proctored and test center. Online proctoring offers convenience but demands a controlled environment: clean desk, stable internet, compatible OS, webcam/mic, and a room scan. The most common online failure points are corporate laptops with locked-down permissions, unstable Wi‑Fi, and interruptions (notifications, people entering the room). Test centers reduce technical risk but require travel, earlier arrival, and compliance with local rules.

Exam Tip: If you choose online delivery, run the Pearson system test on the same device and same network you will use on exam day. If you can’t control your environment for 90+ minutes, pick a test center to avoid a preventable cancellation.

For identification, follow Pearson’s requirements exactly (typically government-issued photo ID; names must match). A subtle trap is a mismatch between a shortened name in your profile and the legal name on your ID. Fix profile details well before your appointment to avoid check-in delays.

Microsoft exams use scaled scoring. You will see a score report by domain, but you typically won’t see which specific items you missed. Passing is based on the scaled score threshold (commonly 700), not “percent correct.” Do not try to reverse-engineer your needed raw score; instead, use domain-level performance to target study.

Question formats can include multiple choice, multiple response (select all that apply), true/false variants, matching, ordering, and short scenario-based items. The most important skill is reading the stem for the task word: identify, choose, best describes, most cost-effective, or meets the requirement. Many wrong answers are “true statements” that don’t satisfy the stem’s requirement.

Time management matters even on fundamentals. Build a rhythm: (1) answer what you know immediately, (2) mark and move on when you’re uncertain, (3) return with remaining time. Avoid spending two minutes debating between two close options early; that habit creates a time squeeze later and increases errors from rushing.

Exam Tip: When two answers both sound plausible, look for the one that best matches the level of abstraction in the question. If the stem is conceptual (benefits, models, responsibilities), the correct answer is usually conceptual—not a specific SKU or configuration detail.

On “select all that apply,” treat each option as a true/false statement relative to the stem. A common trap is over-selecting. If you cannot justify an option with a clear rule or definition, leave it unselected.

Practice tests are most effective when used as a measurement tool, not as a memorization engine. Start with a baseline attempt under realistic conditions (timed, no notes). The point is to reveal your current distribution of strengths and weaknesses across the AZ-900 domains.

Next, iterate using a disciplined review loop. For every missed item, capture three things: (1) the objective it maps to (e.g., cloud service types, Azure Policy), (2) the specific misconception (definition confusion, misread stem, distractor trap), and (3) the corrected rule in one sentence. Your goal is to convert wrong answers into portable rules you can apply to new stems.

Finally, measure improvement with periodic retests—preferably using mixed sets so you practice switching contexts like the real exam. Track not only percent correct, but also: average time per question, error types (knowledge vs reading), and whether you’re missing the same concept repeatedly.

Exam Tip: Re-reading explanations for questions you got right is not wasted time. If you guessed correctly, you have a fragile win. Confirm you can explain why the distractors are wrong—AZ-900 is full of answers that are “almost right” in a different context.

Avoid grinding the same question bank in the same order until you can recite letter choices. That approach inflates practice scores without improving exam-day transfer. Mix questions, shuffle sections, and rephrase concepts in your own notes.

Your study plan should be a checklist built from the official AZ-900 skills outline and organized by the same domain names the exam uses. This prevents a common beginner failure mode: spending too long on popular services (like VMs) while neglecting governance, compliance, and identity basics that appear frequently in fundamentals-level testing.

Create a table with columns: Objective, Key definitions, “Must-know” Azure examples, Common distractors, and Practice score trend. Under Cloud concepts, include IaaS/PaaS/SaaS, public/private/hybrid, shared responsibility, consumption model, and resilience concepts (HA, fault tolerance, disaster recovery). Under Azure architecture and services, include regions/zone concepts, subscriptions/resource groups, and the big buckets: compute, networking, storage. Under Management and governance, include cost tools, tagging, Policy, locks, and compliance resources.

Exam Tip: Write at least one “spot the keyword” trigger per objective. Example: if a stem says “prevent deletion,” your trigger should point to resource locks. If it says “enforce a naming rule,” your trigger should point to Azure Policy.

Use your checklist to plan weekly cycles: learn (short reading/video), practice (timed set), review (explanations), then patch (targeted notes). This keeps your progress tied to exam objectives rather than to the volume of content consumed.

Beginners often miss AZ-900 not because it is “hard,” but because they study in ways that don’t match how the exam asks questions. The first pitfall is memorizing service names without understanding categories. If you know that Azure offers “something for networking,” you still need to distinguish the purpose: connectivity (VPN/ExpressRoute), traffic distribution (load balancing), name resolution (DNS), and security boundaries (NSGs). Fundamentals questions frequently ask you to choose the category that matches the requirement.

A second pitfall is confusing governance tools. Tags organize and report; they don’t enforce. Azure Policy enforces and audits rules; it doesn’t “protect” resources from deletion. Resource locks prevent changes or deletion; they don’t validate configurations across subscriptions. Many distractors exploit these near-misses.

A third pitfall is over-reading scenarios and missing the stem’s real ask. Candidates see a paragraph about an app and start designing an architecture. AZ-900 usually wants the simplest concept that satisfies a single requirement (cost, availability, management overhead, or responsibility boundary).

Exam Tip: If you find yourself designing a complex solution, stop and re-check the stem. Fundamentals items typically have a “one-concept” answer: a model (IaaS/PaaS/SaaS), a scope container (subscription/resource group), a resiliency construct (zone/region), or a governance feature (Policy/lock/tag).

Finally, avoid the memorization trap of repeating the same practice set until you recognize questions. Rotate question sets, explain answers aloud, and require yourself to justify choices with definitions. This builds the transferable reasoning AZ-900 is actually measuring.

Section 2.1: Define cloud computing and the shared responsibility model

Cloud computing is the delivery of computing services (compute, storage, networking, databases, analytics, and more) over the internet with on-demand provisioning and pay-as-you-go pricing. On AZ-900, “cloud” is less about where servers sit and more about characteristics: rapid provisioning, measured service, broad network access, resource pooling, and elasticity. Resource pooling is where economies of scale show up: a provider aggregates demand across many customers to run infrastructure more efficiently than most single organizations can.

The shared responsibility model is a frequent exam target because it changes depending on the service type. The core rule: the cloud provider is always responsible for the security of the cloud (physical datacenters, hardware, and foundational services), while the customer is always responsible for what they put in the cloud (data, identities, access). Responsibility “shifts” toward the provider as you move from IaaS to PaaS to SaaS.

Typical responsibility areas the exam probes: physical security (provider), network controls (shared depending on model), OS patching (customer in IaaS, provider in PaaS/SaaS), application code (customer in IaaS/PaaS, provider in SaaS), and data classification/access (customer always).

• Common trap: Assuming Microsoft backs up your data automatically in all services. Backups and retention are often configuration choices; you remain accountable for data governance.
• Common trap: Confusing “high availability provided by Azure” with “my app is highly available.” You must design for availability (multiple instances/zones) even if the platform is resilient.

Exam Tip: If a question mentions “who is responsible for patching the guest OS,” it’s almost always testing shared responsibility and service model recognition. “Guest OS” implies IaaS virtual machines (customer patches).

Section 2.2: Cloud service types (IaaS, PaaS, SaaS) and decision cues

Service models show up in scenario stems more than direct definitions. Memorize the management boundary: IaaS gives you maximum control; SaaS gives you maximum convenience; PaaS sits in the middle to accelerate development by managing the platform layer.

IaaS (Infrastructure as a Service) provides virtualized compute, storage, and networking. You manage the OS, middleware, runtime, and your applications. Decision cues: “lift-and-shift,” “custom OS configuration,” “need full control,” “install third-party software,” “manage patches.”

PaaS (Platform as a Service) provides a managed platform (runtime, scaling features, and often built-in monitoring). You focus on your code and data. Decision cues: “developers want to deploy code,” “minimize OS management,” “automatic scaling,” “managed database/app hosting,” “CI/CD-friendly.”

SaaS (Software as a Service) delivers a complete application (like email, CRM). You manage users, data, and configuration—almost everything else is provider-managed. Decision cues: “use the software,” “no code,” “subscribe,” “configure settings,” “fastest time-to-value.”

• Distractor pattern: A stem about “hosting a website without managing servers” will bait IaaS. The best fit is typically PaaS.
• Distractor pattern: “Need maximum control over the OS” will bait PaaS due to “managed,” but the correct is IaaS.

Exam Tip: Translate requirements into a single word: control (IaaS), productivity (SaaS), developer speed (PaaS). If the stem highlights patching/OS, that’s a control signal → IaaS.

Section 2.3: Cloud deployment models (public, private, hybrid) and multicloud concepts

Deployment models describe where cloud resources run and who has access to them. On AZ-900, questions usually focus on “who can use it,” “who owns the hardware,” and “why choose this model.”

Public cloud (Azure is the key example) means resources are owned and operated by a cloud provider and delivered over the internet to many customers. You get strong economies of scale, broad service catalog, and fast provisioning. Most “start here” scenarios point to public cloud unless the stem introduces strict constraints like isolated hardware ownership or on-prem-only requirements.

Private cloud is dedicated to one organization (hosted on-premises or by a third party). It can meet specific regulatory or isolation needs, but typically sacrifices the elasticity and cost advantages of public cloud. Exam stems might mention “must run on company-owned hardware” or “no internet connectivity allowed.”

Hybrid cloud combines public cloud with on-prem/private environments, enabling workload portability and integrated operations. Decision cues: “keep some data on-prem,” “gradual migration,” “latency to on-prem systems,” “regulatory requirement for specific datasets,” “burst to cloud during peak.”

Multicloud means using multiple cloud providers (for example, Azure + another provider). It’s not the same as hybrid. Multicloud is about provider diversity; hybrid is about mixing cloud and on-prem/private resources.

• Common trap: Picking “multicloud” when the scenario describes on-prem plus Azure. That’s hybrid, not multicloud.
• Common trap: Assuming private cloud automatically equals “more secure.” Security depends on controls and configuration, not just location.

Exam Tip: When you see “some workloads remain on-premises” or “connect datacenter to Azure,” your first thought should be hybrid. When you see “avoid vendor lock-in by using two providers,” think multicloud.

Section 2.4: Cloud benefits (scalability, elasticity, high availability, disaster recovery)

Cloud benefits are a core AZ-900 objective and a frequent source of subtle terminology errors. The exam expects you to match business outcomes to the right term.

Scalability is the ability to increase resources to meet demand. It can be vertical (bigger VM size) or horizontal (more instances). Stems that mention “planned growth” or “add resources to handle more users” signal scalability.

Elasticity is the ability to automatically scale resources up and down in response to changing demand—often rapidly. The keyword is “dynamic” or “spiky traffic.” If demand drops and the platform reduces capacity, that is elasticity.

High availability (HA) means designing systems to remain operational through failures. In Azure terms, this is often achieved via redundancy across fault domains, availability zones, or regions. HA is about minimizing downtime, not just having backups.

Disaster recovery (DR) is the ability to recover after a major outage, such as a regional failure. DR is typically about restore operations, failover, and meeting RTO/RPO targets. If the stem mentions “recover after disaster,” “secondary region,” or “business continuity,” that’s DR.

• Common trap: Confusing HA and DR. HA keeps the service running during localized failures; DR restores service after a catastrophe.
• Common trap: Using “scalability” when the stem explicitly describes automatic scaling down as well as up—elasticity is the better match.

Exam Tip: Look for timing clues: “automatically during traffic spikes” → elasticity; “planned increase for next quarter” → scalability; “keep running during failures” → HA; “recover after outage/region down” → DR.

Section 2.5: CapEx vs OpEx and consumption-based pricing basics

AZ-900 frequently tests the financial framing of cloud. You do not need accounting depth, but you must correctly label cloud spend and understand why consumption-based pricing matters.

CapEx (Capital Expenditure) is upfront investment in physical infrastructure (servers, datacenter buildout). It’s “buy now, depreciate later.” Traditional on-prem procurement is CapEx-heavy: you size for peak and pay for idle capacity.

OpEx (Operational Expenditure) is ongoing spending for services you consume (monthly billing, subscriptions). Public cloud leans strongly toward OpEx: you pay for what you use, and you can scale down to reduce cost.

Consumption-based pricing means charges are tied to usage (compute hours, storage capacity, data egress, transactions). The exam often couples this with agility and elasticity: because you can provision quickly and scale dynamically, you can align costs with demand.

• Common trap: Assuming “moving to cloud always reduces costs.” The exam focuses on the model (pay-as-you-go) and potential savings; poor governance can increase costs.
• Common trap: Thinking reserved capacity/commitments contradict consumption. They are pricing options that trade flexibility for lower unit cost; the underlying services are still metered.

Exam Tip: If a stem highlights “avoid upfront hardware purchase” or “shift from capital expense,” the answer is usually OpEx/consumption-based. If it highlights “buying servers and depreciating,” that’s CapEx.

Section 2.6: Practice questions: Describe cloud concepts (rationales + distractor analysis)

This chapter’s drill set (40+ items in your test bank) is designed around repeatable AZ-900 patterns. Your job is to identify the tested concept quickly, then eliminate distractors using one decisive cue from the stem. In timed conditions, don’t debate “could be true”; instead, ask “what is the examiner targeting?”

For shared responsibility items, your rationale should anchor to a single boundary statement: in IaaS you manage the guest OS and applications; in PaaS the provider manages the platform (OS/runtime); in SaaS the provider manages the application. Distractors commonly swap “data” and “OS” responsibilities—remember, you are always responsible for data and access management, regardless of model.

For service model classification, force yourself to match verbs: “manage” (IaaS), “deploy code” (PaaS), “use software” (SaaS). Distractors often include a true statement about another model (for example, “scales automatically”) but miss the core requirement (for example, “needs OS-level control”). Your rationale should cite the requirement that disqualifies the distractor.

For deployment models, your decision cue is the presence of on-prem or multiple providers. If the stem includes “connect to on-premises” or “some workloads stay in the datacenter,” hybrid is the default. If it says “two public cloud providers,” that is multicloud. Public cloud is the simplest answer unless an explicit constraint forces private/hybrid.

For benefits (scalability/elasticity/HA/DR), write rationales that use timing and failure scope: elasticity reacts to change; scalability supports growth; HA reduces downtime during component failure; DR restores after major outage. Distractors are usually synonyms used incorrectly. Eliminate by asking: is the stem about staying up (HA) or getting back (DR)?

Exam Tip: When you review explanations, don’t just note the correct option—note the exact word in the stem that made it correct, and the exact word that makes each distractor wrong. That is how you improve speed and accuracy across 200+ questions without memorizing answers.

Section 3.1: Azure geography: regions, region pairs, sovereign regions, availability zones

Azure’s global infrastructure is built from regions—geographic areas containing one or more datacenters. A region is the unit you choose when deploying many services (for example, placing a VM in East US vs West Europe). On the exam, a common task is interpreting what “in a region” implies: data residency, latency proximity, and service availability (not all services are in every region).

Availability Zones (AZs) are physically separate locations within an Azure region, designed to provide high availability and fault isolation. If a question emphasizes protection from a datacenter failure within the same region, availability zones are usually the right concept. Not every region is “zonal,” and not every service supports zone-redundant deployment—AZ-900 expects recognition of the concept and its purpose, not the SKU matrix.

Region pairs are Microsoft-defined pairings within the same geography (for example, for coordinated updates and recovery prioritization). Region pairs matter in disaster recovery discussions: if the stem mentions “paired region” or “platform-managed recovery prioritization,” the concept is region pairs rather than zones.

Sovereign regions are special regions designed for compliance and legal requirements (for example, Azure Government). If the stem mentions government entities, specific regulatory boundaries, or isolated operations, look for the sovereign cloud option rather than public regions.

Exam Tip: Translate the requirement into the right resiliency layer: “datacenter outage” → Availability Zones; “regional outage” → multi-region design (often leveraging region pairs); “legal isolation/government” → sovereign region.

Common trap: Choosing “availability zone” for any disaster recovery question. Zones reduce impact of a single datacenter failure; they do not solve a full region outage.

Section 3.2: Azure resource hierarchy: management groups, subscriptions, resource groups, resources

AZ-900 frequently tests whether you understand how Azure organizes and governs assets. The hierarchy (top to bottom) is: management groups → subscriptions → resource groups → resources. Each level exists for a reason: management groups are for large-scale governance, subscriptions are for billing and isolation boundaries, resource groups are for lifecycle management, and resources are the actual services (VMs, storage accounts, VNets, etc.).

A subscription is often the boundary for billing and quotas. If a question suggests separating departments for cost tracking or isolating limits, subscriptions are a good fit. A resource group is a logical container that allows you to manage related resources as a unit—deploy, update, or delete together. If the stem says “delete all components of an app at once” or “manage access to the app’s resources together,” resource groups are the intended answer.

Management groups roll up multiple subscriptions to apply policy and access control at scale. On the exam, they appear when an organization has many subscriptions and wants consistent governance. Remember: applying governance “across subscriptions” usually implies management groups.

Exam Tip: Watch for verbs: “bill/chargeback” hints subscription; “deploy/delete together” hints resource group; “standardize rules across many subscriptions” hints management groups.

Common trap: Assuming resources must be in the same region to be in the same resource group. Resource groups can contain resources in different regions (the metadata is stored in one region), so don’t let region distract you unless the question explicitly ties to data residency or latency.

Section 3.3: Compute services: VMs, App Service, Functions, Containers (AKS concepts at a high level)

Compute questions on AZ-900 are primarily “which service type matches this workload?” The core mental model: VMs are infrastructure-as-a-service (IaaS) where you manage the OS; App Service is platform-as-a-service (PaaS) for hosting web apps/APIs with less administrative overhead; Functions is serverless for event-driven code; and containers package apps with dependencies for consistent deployment.

Azure Virtual Machines fit when you need full control over the OS, custom software installation, or lift-and-shift of on-prem servers. If the stem mentions patching the OS, admin access, or running legacy software, VMs are commonly correct. Azure App Service is ideal when the question highlights “managed hosting,” “minimal infrastructure management,” or quickly deploying web apps/APIs. You still manage your code, but Azure manages the underlying hosting environment.

Azure Functions appear when the stem includes triggers (HTTP request, timer, queue message) and “run code on demand.” Serverless is about consumption-based execution and reduced operational burden. If the question focuses on short-lived tasks, event processing, or automatic scaling without server management, Functions is a strong match.

Containers are about packaging and portability. AZ-900 expects you to know that orchestration can be handled by Azure Kubernetes Service (AKS) at a high level—managed Kubernetes for running containerized applications at scale. Don’t over-rotate into Kubernetes details; focus on when orchestration is needed (many containers, scaling, rolling updates) versus running a single container instance.

Exam Tip: Look for the management boundary in the stem: “manage OS” → VM; “managed web hosting” → App Service; “event-driven/only run when triggered” → Functions; “portable packaged app” → Containers (AKS for orchestrated clusters).

Common trap: Picking VMs for any app hosting scenario. If the stem emphasizes reduced management and rapid deployment, the exam generally prefers PaaS/serverless over IaaS.

Section 3.4: Storage services: storage accounts, redundancy options, Blob vs File vs Queue vs Table

Azure storage questions often combine “which storage type” with “which redundancy option.” Start with the container concept: a storage account is the top-level object that provides a namespace for Azure Storage services (Blob, File, Queue, Table) and controls settings like redundancy. On AZ-900, you’re not expected to memorize every tier, but you must match the right service to the data pattern.

Blob storage is object storage for unstructured data (images, video, backups). If the stem says “store documents, media, or backups,” Blob is usually right. Azure Files provides managed file shares accessible via SMB (and other options); if the stem mentions “file share,” “lift-and-shift shared drive,” or “mount as a network drive,” Files is the target. Queue storage is for messaging between components (decoupling), often when the stem mentions “asynchronous processing” or “buffering requests.” Table storage (or the broader idea of NoSQL key-value) appears when the stem describes schemaless structured data with fast lookups.

Redundancy options test resiliency vocabulary: LRS replicates within a single datacenter; ZRS replicates across availability zones in a region; GRS replicates to a paired region (asynchronously); GZRS combines zonal plus geo-replication. You don’t need deep replication mechanics, but you must match “within region” vs “across regions” needs.

Exam Tip: Read for the failure scope: “datacenter failure” → ZRS; “regional disaster” or “secondary region” → GRS/GZRS; “lowest cost/basic protection” → LRS.

Common trap: Confusing Blob and Files. If users need a traditional shared folder experience (SMB), choose Files; if it’s app/object access to unstructured data, choose Blob.

Section 3.5: Networking services: VNets, subnets, peering, VPN Gateway, ExpressRoute, DNS, Load Balancer vs Application Gateway

Networking on AZ-900 is about recognizing the role of each service in connectivity, name resolution, and traffic distribution. Azure Virtual Network (VNet) is the foundational private network in Azure. Subnets segment a VNet for organization and security boundaries. If the question is simply “create an isolated network for resources,” VNet is the baseline answer; if it mentions segmentation, it’s pointing to subnets.

VNet peering connects VNets privately across Azure’s backbone. Use it when the stem says “connect two VNets” without going over the public internet and without needing encryption as the main differentiator. For connecting on-premises to Azure, the exam differentiates between VPN Gateway (encrypted tunnel over the public internet) and ExpressRoute (private dedicated connectivity with more predictable performance). If the stem emphasizes “private connection that doesn’t use the public internet,” ExpressRoute is usually intended.

Azure DNS provides DNS hosting for domains; if the stem is about hosting DNS zones/records, choose Azure DNS (not to be confused with DNS used inside VNets). Traffic distribution questions often hinge on Load Balancer vs Application Gateway. Load Balancer operates at Layer 4 (TCP/UDP), distributing traffic without understanding HTTP specifics. Application Gateway is Layer 7 (HTTP/HTTPS) and supports web-focused features like SSL termination and WAF integration.

Exam Tip: Identify the OSI clue: “HTTP/HTTPS, URL-based routing, WAF” → Application Gateway; “TCP/UDP, non-HTTP, raw port distribution” → Load Balancer.

Common trap: Selecting VPN Gateway when the stem says “does not traverse the public internet.” VPN uses the internet (encrypted). ExpressRoute is the private connectivity option.

Section 3.6: Practice questions: Azure architecture and services (core infrastructure and solutions)

This chapter’s domain drill set (45+ items in your practice bank) focuses on fast identification: region vs zone vs paired region; subscription vs resource group; IaaS vs PaaS vs serverless; and matching storage/network services to keywords. In timed conditions, you should aim to answer these items in under a minute each by using a consistent elimination approach.

Start each question by underlining the requirement noun and constraint phrase. The noun tells you the category (compute/storage/networking/organization). The constraint phrase usually disqualifies two distractors. Example constraints include “without managing servers,” “private connectivity,” “file share,” “event-driven,” “multi-region DR,” and “HTTP routing.” These phrases are intentionally repeated across the exam to reward pattern recognition.

Exam Tip: When two answers are both “possible,” choose the one that is (1) more managed, and (2) more specifically aligned to the stem. AZ-900 typically prefers platform services (App Service/Functions) over VMs when the stem does not require OS control.

Also watch for “scope” words: “across multiple subscriptions” suggests management groups; “all components of this application” suggests a resource group; “billing boundary” suggests subscription. For global infrastructure, “within the region” points to availability zones; “secondary region” points to geo-redundancy or region pairs.

Common trap: Over-reading into implementation details not asked. If the question is about selecting the right building block, ignore configuration-level distractors (specific SKUs, protocol minutiae) unless the stem explicitly calls them out.

As you work the drill set, keep a miss log with three columns: keyword you missed, the correct mapping, and the distractor you chose. You’ll usually find your errors cluster around a handful of confusions (Blob vs Files, VPN vs ExpressRoute, zones vs regions). Fixing those clusters is the fastest route to a higher AZ-900 score.

Microsoft Entra ID (formerly Azure Active Directory; the exam may still use “Azure AD” language) is Azure’s cloud identity and access management service. AZ-900 commonly tests whether you understand what a tenant is and what lives inside it. A tenant is a dedicated instance of Entra ID representing an organization. When you create an Azure subscription, it is associated with a tenant. If a scenario mentions “separate organizations,” “separate directories,” or “separate sign-in boundaries,” think separate tenants.

Users and groups are security principals in Entra ID. Users represent people (or sometimes service identities), while groups simplify assigning access at scale. For exam questions, the key is the reason groups exist: to avoid assigning permissions one-by-one. If the stem mentions “hundreds of users need the same access,” the intended best practice is usually group-based access.

Synchronization is another frequent topic. Many organizations already have on-premises Active Directory Domain Services (AD DS). They use synchronization to align identities between on-prem AD and Entra ID (commonly via Azure AD Connect, now aligned with Entra Connect branding). The exam stays conceptual: you should know that sync enables users to use the same identity in cloud services and can support hybrid identity scenarios.

Exam Tip: Don’t confuse AD DS with Entra ID. AD DS is traditional domain-join/Kerberos/LDAP for Windows domains; Entra ID is cloud-based identity for modern authentication and SaaS integration. If the question mentions “domain join,” “Group Policy,” or “LDAP,” it leans AD DS. If it mentions “SSO to Microsoft 365,” “OAuth,” or “cloud sign-in,” it leans Entra ID.

• Tenant = boundary for identities and directory objects.
• Users/Groups = identities and collections to manage access efficiently.
• Synchronization = hybrid identity bridge between on-prem and cloud directories.

Common trap: assuming a subscription is the same as a tenant. Subscriptions are billing/management containers; the tenant is the identity directory they trust for sign-in.

AZ-900 repeatedly tests the difference between authentication and authorization because many wrong options swap these terms. Authentication answers “Who are you?” (proving identity). Authorization answers “What are you allowed to do?” (permissions). If a question describes verifying credentials, tokens, or sign-in, it is authentication. If it describes granting permissions like read/write/delete, it is authorization.

Single sign-on (SSO) is a user experience and security concept: authenticate once, then access multiple apps/services without re-entering credentials (within policy boundaries). On the exam, SSO is often the correct choice when the stem focuses on reducing repeated logins while keeping centralized identity control.

Multi-factor authentication (MFA) strengthens authentication by requiring more than one factor (something you know/have/are). In stems about preventing account compromise due to password theft, MFA is usually the “best first control.” However, a subtle trap is when the question asks for limiting access based on conditions (device, location, risk, app). That is where conditional access fits.

Conditional access (conceptual for AZ-900) applies policies that can require MFA, block access, or enforce compliant devices based on signals such as user risk, sign-in risk, location, application, or device state. Think of it as “if this, then require that.”

Exam Tip: If the stem includes “from untrusted locations,” “only from compliant devices,” “require MFA for admins,” or “block legacy authentication,” you’re likely in conditional access territory. If it simply says “add an extra layer beyond passwords,” choose MFA.

• Authentication: identity proof (sign-in).
• Authorization: access rights (permissions).
• SSO: fewer prompts across apps.
• MFA: stronger sign-in protection.
• Conditional access: context-based enforcement (often includes MFA).

Common trap: picking RBAC for sign-in controls. RBAC does not control how you authenticate; it controls what you can do after authentication succeeds.

Azure role-based access control (Azure RBAC) is the authorization system for Azure resources. The exam wants you to know that RBAC is about permissions to manage Azure resources (for example, “can start a VM,” “can read storage account keys,” “can create resources”). It is implemented by assigning a role to a security principal (user, group, service principal, managed identity) at a specific scope.

Scopes form a hierarchy, and the AZ-900 exam often checks whether you understand inheritance: a role assignment at a higher scope flows down to lower scopes. The scope order to memorize is: Management group → Subscription → Resource group → Resource. If a user needs the same permission across multiple subscriptions, a management group assignment may be appropriate (conceptually). If they only need access to one app’s resources, resource group or resource scope aligns with least privilege.

Exam Tip: When you see “only this resource” or “only this resource group,” pick the smallest scope that meets requirements. Least privilege is a recurring exam theme: grant only what is necessary, at the narrowest scope.

Know the common built-in roles at a recognition level. “Owner” has full access including assigning access. “Contributor” can manage resources but cannot grant access. “Reader” can view. Many distractors invert Contributor and Owner; remember: only Owner (and User Access Administrator) can assign RBAC by default.

• Role assignment = who (principal) + what (role) + where (scope).
• Inheritance = higher-scope assignments apply downward.
• Least privilege = narrow scope + minimal role.

Common trap: mixing up Azure RBAC with Entra ID roles. Entra roles manage directory features (like managing users), while Azure RBAC manages Azure resources (like VMs and storage accounts).

Security on AZ-900 is about recognizing services and baseline concepts rather than configuring rules. Microsoft Defender for Cloud is a core topic: it provides security posture management (recommendations, Secure Score) and threat protection for Azure (and often hybrid/multi-cloud). If a stem mentions “security recommendations,” “improve security posture,” “regulatory compliance dashboard,” or “Secure Score,” Defender for Cloud is the likely match.

Encryption is another high-yield concept. The exam often frames it as “protect data at rest” or “protect data in transit.” Data at rest typically refers to storage encryption; data in transit refers to encryption during network communication (such as TLS). You may also see references to keys and key management; conceptually, Azure supports both platform-managed and customer-managed keys in many services.

For network protection, distinguish between Network Security Groups (NSGs) and Azure Firewall. NSGs are used to allow/deny inbound/outbound traffic to resources in Azure virtual networks (commonly subnets and NICs) using rules (ports, protocols, source/destination). Azure Firewall is a managed, stateful network firewall service offering more centralized control and features for filtering and logging at scale. In simplified exam terms: NSG is a basic network traffic filter close to resources; Azure Firewall is a centralized firewall service for broader control.

Exam Tip: If the scenario says “filter traffic to a subnet/VM” and the options include NSG, choose NSG. If it says “centralized firewall,” “enterprise-grade,” or implies a single controlled egress/ingress point, Azure Firewall is the better match.

• Defender for Cloud: posture, recommendations, Secure Score, threat protection.
• Encryption: at rest vs in transit (recognize the phrasing).
• NSG: rule-based filtering for VNet resources.
• Azure Firewall: managed, stateful, centralized firewall service.

Common trap: choosing Defender for Cloud as a “firewall.” It is not a packet-filtering device; it is a security management and protection platform.

AZ-900 expects you to recognize Azure’s management tooling and pick the best tool for a task. The Azure Portal is the web-based GUI for managing Azure resources. It is often the right answer when the stem emphasizes “graphical,” “browser-based,” or “no local tools installed.” But the exam also tests whether you know automation and command-line alternatives.

Azure Cloud Shell is a browser-accessible shell environment that provides pre-authenticated access to Azure tools. It commonly includes Azure CLI and Azure PowerShell modules. If a scenario asks for “run scripts/commands from the browser” or “without installing tools,” Cloud Shell is a strong candidate. Be alert to the subtle distinction: Cloud Shell is the environment; CLI/PowerShell are the tools you run inside it (and also locally).

Azure CLI is a cross-platform command-line tool (often used in Bash). Azure PowerShell is PowerShell-based and fits organizations standardized on PowerShell scripting. The exam usually won’t test command syntax, but it will test when to choose CLI vs PowerShell vs Portal based on preferences and automation needs.

ARM templates (Azure Resource Manager templates) represent infrastructure as code using declarative JSON (and often Bicep as a higher-level language, though AZ-900 emphasizes ARM templates conceptually). Stems that say “deploy the same environment repeatedly,” “consistent deployments,” “idempotent,” or “define resources in a file” are pointing at templates.

Exam Tip: If the question is about repeatable, consistent provisioning, choose ARM templates (or “infrastructure as code”). If it’s about interactive, one-off changes, Portal fits. If it’s about scripting/automation, CLI/PowerShell fit. If it must be done from a browser with no install, Cloud Shell fits.

• Portal: GUI management.
• Cloud Shell: browser-based shell with tools ready.
• Azure CLI: cross-platform command line.
• Azure PowerShell: PowerShell automation.
• ARM templates: declarative, repeatable deployments.

Common trap: confusing ARM templates with “monitoring” or “governance.” Templates deploy resources; they don’t inherently enforce ongoing compliance after deployment (that’s more in the governance/policy space).

This chapter’s drill set focuses on scenario recognition—the skill that drives high scores on AZ-900. You should be able to classify each scenario in seconds before reading the options. Ask yourself: is the problem about identity (Entra ID), permissions (RBAC), security posture (Defender for Cloud), network filtering (NSG/Azure Firewall), or management tooling (Portal/CLI/PowerShell/Cloud Shell/ARM templates)? The correct answer is usually the one that directly matches the category, while distractors are adjacent services that sound security-related or management-related but don’t solve the stated need.

Identity scenarios typically mention onboarding users, creating groups, enabling SSO to applications, synchronizing from on-prem directories, or enforcing sign-in security like MFA. Access scenarios mention “grant access,” “restrict who can delete,” “read-only,” or “manage resources in this resource group.” Security posture scenarios mention “recommendations,” “score,” “hardening,” or “regulatory compliance.” Tooling scenarios mention “automate deployments,” “run commands,” “use a browser,” or “deploy the same configuration repeatedly.”

Exam Tip: When two answers both seem plausible, look for the boundary word in the stem: “sign-in” implies authentication controls (MFA/conditional access); “permissions on resources” implies RBAC; “traffic allowed/blocked” implies NSG/Firewall; “recommendations/score” implies Defender for Cloud; “repeatable deployment” implies ARM templates.

• Time management approach: classify the scenario first, then eliminate options outside the category.
• Least privilege lens: if multiple scopes/roles work, the exam prefers the narrowest scope and minimal role.
• Term discipline: don’t let “security-sounding” distractors replace the exact control needed (identity vs network vs posture).

Common trap: overthinking implementation. AZ-900 rarely expects “how,” but it frequently expects “which service/feature.” Your goal in the 45+ question drill set is to answer quickly, then review explanations to refine your keyword-to-concept mapping and to learn why each distractor is wrong in that particular scenario.

Section 5.1: Governance controls: Azure Policy, initiatives, and compliance evaluation

Azure Policy is the primary exam answer when you must enforce standards for resources. It evaluates resources against rules (policy definitions) and can apply effects such as Deny, Audit, Append, and DeployIfNotExists. On AZ-900, you don’t need to author JSON policy rules, but you must know the purpose: prevent or evaluate noncompliant configurations across subscriptions and resource groups.

Initiatives (policy set definitions) group multiple policies so you can assign them together. This is commonly tested as “apply a set of policies to meet a compliance standard” or “assign multiple policies at once.” An initiative also rolls up compliance results, which helps you see an overall compliance posture instead of isolated policy results.

Compliance evaluation is a reporting concept: after assignment, Azure evaluates resources and marks them compliant or noncompliant. This is not the same as security monitoring alerts. It is governance posture reporting—often used for audits and internal controls.

• Use Policy when: enforcing allowed regions, requiring tags, requiring specific SKU types, restricting public IP creation, requiring encryption settings, or auditing resource configurations.
• Use Initiative when: bundling multiple policies to align with a standard (e.g., internal “baseline”) and tracking one compliance score for the set.

Common trap: confusing Azure Policy with RBAC. RBAC controls who can do actions; Policy controls what can be deployed/configured, even by authorized users. If the stem says “developers have Contributor but must be prevented from deploying to non-approved regions,” the correct tool is Policy, not RBAC.

Exam Tip: Look for verbs. “Restrict/allow/deny” maps to Policy. “Grant/assign permissions” maps to RBAC (typically discussed elsewhere). If both appear, the question is usually aiming at the one that directly satisfies the constraint without changing user roles—Policy.

Section 5.2: Resource governance: tags, locks, and standardization patterns

This section is where AZ-900 mixes practical operations with governance vocabulary. Tags are key-value metadata (for example, CostCenter=042, Owner=Finance, Environment=Prod) used for reporting, organization, and cost allocation. Tags do not enforce security and do not prevent actions by themselves; they are for consistent classification and downstream reporting (especially in Cost Management).

Resource locks protect resources from accidental changes. Two lock levels appear on the exam: ReadOnly (can’t modify) and Delete (can’t delete). Locks are applied at subscription, resource group, or resource scope, and they inherit downward. If a stem emphasizes “prevent accidental deletion” or “protect a critical resource,” a lock is the highest-probability answer.

Standardization patterns show up as “consistent deployments.” While AZ-900 doesn’t go deep into IaC, you should recognize the concept: use templates/standard definitions to reduce configuration drift. In practice, teams pair standard deployment patterns with Policy (guardrails) and tags (classification). Some stems may describe “ensuring every resource includes specific tags” or “standardize naming and environment metadata.” Tags support the organization; Policy can enforce tag presence.

• Tags: organize, filter, report, and allocate costs; not a security boundary.
• Locks: prevent deletion or modification—even by users with permissions—until the lock is removed.
• Standardization: consistent patterns + governance guardrails reduce drift and audit gaps.

Common trap: picking locks to “stop unauthorized access.” Locks do not replace RBAC; they stop changes, not viewing or reading data. Another trap is assuming tags affect billing automatically; tags enable cost analysis and chargeback, but you still must use Cost Management reporting to view costs by tag.

Exam Tip: If the requirement is “track costs by department,” think tags. If the requirement is “stop accidental deletion,” think locks. If the requirement is “ensure every resource has tags,” think Azure Policy (possibly using an initiative to cover multiple tag requirements).

Section 5.3: Cost management tools: Cost Management + Billing, budgets, alerts, and best practices

Cost questions on AZ-900 often combine two skills: (1) identifying the correct cost tool, and (2) knowing which factors drive cost. The primary platform service is Cost Management + Billing, which helps you analyze historical spend, create budgets, and set alerts. It supports scoping costs at subscription/resource group levels and breaking down costs using dimensions like resource type, location, and tags.

Budgets are a classic exam target: they don’t stop services; they notify via alerts when thresholds are reached. If a stem asks to “receive notification when costs exceed $X,” budgets and alerts are the right direction. If it asks to “reduce costs,” you likely need a combination: analyze spend, identify top cost drivers, and apply best practices (right-size resources, stop unused resources, reserved instances/savings plans where applicable, and pick appropriate SKUs).

• Cost analysis: understand where money is going (by service, region, resource group, tag).
• Budgets: set thresholds (actual and forecast) and trigger alerts.
• Alerts: notify stakeholders; they are not automatic enforcement mechanisms.
• Best practices: deallocate unused resources, right-size, use tagging, and review recommendations.

Common trap: choosing “budget” when the stem asks to cap spending. Azure budgets do not shut down resources automatically. Another trap is confusing “Billing” with “Pricing Calculator.” Billing is operational spend tracking; calculators are for estimating before deployment.

Exam Tip: Watch for “forecast.” Cost Management budgets can alert on forecasted costs (not just actual). If the question says “alert before we exceed,” forecast-based thresholds are the clue.

Section 5.4: Pricing concepts: TCO Calculator vs Pricing Calculator, SLAs and service lifecycle

The exam regularly asks you to differentiate estimation tools. The Pricing Calculator estimates the monthly cost of specific Azure resources you plan to deploy (VM sizes, storage, bandwidth, databases, etc.). Use it when you know the intended Azure architecture and need projected cost in Azure.

The Total Cost of Ownership (TCO) Calculator compares on-premises costs to Azure costs over time. It focuses on migration justification: servers, storage, networking, datacenter costs, and operational expenses. If the stem includes “compare current datacenter costs to Azure” or “justify moving to the cloud,” TCO Calculator is usually correct.

SLAs (Service Level Agreements) define uptime commitments and often specify conditions (for example, requiring deployment across multiple instances or availability zones to qualify). AZ-900 expects you to know what an SLA is and how to interpret it at a high level, not to memorize every percentage. You should recognize that higher availability designs can cost more, and that SLA wording matters.

Service lifecycle terms also appear: Preview vs General Availability (GA). GA services are production-ready and have full support/SLA; preview features may have limited support and typically no SLA. If the stem asks what is appropriate for production workloads, GA is the safe choice.

• Pricing Calculator: “What will this Azure design cost?”
• TCO Calculator: “How does Azure compare to on-prem over time?”
• SLA: uptime commitment; depends on architecture and service specifics.
• Preview vs GA: preview is for evaluation/testing; GA for production.

Common trap: thinking the Pricing Calculator is “actual billing.” It is only an estimate. Another trap is selecting “preview” as the best answer for mission-critical production because it sounds newer. On exams, “preview” is frequently a distractor when reliability and support are required.

Exam Tip: If you see “compare to on-prem,” pick TCO. If you see “estimate Azure services,” pick Pricing Calculator. If you see “guaranteed uptime,” pick SLA. If you see “not recommended for production,” it’s pointing at preview.

Section 5.5: Monitoring and health: Azure Monitor, Log Analytics concepts, Advisor, Service Health

Monitoring questions often test whether you can separate observability (metrics/logs) from platform incidents (outages and maintenance). Azure Monitor is the umbrella service for collecting and analyzing telemetry from Azure resources. At a high level, it works with metrics (near real-time numerical data like CPU percentage) and logs (queryable records).

Log Analytics is the log store and query experience commonly used with Azure Monitor. For AZ-900, focus on the concept: centralized log collection and analysis using queries, often for troubleshooting and trend analysis. Many stems will say “query logs” or “analyze data across resources,” which points to Log Analytics/Azure Monitor rather than Service Health.

Azure Advisor provides recommendations (cost, security, reliability, operational excellence, performance). It does not enforce changes; it recommends. If the stem says “recommend ways to reduce costs” or “improve reliability,” Advisor is a strong candidate.

Azure Service Health provides information about Azure service incidents, planned maintenance, and advisories. It answers, “Is Azure having an issue that affects me?” This is distinct from Azure Monitor, which answers, “How is my resource performing?”

• Azure Monitor: collect/visualize metrics and logs; alerts on resource conditions.
• Log Analytics: query and analyze logs across resources.
• Advisor: proactive recommendations, including cost optimization.
• Service Health: platform status, incidents, planned maintenance impacting your subscriptions/regions.

Common trap: picking Service Health for “CPU is high” or “app is slow.” That’s a resource-level monitoring problem—Azure Monitor. Conversely, choosing Azure Monitor when the question is about “Azure outage in a region” is incorrect; that’s Service Health.

Exam Tip: When the stem mentions “incident,” “planned maintenance,” or “service issue,” lean Service Health. When it mentions “metrics,” “logs,” “alerts,” “dashboard,” or “query,” lean Azure Monitor/Log Analytics. When it mentions “recommendations,” lean Advisor.

Section 5.6: Practice questions: management and governance (cost, policy, monitoring, compliance)

This chapter’s domain drill set targets the exam’s most frequent governance patterns: pick the correct control for standardization, identify the right cost tool, and distinguish monitoring telemetry from platform health. When you work through the practice set, your goal isn’t just to get the right option—it’s to articulate the one sentence reason why the other three are wrong. That is exactly how you build speed and accuracy for AZ-900.

Use this approach for each item:

• Underline the intent: prevent, audit, track, estimate, notify, troubleshoot, or check outage.
• Map intent to tool: Policy/initiative (prevent/audit), tags (track/allocate), locks (protect from delete/modify), Cost Management budgets (notify), calculators (estimate), Monitor/Log Analytics (telemetry), Service Health (Azure incidents), Trust/Compliance (privacy and certifications).
• Eliminate distractors by scope: RBAC controls identities; Policy controls resources; Service Health is Azure-wide events; Monitor is your telemetry.

Compliance and privacy are often tested with “where do I find Microsoft’s compliance reports, audit documentation, and privacy commitments?” The expected direction is Microsoft Trust Center and Azure compliance offerings (not a deployment tool). The exam likes to mix this with governance language; remember that compliance documentation is evidence and transparency, whereas Policy and initiatives are operational guardrails.

Common trap: overthinking. AZ-900 questions are usually written so that one governance tool is the clean match. If you find yourself combining three services to solve a simple stem, step back and ask: “Which single Azure feature is designed for this exact problem?”

Exam Tip: Practice timing: if you can’t decide in 45–60 seconds, pick the best match based on the verb (prevent/track/estimate/monitor/outage) and move on. Most missed questions in this domain come from mixing up pairs: Policy vs RBAC, Tags vs Budgets, Azure Monitor vs Service Health, Advisor vs Cost Management.

Run your mock like the real test: one sitting, uninterrupted, no notes, no phone, and a fixed time box. Treat every pause as a future risk. Your target pace is “steady and accurate,” not rushed. The biggest time loss on AZ-900 comes from rereading stems and debating between closely related governance/security tools.

Navigation strategy: do a first pass where you answer confidently solvable items immediately, and mark only the questions where you can state (a) what the exam objective is testing and (b) why two options compete. If you can’t articulate those two points, you’re not stuck on content—you’re stuck on reading. Reframe the stem: identify the noun phrases (e.g., “enforce standards,” “assign permissions,” “estimate costs,” “secure posture management”). Then match to the tool category (Policy, RBAC, Cost Management, Defender for Cloud, etc.).

Exam Tip: When a stem uses words like “enforce,” “require,” “deny,” think Azure Policy. When it says “who can,” “permissions,” “scope,” think RBAC. When it says “estimate before deploying,” think Pricing Calculator; “analyze/track after,” think Cost Management.

Do not second-guess simple definitions. AZ-900 distractors often add extra detail to make an option look “enterprise-grade,” but the correct answer is usually the clean definition. Save review time for mixed items that blend identity + governance or compute + networking.

In Part 1, expect early momentum questions across cloud concepts and core services—these are score-stabilizers. Your “answer key” process here is not listing Q/A in text, but learning how Microsoft frames correct reasoning. When you review your results, tag each miss into one of three buckets: (1) definition gap (you didn’t know), (2) confusion pair (you mixed two tools), (3) stem misread (you ignored a keyword like “enforce” vs “recommend”).

Common mixed-domain patterns in Part 1:

• Service model mapping: If the customer manages OS/patching, that points to IaaS. If Azure manages runtime/patching, you’re in PaaS. If the user just consumes the app, SaaS.
• Compute selection: VMs for full control, App Service for managed web apps, AKS for container orchestration, Functions for event-driven serverless. Traps include assuming containers automatically mean AKS; single app containers can be simpler on App Service or Container Apps depending on wording.
• Networking basics: VNets are isolation; subnets segment; NSGs filter; VPN/ExpressRoute connect on-prem. The exam often checks if you know ExpressRoute is private connectivity (not over public internet).

Exam Tip: If a question mentions “public endpoint exposure” and “restrict access,” think private endpoints, service endpoints, NSGs, or firewall features—then choose based on whether the stem targets network-layer control (NSG/firewall) versus resource access path (private endpoint).

Review method: for each incorrect item, write a one-line “because” statement tied to the domain objective (e.g., “Governance: Azure Policy enforces; RBAC authorizes users”). This converts mistakes into retrieval cues you’ll use under exam stress.

Part 2 typically feels harder because fatigue increases and items skew toward governance, security posture, and management tooling—areas where names sound similar. Your detailed answer key review should focus on differentiating tool intent: identity/authentication, authorization, configuration enforcement, monitoring, and compliance reporting.

High-frequency governance/security distinctions that appear in mixed-domain items:

• Microsoft Entra ID (Azure AD) vs RBAC: Entra ID handles identity/authentication and directory objects; RBAC controls authorization to Azure resources at scopes (management group/subscription/resource group/resource).
• Azure Policy vs RBAC: Policy enforces or audits configurations; RBAC assigns access rights. A trap is choosing RBAC when the stem asks to “ensure resources are in a specific region” or “require tags.”
• Defender for Cloud: Posture management and security recommendations; alerts and hardening guidance. Don’t confuse it with Policy (enforcement) or Sentinel (SIEM/SOAR) unless the stem explicitly mentions log analytics/SIEM workflows.
• Cost tools: Pricing Calculator estimates; TCO compares on-prem to cloud; Cost Management monitors and budgets after deployment.

Exam Tip: When the stem says “recommendations,” “secure score,” “improve security posture,” that is Defender for Cloud language. When it says “audit” or “deny,” that’s Azure Policy language.

Answer-key discipline: for every item you got right, confirm you chose it for the right reason. AZ-900 punishes “lucky guesses” because the next question will flip the keyword. Train yourself to underline (mentally) the deciding phrase: “require,” “estimate,” “assign permissions,” “private connection,” “managed service,” etc.

Your weak spot analysis should be objective-level, not service-by-service. Build a small score report matrix with the official domains: Cloud Concepts; Azure Architecture and Services; Identity/Access/Security/Management Tools; and Azure Management and Governance. For each domain, label your errors as definition, confusion pair, or stem misread. This tells you whether to reread content, build comparison tables, or practice stem parsing.

Create a remediation plan in two passes:

• Pass 1 (24–48 hours): Fix confusion pairs with side-by-side contrasts: RBAC vs Policy, Entra ID vs RBAC, Defender for Cloud vs Policy, Pricing Calculator vs Cost Management. Your goal is instant recognition.
• Pass 2 (next practice set): Reattempt only the missed objectives with fresh questions, focusing on speed and keyword spotting.

Exam Tip: If you consistently miss “governance” items, don’t memorize features in isolation. Memorize the verbs: RBAC assigns, Policy enforces/audits, Blueprints (legacy concept) packages, Cost Management analyzes/budgets, Pricing Calculator estimates.

Finally, set a threshold: if any domain is below your target (commonly 80% in practice), do not add new topics. Only tighten the high-frequency distinctions and retest. AZ-900 is breadth-heavy; your advantage comes from clean categorization and consistent reading habits.

In the final 48 hours, your job is recall and discrimination—no deep dives. Use rapid prompts: “What does this service do, and what does it NOT do?” Anchor everything to the domain names the exam uses.

Cloud Concepts: benefits (high availability, scalability, elasticity, agility, disaster recovery), and the difference between CapEx vs OpEx. Be able to identify the service model from who manages what.

Azure Architecture and Services: core components (subscriptions, management groups, resource groups, resources), regions/region pairs, availability zones. Compute choices (VMs, App Service, Functions, containers/AKS), networking basics (VNet, NSG, VPN/ExpressRoute), storage basics (Blob vs Files vs Queues vs Tables; redundancy options like LRS/GRS concepts at a high level).

Identity, Access, Security, and Management Tooling: Entra ID for identity, MFA/Conditional Access at a concept level, RBAC scopes, Defender for Cloud purpose, and management tools (Portal, PowerShell, CLI, ARM/Bicep as deployment concepts). Exam Tip: If a question asks “how do you interact with Azure,” the answer is often a tooling channel (Portal/CLI/PowerShell) rather than a governance feature.

Management and Governance: Policy, resource locks, tags, cost management/budgets, compliance concepts and the role of the Trust Center/Service Trust Portal. Your quick test: can you say, in one sentence, what each governance feature is designed to control?

Exam day success is logistics + execution. Confirm your appointment, allowed IDs, and whether you’re testing online or at a center. For online proctoring, prepare a quiet room, stable internet, and a cleared desk. Close all apps not required and disable notifications. If in a test center, arrive early to avoid cognitive drain from rushing.

During the exam, use a simple stress-proof loop: read the last line of the stem first (what are they asking?), then scan for keywords that map to an objective (enforce, assign permissions, estimate, secure posture, private connectivity). Eliminate distractors by category mismatch—if the stem is about authorization and an option is a compliance portal, it’s wrong even if it sounds “security-related.”

Exam Tip: When you feel stuck, ask: “Which option is a product/service, and which is a concept?” AZ-900 often tests whether you can choose the actual Azure service name rather than a general cloud idea.

Time management: avoid spending disproportionate time early. If you can’t decide in ~60–90 seconds, mark and move. Your second pass should be shorter because you’ll have already identified the competing options. Finally, keep your mental state neutral: one missed question does not change your outcome; the exam is designed to mix easy and tricky items. Execute your process, and your preparation will show.