AZ-900 Practice Test Bank: 200+ Questions & Answers

AI Certification Exam Prep — Beginner

Master AZ-900 with realistic practice, review, and mock exams.

Beginner az-900 · microsoft · azure fundamentals · azure

Prepare for the AZ-900 Azure Fundamentals Exam with Confidence

AZ-900 is Microsoft’s entry-level certification exam for Azure Fundamentals, designed for learners who want to understand cloud concepts, Azure architecture and services, and Azure management and governance. This course blueprint is built specifically for beginners with basic IT literacy and no prior certification experience. If you want a structured, question-driven path to exam readiness, this practice test bank course is designed to help you learn the exam domains while building confidence through realistic assessment.

The AZ-900 exam by Microsoft focuses on three official objective areas: Describe cloud concepts; Describe Azure architecture and services; and Describe Azure management and governance. Rather than overwhelming you with advanced implementation detail, this course keeps the focus on the level expected in Azure Fundamentals. Every chapter is aligned to the official objectives and organized to help you recognize common exam patterns, eliminate distractors, and understand why the correct answer is right.

How the 6-Chapter Structure Supports Exam Success

Chapter 1 introduces the certification itself. You will review the exam structure, registration and scheduling options, question formats, scoring expectations, and a practical study strategy for beginners. This foundation matters because many candidates lose points not from lack of knowledge, but from poor pacing, weak planning, or unfamiliarity with how Microsoft exams are presented.

Chapters 2 through 5 cover the official domains in a logical progression. First, you will master cloud fundamentals such as public, private, and hybrid cloud models, shared responsibility, and IaaS, PaaS, and SaaS. Then you will move into Azure architectural components, core services, networking, compute, storage, identity, and database offerings. Finally, you will study management and governance topics such as cost management, SLAs, Azure Policy, RBAC, monitoring, and compliance tools.

Chapter 6 brings everything together through a full mock exam and final review process. This is where learners test readiness across all three official domains, analyze weak spots, and apply a final exam-day checklist.

What Makes This Course Effective for Beginners

  • Aligned to the official AZ-900 Microsoft exam domains
  • Built for beginner-level learners with no prior certification background
  • Practice-test-first structure to improve retention and exam confidence
  • Detailed answer explanations designed to teach, not just score
  • Focused review of commonly confused Azure services and governance tools
  • Full mock exam chapter for final readiness assessment

This course is especially useful for learners who prefer to study by answering questions and then reviewing the reasoning behind each option. That method is highly effective for AZ-900 because the exam often tests your ability to distinguish between similar-sounding services, choose the best cloud model for a scenario, or identify the most appropriate governance and cost-management tool. Repetition through practice questions helps build the pattern recognition needed to succeed.

Domain Coverage Included in the Blueprint

  • Describe cloud concepts: cloud models, service types, shared responsibility, consumption-based pricing, and cloud benefits
  • Describe Azure architecture and services: regions, availability zones, subscriptions, resource groups, compute, networking, storage, identity, and databases
  • Describe Azure management and governance: cost management, SLAs, Azure Policy, RBAC, monitoring, resource locks, and compliance resources

Whether you are exploring cloud careers, validating foundational knowledge, or preparing for more advanced Azure certifications, this AZ-900 course gives you a clear and practical route to exam readiness. If you are just getting started, Register free to begin your preparation. You can also browse all courses to explore additional certification pathways after Azure Fundamentals.

Why This Course Helps You Pass

Passing AZ-900 requires more than memorizing terms. You need to understand the intent behind Microsoft’s cloud platform, identify service categories at a high level, and answer exam-style questions efficiently. This course blueprint emphasizes objective alignment, progressive learning, and repeated practice with detailed feedback. By the end of the six chapters, learners will have reviewed all key exam domains, completed targeted practice, and finished a realistic mock exam sequence that supports stronger performance on test day.

What You Will Learn

  • Describe cloud concepts including shared responsibility, cloud models, and consumption-based pricing.
  • Describe the benefits of cloud computing such as high availability, scalability, elasticity, reliability, and disaster recovery.
  • Describe Azure architecture and services including regions, availability zones, resource groups, subscriptions, and management groups.
  • Describe Azure compute and networking services such as virtual machines, containers, virtual networks, VPN, and ExpressRoute.
  • Describe Azure storage, identity, and database services including Blob Storage, Microsoft Entra ID, and core data options.
  • Describe Azure management and governance using cost management, RBAC, Policy, locks, Service Trust Portal, and monitoring tools.
  • Answer AZ-900 exam-style questions with confidence through detailed rationales and full mock exam practice.

Requirements

  • Basic IT literacy and general familiarity with computers, networking, and software concepts.
  • No prior Microsoft certification experience is required.
  • No hands-on Azure experience is required, though curiosity about cloud computing is helpful.
  • A willingness to practice exam-style questions and review answer explanations.

Chapter 1: AZ-900 Exam Orientation and Study Plan

  • Understand the AZ-900 exam structure and objectives
  • Learn registration, scheduling, and exam delivery options
  • Understand scoring, question types, and retake policy
  • Build a beginner-friendly study strategy and review plan

Chapter 2: Describe Cloud Concepts

  • Explain core cloud computing principles
  • Compare public, private, and hybrid cloud models
  • Describe IaaS, PaaS, and SaaS in exam context
  • Practice Describe cloud concepts exam-style questions

Chapter 3: Describe Azure Architecture and Core Services

  • Understand Azure architectural components
  • Identify core Azure resources and organizational hierarchy
  • Recognize Azure compute and application hosting services
  • Practice Describe Azure architecture and services questions

Chapter 4: Describe Azure Storage, Identity, and Database Services

  • Identify Azure storage services and use cases
  • Explain identity, access, and security basics in Azure
  • Compare Azure database and analytics options at a high level
  • Practice service-selection and architecture questions

Chapter 5: Describe Azure Management and Governance

  • Understand cost management and SLA-related decision making
  • Use governance tools to control and standardize Azure resources
  • Recognize monitoring, compliance, and deployment tools
  • Practice Describe Azure management and governance questions

Chapter 6: Full Mock Exam and Final Review

  • Mock Exam Part 1
  • Mock Exam Part 2
  • Weak Spot Analysis
  • Exam Day Checklist

Daniel Mercer

Microsoft Certified Trainer and Azure Solutions Architect Expert

Daniel Mercer is a Microsoft Certified Trainer with extensive experience teaching Azure certification pathways from fundamentals to architect-level roles. He has coached hundreds of learners on Microsoft exam strategy, Azure core services, governance, and cloud concepts with a strong focus on beginner-friendly explanations.

Chapter 1: AZ-900 Exam Orientation and Study Plan

The AZ-900: Microsoft Azure Fundamentals exam is the starting point for many cloud learners, career changers, students, and technical professionals who need a structured introduction to Microsoft Azure. This chapter is designed to orient you to the exam before you begin memorizing services or drilling practice questions. That matters because AZ-900 is not just a vocabulary test. It measures whether you can recognize foundational cloud concepts, distinguish core Azure services, and identify the right answer when several options sound similar. Candidates often underestimate the exam because it is labeled “fundamentals,” but the test still expects precision with terminology, pricing ideas, governance basics, and common Azure architecture components.

This course aligns directly to the exam-level outcomes you are expected to know: cloud concepts such as shared responsibility, cloud models, and consumption-based pricing; cloud benefits including high availability, scalability, elasticity, reliability, and disaster recovery; Azure architecture elements like regions, availability zones, resource groups, subscriptions, and management groups; Azure compute and networking services such as virtual machines, containers, virtual networks, VPN, and ExpressRoute; Azure storage, identity, and database services including Blob Storage, Microsoft Entra ID, and core data options; and Azure management and governance tools such as cost management, RBAC, Policy, locks, Service Trust Portal, and monitoring services.

In practical terms, your first goal is to understand what the exam is trying to test. Microsoft wants to confirm that you can describe concepts, compare services at a high level, and choose the best fit for basic business or technical scenarios. You usually do not need deep hands-on administrator experience, but you do need to spot distinctions. For example, you may need to know the difference between scalability and elasticity, or when a question is testing governance rather than identity. Exam Tip: On AZ-900, many wrong answers are not absurd. They are often real Azure services placed in the wrong context. Your advantage comes from knowing what category a service belongs to and what problem it solves.

This chapter also explains logistics: how registration works, what to expect from online proctoring or test center delivery, how scoring and question formats usually feel, and how to create a beginner-friendly study plan. If you build your study approach correctly from the beginning, your later work with the test bank becomes more productive. Instead of simply checking whether an answer is right or wrong, you will learn how to analyze why Microsoft framed the question that way and which exam objective is being measured.

You should treat this chapter as your exam roadmap. It gives you the “why” behind the study sequence used in this course. By the end, you should understand how to prepare strategically, how to avoid common traps, and how to use practice tests as a learning tool rather than a guessing exercise. That mindset is often the difference between barely passing and walking into the exam with confidence.

Practice note for each lesson in this chapter (understand the AZ-900 exam structure and objectives; learn registration, scheduling, and exam delivery options; understand scoring, question types, and retake policy; build a beginner-friendly study strategy and review plan): document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 1.1: AZ-900 exam overview, audience, and certification value

AZ-900 is Microsoft’s Azure Fundamentals certification exam. It is designed for beginners, but “beginner” does not mean superficial. The exam is intended for people who are new to Azure, new to cloud computing, or moving into roles that require cloud awareness. This includes students, sales and business professionals, project managers, support staff, aspiring administrators, and technical learners preparing for role-based Azure certifications later. The test does not assume deep scripting, architecture, or deployment experience. Instead, it evaluates whether you understand the language of Azure well enough to participate in cloud discussions and make basic service distinctions.

From an exam-prep standpoint, AZ-900 tests recognition, comparison, and explanation. You should be able to describe cloud models such as public, private, and hybrid cloud; identify benefits such as high availability and scalability; and recognize Azure building blocks like regions, subscriptions, and resource groups. You are also expected to know broad service categories such as compute, networking, storage, identity, databases, governance, and monitoring. What the exam typically does not ask for is highly detailed configuration knowledge. That is a major clue for studying: focus on what a service is for, not every setting it has.

The certification has practical value beyond the credential itself. It gives you a framework for understanding Azure documentation, helps you communicate more clearly in interviews, and serves as a foundation for more advanced Azure exams. Employers often see AZ-900 as evidence that a candidate understands cloud basics and can learn within the Microsoft ecosystem. Exam Tip: If you are planning future certifications such as Azure Administrator or Azure Security Engineer, treat AZ-900 as your terminology and concept base. Strong fundamentals reduce confusion later when multiple services overlap.

A common trap is assuming that business-oriented candidates can ignore technical concepts, or that technical candidates can ignore pricing and governance. AZ-900 spans both. Microsoft wants cloud literacy across business and technical language. If a question mentions cost optimization, responsibility, compliance, or management structure, do not automatically look for the most technical answer. Instead, ask what category of knowledge the question is measuring and match the response to that objective.

Section 1.2: Official exam domains and how they map to this course

One of the smartest ways to study for AZ-900 is to organize your preparation by the official exam domains rather than by random service names. Microsoft periodically updates domain weighting and wording, but the core areas remain consistent: describe cloud concepts, describe Azure architecture and services, and describe Azure management and governance. This course maps directly to those objectives so that your practice test work reinforces the structure of the real exam.

The first major objective covers cloud concepts. This includes shared responsibility, cloud deployment models, service models, and consumption-based pricing. It also includes benefits such as high availability, scalability, elasticity, reliability, predictability, security, governance, and disaster recovery. When you study these topics, focus on comparison language. The exam often measures whether you can tell similar terms apart. For example, scalability is about adjusting capacity, while elasticity emphasizes automatic or dynamic resource adjustment based on demand. That difference is subtle but testable.

The second objective area covers Azure architecture and services. In this course, that includes regions, region pairs, availability zones, resource groups, subscriptions, and management groups, plus service categories such as compute, networking, storage, identity, and databases. Questions in this area often test classification: is a service related to identity, governance, connectivity, or compute? You should be ready to identify virtual machines, containers, virtual networks, VPN Gateway, ExpressRoute, Blob Storage, and Microsoft Entra ID at a foundational level.

The third major objective area is management and governance. This includes cost management, tagging, RBAC, Azure Policy, resource locks, Service Trust Portal, and monitoring tools. These topics are frequent sources of confusion because several services sound administrative. Exam Tip: Build a mental map: RBAC controls who can do what, Policy controls what is allowed, locks help prevent deletion or modification, and Cost Management helps analyze and optimize spending. If you can sort each tool by purpose, many questions become easier.

This course uses the exam domains as its spine. As you move through later chapters and the test bank, label each question by domain. Doing so helps you identify weak areas and prevents a common study mistake: overfocusing on favorite topics while neglecting lower-confidence objectives. The exam does not reward comfort-zone studying; it rewards balanced readiness across all blueprint areas.

Section 1.3: Registration process, scheduling, online proctoring, and test center options

Before exam day, you should understand the registration and scheduling process so logistics do not become a distraction. Microsoft certification exams are typically scheduled through the official certification portal and delivered by an authorized exam provider. The exact interface or provider details can change over time, so always verify the current process on Microsoft Learn and the certification dashboard. Your job is to check the live exam page, confirm the current skills measured, pricing, language availability, identification requirements, and delivery options before booking.

You will generally choose between online proctored delivery and a physical test center. Online proctoring offers convenience, but it also comes with stricter environmental requirements. You may need a quiet room, a clean desk, a functioning webcam and microphone, valid identification, and a device that passes the provider’s system check. Interruptions, background noise, unauthorized materials, or unsupported hardware can create unnecessary stress. If your home setup is unpredictable, a test center may be the better choice.

Test center delivery is often preferred by candidates who want a controlled environment and fewer technology concerns. The tradeoff is travel time and limited scheduling flexibility. If you choose a center, arrive early and bring the required ID exactly as specified. If you choose online delivery, complete all system tests ahead of time and read the check-in instructions carefully. Exam Tip: Do not assume your work laptop is acceptable. Corporate security settings, VPN tools, and restricted permissions can interfere with online proctoring software.

Scheduling strategy matters too. Book your exam only after you can consistently perform well in practice by objective area, not just on one lucky attempt. Many candidates benefit from selecting a date two to four weeks out, then using that deadline to drive review. Rescheduling policies and cancellation windows vary, so know them before you commit. Also be aware of retake rules if you do not pass on the first attempt. The exact waiting periods can change, so verify the current policy directly from Microsoft’s certification information.

The exam itself begins before the first question appears. Your readiness includes identity checks, environment checks, timing awareness, and confidence in your delivery method. Taking care of these details in advance protects your focus for what really matters: reading carefully and recognizing the concept being tested.

Section 1.4: Exam format, scoring model, passing expectations, and question styles

AZ-900 is a fundamentals exam, but it still requires disciplined exam technique. Microsoft exams can include a mix of question styles, such as single-answer multiple choice, multiple-selection items, matching, drag-and-drop style tasks, and scenario-based prompts. The exact number of questions and operational format can vary, and Microsoft may include unscored items. Because of that, do not try to calculate your score during the exam based on how many questions you think you missed. Focus instead on one item at a time.

The scoring model is scaled, and the commonly cited passing mark is 700 on a scale of 100 to 1000. That does not mean 70 percent in a simple one-question-equals-one-point way. Different items may carry different weight, and partial-credit style interactions may behave differently than standard multiple choice. For exam prep, the practical takeaway is simple: aim well above the minimum in your practice work. If you are repeatedly scoring near the edge, you are not truly ready yet.

Question wording is often the real challenge. Many AZ-900 items are written to test whether you can identify the best answer, not just a technically possible one. For example, several answer choices may all sound helpful, but only one aligns most directly with the objective being tested. A question about secure identity management points toward Microsoft Entra ID, while a question about compliance documentation may point toward the Service Trust Portal. Exam Tip: Underline the keyword mentally: cost, identity, governance, connectivity, resilience, or deployment model. That keyword usually reveals the exam domain and narrows the answer set quickly.

Another common feature is the use of realistic but short business scenarios. You may be asked to identify a service suitable for variable demand, secure network connectivity, or role-based access. In these cases, resist overengineering. AZ-900 usually rewards the simplest correct conceptual fit. If the scenario asks for private dedicated connectivity to Azure, ExpressRoute is the conceptual match; if it asks for encrypted connectivity over the internet, VPN is a better fit.

Read every option carefully, especially in questions using words such as “most,” “best,” “primary,” or “minimize.” These words often determine the correct answer. Candidates lose points not because they lack knowledge, but because they answer too quickly when two options are close. Slow down enough to identify what the test writer is prioritizing.

Section 1.5: Study planning for beginners using practice tests and answer reviews

If you are new to Azure, your study plan should be structured, repetitive, and objective-driven. Start by dividing your time across the exam domains rather than trying to memorize every Azure service you encounter online. A beginner-friendly approach is to learn concepts first, then service categories, then common comparisons, and finally practice under timed conditions. This course is built to support that sequence.

In the first phase, focus on understanding definitions and distinctions: public vs. private vs. hybrid cloud, IaaS vs. PaaS vs. SaaS, CapEx vs. OpEx, scalability vs. elasticity, and high availability vs. disaster recovery. In the second phase, attach those concepts to Azure examples such as virtual machines, Azure App Service, containers, Blob Storage, Microsoft Entra ID, Azure Virtual Network, VPN Gateway, and ExpressRoute. In the third phase, add governance and management topics like RBAC, Policy, locks, Cost Management, and monitoring tools. This layered method prevents a common beginner problem: knowing service names without understanding what business or technical problem they solve.

Practice tests should not be used only to generate a score. They are diagnostic tools. After each attempt, review every explanation, including questions you answered correctly. Ask yourself why each wrong answer was wrong and what clue in the wording pointed to the right one. Keep a mistake log organized by domain. For example, if you repeatedly confuse governance tools, create a one-page comparison sheet for RBAC, Policy, locks, and tags. Exam Tip: Your fastest score improvement often comes not from learning brand-new material, but from analyzing repeated errors and fixing pattern-level misunderstandings.

  • Set a study calendar with short daily sessions instead of occasional long cramming sessions.
  • Use one review block each week to revisit weak domains only.
  • Retake practice sets after reviewing explanations, but do not rely on memory alone.
  • Translate every missed question into a concept statement you can explain in your own words.

As your exam date approaches, shift from open-book learning to exam-like practice. Time yourself, avoid notes, and practice careful reading. If your scores are uneven, postpone heavy memorization and return to understanding. AZ-900 rewards clarity more than brute-force recall. A candidate who truly knows the categories and purpose of services will usually outperform someone who has memorized isolated facts.

Section 1.6: Common AZ-900 mistakes and how to avoid them

The most common AZ-900 mistake is underestimating the exam. Because it is a fundamentals certification, many candidates assume broad familiarity with cloud terms is enough. On test day, they discover that Microsoft expects precise distinctions. Avoid this by studying definitions comparatively. Do not just learn what a term means; learn how it differs from related terms. If you cannot explain why availability zones are different from regions, or how RBAC differs from Azure Policy, you are vulnerable to distractors.

A second mistake is memorizing isolated service names without understanding categories. Candidates often know that ExpressRoute, VPN, Blob Storage, and Microsoft Entra ID are Azure services, but they cannot quickly identify whether a question is testing networking, storage, or identity. The solution is to build a category-first mindset. Whenever you study a service, label it by domain, purpose, and common exam wording. This improves both recall and answer selection.

A third mistake is missing qualifier words in the question. Terms like “best,” “primary,” “minimize management,” “dedicated,” or “over the internet” matter enormously. Azure often offers multiple valid technologies, but the exam wants the most appropriate one for the scenario. Exam Tip: Before choosing an answer, restate the question in a few words: “This is asking about cost control,” or “This is about private connectivity,” or “This is about preventing deletion.” That habit reduces impulsive answers.

Another trap is confusing governance and security controls. For example, RBAC determines authorized actions for users and groups, Policy evaluates or enforces compliance rules on resources, and locks help protect resources from accidental changes. These are related but not interchangeable. Similar confusion happens with cloud benefits: reliability, availability, scalability, elasticity, and disaster recovery are connected ideas, but each has a specific emphasis the exam can test.

Finally, do not let practice scores create false confidence. If you are recognizing repeated questions but cannot explain the reasoning behind the answers, your readiness is weaker than it appears. Real exam success comes from transferable understanding. As you move into the rest of this course, use every practice item to answer two questions: what concept is being tested, and what wrong assumption is the exam trying to tempt me into making? That is the mindset of a strong AZ-900 candidate.

Chapter milestones

  • Understand the AZ-900 exam structure and objectives
  • Learn registration, scheduling, and exam delivery options
  • Understand scoring, question types, and retake policy
  • Build a beginner-friendly study strategy and review plan

Chapter quiz

1. A candidate is beginning preparation for the AZ-900 exam. Which study approach best aligns with the purpose and difficulty of the exam?

Correct answer: Focus on foundational concepts, core Azure service categories, and how to distinguish similar-sounding options in context
AZ-900 measures foundational understanding of cloud concepts, Azure services, governance, pricing, and architecture at a high level. Candidates are expected to compare services and recognize the best fit in basic scenarios, not just memorize names. Option A is incorrect because the exam is not a vocabulary-only test; many distractors are real Azure services used in the wrong context. Option C is incorrect because deep administrator-level portal experience is not the main target of AZ-900, and skipping core cloud concepts would leave major exam objectives uncovered.

2. A learner says, "Because AZ-900 is a fundamentals exam, I only need to know broad ideas and can ignore precise terminology." Which response is most accurate?

Correct answer: That is incorrect, because AZ-900 often requires you to distinguish related concepts such as scalability, elasticity, governance, and identity
AZ-900 is introductory, but it still expects precision with terminology and the ability to distinguish similar concepts and services. Microsoft commonly tests whether you can identify what category a service belongs to and what problem it solves. Option A is wrong because fundamentals questions still assess accurate conceptual understanding. Option C is wrong because limited hands-on exposure does not replace knowing the exam objectives or understanding the differences among related Azure terms.

3. A company employee must choose how to take the AZ-900 exam. They want to understand the available delivery choices before booking. Which topic should they review first?

Correct answer: Registration, scheduling, and whether to take the exam through online proctoring or at a test center
Chapter 1 covers exam logistics, including registration, scheduling, and exam delivery options such as online proctoring or test center testing. That information directly supports deciding how to book the exam. Option B is incorrect because virtual network and ExpressRoute configuration are technical Azure topics, not exam-delivery planning topics. Option C is incorrect because deploying production workloads across regions is beyond the immediate logistics of registering and scheduling the certification exam.

4. A student uses practice questions by checking only whether each answer is right or wrong, then moving on immediately. Based on an effective AZ-900 study strategy, what should the student do instead?

Correct answer: Use practice tests as a learning tool by analyzing why the correct answer fits the objective and why the distractors are incorrect
A strong AZ-900 study plan treats practice tests as a way to understand exam framing, objective mapping, and why similar Azure terms are being contrasted. This improves transfer to new questions rather than simple recall. Option B is wrong because memorizing answer positions does not build the conceptual understanding needed for real exam scenarios. Option C is wrong because explanations are one of the best tools for learning the reasoning behind Microsoft-style questions and identifying gaps in domain knowledge.

5. A candidate wants to know what kinds of exam information are important to understand before test day. Which combination is most relevant?

Correct answer: Scoring expectations, common question types, and the retake policy
For exam orientation, candidates should understand scoring at a high level, the types of questions they may encounter, and the retake policy so they can prepare appropriately. Option A is incorrect because SDK syntax and template schema details are not core orientation topics for AZ-900 fundamentals preparation. Option C is incorrect because on-premises hardware lifecycle planning is not part of the exam logistics and orientation focus described for this chapter.

Chapter 2: Describe Cloud Concepts

This chapter targets one of the highest-yield AZ-900 domains: core cloud concepts. On the exam, Microsoft expects you to recognize foundational definitions, distinguish similar-looking answer choices, and apply cloud ideas to short business scenarios. That means memorizing terms is not enough. You must also understand how exam writers phrase questions about shared responsibility, cloud deployment models, cloud service types, and consumption-based pricing. This chapter is built to help you identify what the test is really asking and avoid the common traps that lead candidates to choose technically possible, but not best, answers.

In AZ-900, cloud concepts are often presented in plain business language rather than deep technical detail. You may see prompts about reducing capital expense, increasing flexibility, shifting administrative burden, improving availability, or supporting regulatory requirements. Your job is to map those business goals to the correct cloud concept. For example, if a question focuses on paying only for what is used, think consumption-based pricing. If it focuses on keeping some systems on-premises while using cloud services, think hybrid cloud. If it asks which model gives customers the most control over operating systems and virtual machines, think IaaS.

The lessons in this chapter align directly to the exam objectives: explain core cloud computing principles, compare public, private, and hybrid cloud models, describe IaaS, PaaS, and SaaS in exam context, and practice cloud concepts using exam-style reasoning. Throughout the chapter, pay attention to the wording of the answer choices. AZ-900 often tests whether you can tell the difference between responsibility and ownership, elasticity and scalability, or private cloud and on-premises infrastructure. Those distinctions matter.

Exam Tip: When two answer choices both sound true, choose the one that most directly matches the cloud concept named in the objective. AZ-900 usually rewards the best conceptual fit, not the most complex or expensive solution.

A strong strategy is to classify every question into one of four buckets: deployment model, pricing model, service model, or benefit. Once you identify the bucket, many distractors become easy to eliminate. For instance, a question about who manages patching in a managed application platform belongs to the service model bucket, not pricing. A question about reducing up-front hardware purchases belongs to pricing and cloud economics, not availability.

  • Shared responsibility asks who manages what in cloud environments.
  • Cloud models ask where services run and how they are deployed.
  • Consumption-based pricing asks how customers are billed and why OpEx matters.
  • Service types ask how much control the customer keeps.
  • Cloud benefits ask why an organization would adopt cloud services in the first place.

As you work through the sections, focus on identifying keywords. Terms such as hosted, on-premises, isolated, subscription, pay-as-you-go, managed platform, scaling, failover, and uptime often point to the intended answer. The exam is not trying to trick you with implementation depth here; it is testing whether you can describe cloud concepts clearly and select the most appropriate description in a business-ready context.

By the end of this chapter, you should be able to explain the shared responsibility model, compare public, private, and hybrid cloud approaches, describe consumption-based pricing, differentiate IaaS, PaaS, and SaaS, and connect core cloud benefits such as high availability, agility, elasticity, reliability, and scalability to practical examples. Those skills form the conceptual base for later Azure-specific topics such as regions, availability zones, compute, storage, networking, governance, and monitoring.

Practice note for Explain core cloud computing principles: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Compare public, private, and hybrid cloud models: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Describe IaaS, PaaS, and SaaS in exam context: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 2.1: Describe cloud computing and the shared responsibility model

Cloud computing is the delivery of computing services over the internet. These services can include servers, storage, databases, networking, analytics, and software. For AZ-900, you should think of the cloud as a way to access IT resources on demand without owning all of the underlying infrastructure yourself. Instead of buying and maintaining every physical server and data center asset, an organization can consume services from a cloud provider such as Microsoft Azure.

The shared responsibility model is one of the most tested foundational ideas. It explains that cloud security and management are not handled entirely by either the customer or the provider. Responsibility is shared, and the split changes depending on the service type. The cloud provider is always responsible for the physical infrastructure: physical servers, physical networking, physical data center facilities, and environmental controls. The customer is always responsible for their data, access management, and how they configure what they use.

What changes is the middle layer. In IaaS, the customer manages more, including operating systems, patches for guest OS instances, and many application-level controls. In PaaS, the provider manages more of the platform, so the customer focuses primarily on applications and data. In SaaS, the provider manages almost everything except customer data, identities, and usage configuration.

Exam Tip: If the question asks who is responsible for the physical hosts or the physical network in Azure, the answer is Microsoft. If it asks who is responsible for account access, information classification, or data entered into a service, the customer still has responsibility.

A common trap is assuming that moving to the cloud transfers all security responsibility to the provider. That is false. The provider secures the cloud infrastructure, but the customer must still secure what they put in the cloud. Another common trap is confusing identity configuration with platform management. Even in SaaS, the customer often remains responsible for user accounts, permissions, and appropriate data governance.

To identify the correct answer on the exam, first determine the service model. Then ask: is the item physical, platform-related, or customer-specific? Physical usually belongs to the provider. Customer-specific data and identity usually belong to the customer. The more managed the service, the more responsibility shifts to the provider.

  • Provider responsibility: physical data centers, physical servers, physical storage devices, host infrastructure.
  • Customer responsibility: data, user access, account protection, endpoint security, information governance.
  • Shared or variable responsibility: operating systems, network controls, applications, depending on IaaS, PaaS, or SaaS.

On AZ-900, expect conceptual wording rather than detailed architecture diagrams. If the scenario says an organization wants less infrastructure management, remember that more responsibility shifts to the provider as you move from IaaS to PaaS to SaaS.

Section 2.2: Describe cloud models: public cloud, private cloud, and hybrid cloud

Cloud deployment models describe where resources run and who uses the underlying environment. The three models you must know for AZ-900 are public cloud, private cloud, and hybrid cloud. Questions in this area usually test whether you can match a business requirement to the correct model.

A public cloud is owned and operated by a third-party cloud provider and delivered over the internet. Azure is a public cloud platform. Multiple customers share the same broad infrastructure environment, although their resources remain logically isolated. Public cloud is known for rapid provisioning, global scale, and reduced capital expense. Organizations choose it when they want flexibility, speed, and broad service availability without managing data center hardware.

A private cloud is used by a single organization. It may be hosted in that organization’s own data center or by a third party, but it is dedicated to one customer. Private cloud can provide greater control, customization, and support for strict regulatory or operational requirements. However, it generally involves higher cost and more management overhead than a public cloud approach.

A hybrid cloud combines public cloud and private infrastructure or on-premises resources, allowing data and applications to move between them. This model is common in real organizations. It helps when some workloads must remain on-premises due to compliance, latency, or legacy application needs, while other workloads benefit from cloud scale and agility.

Exam Tip: If a question says an organization must keep some systems in its own environment but wants to use cloud services for others, the answer is usually hybrid cloud. If the question emphasizes dedicated infrastructure for one organization, think private cloud.

A common trap is assuming private cloud simply means any system in a company data center. For exam purposes, private cloud refers to cloud characteristics delivered for one organization, not just “old servers on-premises.” Another trap is confusing hybrid cloud with multicloud. Hybrid means combining cloud with private or on-premises environments; multicloud means using multiple cloud providers, which is a different idea.

To answer these questions correctly, focus on keywords:

  • Shared provider infrastructure, internet-delivered, quick provisioning = public cloud
  • Dedicated to one organization, maximum control, isolated environment = private cloud
  • Mix of on-premises and cloud, workload portability, phased migration = hybrid cloud

Exam writers often include cost, control, compliance, and migration language. Public cloud usually aligns with lower upfront cost and faster innovation. Private cloud aligns with dedicated control. Hybrid cloud aligns with transition, coexistence, and flexibility across environments.

Section 2.3: Describe the consumption-based model and cloud pricing basics

The consumption-based model is central to cloud economics. In traditional IT, organizations often buy hardware and software capacity in advance, leading to capital expenditure, or CapEx. In cloud computing, customers commonly pay for what they use, shifting spending toward operational expenditure, or OpEx. This means they can scale usage up or down and align cost more closely to demand.

For AZ-900, understand that consumption-based pricing does not mean every service is billed the same way. Some services may be billed per second, per hour, per transaction, per GB stored, per user, or by subscription tier. The exam is not testing detailed pricing tables. Instead, it tests whether you know the general principles: no need for large upfront purchases, ability to stop paying for resources that are no longer used, and improved cost predictability when usage is monitored properly.

This model is especially attractive when workloads vary. For example, if demand spikes seasonally, a business can provision more resources temporarily instead of purchasing permanent hardware for peak demand. That avoids overprovisioning. It also helps startups and smaller organizations reduce the barrier to entry because they do not need to build a full data center before launching services.

Exam Tip: If a question asks which cloud financial benefit reduces the need to buy hardware before it is needed, the answer is usually CapEx reduction through consumption-based pricing, not scalability. Scalability is a technical capability; pay-as-you-go is the financial model.

Common traps include mixing pricing concepts with service benefits. Scalability allows growth; consumption-based pricing determines how you pay. Another trap is assuming cloud always costs less. The exam position is more nuanced: cloud can reduce upfront costs and increase flexibility, but poor governance can still create high spending. Cost control depends on monitoring, rightsizing, and choosing the correct services.

To identify correct answers, look for wording such as pay only for used resources, avoid upfront capital investments, billed based on usage, or stop paying when resources are deallocated. These are direct clues pointing to the consumption-based model.

  • CapEx: large upfront spending on owned infrastructure.
  • OpEx: ongoing spending as services are consumed.
  • Consumption-based pricing: pay for actual usage rather than fixed owned capacity.
  • Financial advantage: reduced waste from overprovisioning.

The exam also expects you to understand that cloud pricing supports agility. Organizations can test solutions quickly without committing to long procurement cycles. That said, do not confuse “subscription” with “consumption” in every case. Some cloud services are licensed per user or per plan. The key idea remains that cloud shifts spending away from buying and maintaining everything yourself.

Section 2.4: Describe cloud service types: IaaS, PaaS, and SaaS

Service models define how much of the technology stack the cloud provider manages versus how much the customer manages. AZ-900 commonly tests this by describing a business need and asking which service model best fits. The correct approach is to look for the level of control required and the amount of management the customer wants to avoid.

Infrastructure as a Service, or IaaS, provides basic building blocks such as virtual machines, storage, and networking. The provider manages the physical infrastructure, but the customer manages the operating system, installed software, and much of the configuration. IaaS is best when an organization wants flexibility and control similar to traditional servers, but without owning the hardware.

Platform as a Service, or PaaS, provides a managed application platform. The provider manages the infrastructure, operating systems, runtime, and much of the platform maintenance. The customer focuses on deploying and managing applications and data. PaaS is ideal for developers who want to build applications without handling server patching and lower-level platform operations.

Software as a Service, or SaaS, provides fully managed software delivered over the internet. End users access the application directly, often through a browser or client app. The provider manages the application, platform, and infrastructure. The customer mainly manages users, data, and configuration settings. Examples in the broader cloud world include hosted email, collaboration suites, and CRM platforms.

Exam Tip: Think of the models in terms of control. IaaS = most customer control. PaaS = focus on apps, less infrastructure management. SaaS = use the software, manage users and data, but not the underlying stack.

A common exam trap is choosing IaaS just because virtual machines are mentioned somewhere in the scenario. If the question emphasizes rapid application development and minimizing OS maintenance, PaaS is likely the better answer. Another trap is treating SaaS as if the customer manages the platform. In SaaS, the customer consumes the software itself, not the underlying application runtime or servers.

Use this quick mental model:

  • IaaS: rent infrastructure.
  • PaaS: rent a managed application platform.
  • SaaS: use a complete software application.

When evaluating answer choices, look for the action word. Build and deploy apps with managed runtime usually indicates PaaS. Create and administer virtual servers points to IaaS. Access a ready-to-use software product indicates SaaS. The exam often rewards understanding of management boundaries more than technical implementation detail.

Section 2.5: Describe benefits of cloud computing: high availability, scalability, elasticity, agility, and reliability

This objective tests whether you can connect cloud adoption to real business benefits. Microsoft frequently uses similar-sounding terms here, so precision matters. High availability refers to keeping services accessible with minimal downtime. In cloud environments, this is supported by redundant resources, fault-tolerant design, and distributed infrastructure. If a service is designed to remain operational despite failures, that points to high availability.

Scalability means the ability to increase or decrease resources to meet demand. This can happen vertically by increasing the capability of a resource, or horizontally by adding more instances. Elasticity is related but more dynamic. It refers to the ability to automatically or rapidly scale resources up and down as demand changes. A sudden traffic surge handled without long-term overprovisioning is a classic elasticity example.

Agility means being able to provision and adapt resources quickly. In business terms, agility supports faster experimentation, shorter deployment cycles, and quicker response to changing requirements. Reliability refers to the ability of a system to recover from failures and continue to function predictably. It is closely related to resiliency and consistent service delivery.

Exam Tip: If the question describes automatic growth and shrinkage based on demand, choose elasticity. If it describes the general ability to add capacity, choose scalability. These are not identical terms.
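The overprovisioning point from Section 2.3 and the elasticity definition above can be put side by side in numbers. The following is an added worked example, not part of the original course material; the demand curve, per-instance capacity, and price are constructed assumptions, not Azure figures.

```python
import math

# Constructed hourly demand (requests/second) for one day with a midday spike.
HOURLY_DEMAND = [40, 30, 30, 30, 40, 60, 120, 200, 260, 300, 320, 900,
                 950, 400, 300, 280, 260, 240, 200, 160, 120, 80, 60, 50]

CAPACITY_PER_INSTANCE = 100   # assumed requests/second one instance can serve
CENTS_PER_INSTANCE_HOUR = 10  # assumed price, not a real Azure rate


def instances_needed(load, min_instances=1):
    """Smallest instance count that serves `load`, never below the floor."""
    return max(min_instances, math.ceil(load / CAPACITY_PER_INSTANCE))


def fixed_fleet(demand):
    """Capacity bought up front and sized for the peak hour (the CapEx pattern)."""
    size = instances_needed(max(demand))
    return [size] * len(demand)


def elastic_fleet(demand, min_instances=1):
    """Capacity resized every hour to match demand (the elasticity pattern)."""
    return [instances_needed(load, min_instances) for load in demand]


def summarize(demand, fleet):
    """Instance-hours, cost, utilization, and hours where demand exceeded capacity."""
    instance_hours = sum(fleet)
    provisioned = instance_hours * CAPACITY_PER_INSTANCE
    shortfall_hours = sum(
        1 for load, n in zip(demand, fleet) if load > n * CAPACITY_PER_INSTANCE
    )
    return {
        "instance_hours": instance_hours,
        "cost_cents": instance_hours * CENTS_PER_INSTANCE_HOUR,
        "utilization": round(sum(demand) / provisioned, 3),
        "shortfall_hours": shortfall_hours,
    }


if __name__ == "__main__":
    for name, fleet in (("fixed (sized for peak)", fixed_fleet(HOURLY_DEMAND)),
                        ("elastic (hourly resize)", elastic_fleet(HOURLY_DEMAND))):
        print(name, summarize(HOURLY_DEMAND, fleet))
```

Both fleets serve every hour of demand; the difference is how many paid instance-hours sit idle outside the spike, which is the waste that consumption-based pricing combined with elasticity avoids.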

A frequent trap is confusing high availability with disaster recovery. High availability focuses on minimizing interruption during normal component failures. Disaster recovery focuses on restoring service after a major outage or catastrophic event. Another trap is using agility as if it means performance. Agility is about speed of deployment and adaptation, not raw processing speed.

Look for clue words in the scenario:

  • Minimal downtime, fault tolerance, uptime target = high availability
  • Add more resources to support growth = scalability
  • Automatic or near-instant resource adjustment = elasticity
  • Deploy quickly, innovate faster, shorten procurement = agility
  • Consistent operation and recovery from failures = reliability

These benefits are often tied back to why organizations move to cloud. They gain flexibility in resource allocation, reduce delays caused by hardware procurement, and improve service continuity through globally managed infrastructure. On AZ-900, the best answer usually matches the most direct benefit stated in the prompt, even if other benefits are also true in a broader sense.

Section 2.6: Describe cloud concepts practice set with detailed answer rationales

When reviewing practice items for this objective, your focus should not be on memorizing isolated answers. Instead, train yourself to recognize the pattern behind the question. AZ-900 cloud concept items tend to present a short requirement and ask you to identify the best model, benefit, or pricing principle. The winning strategy is to underline the business clue in your mind before reading the options in detail.

For example, if the rationale explains that an answer is correct because an organization only pays for resources while they are running, that is a consumption-based pricing clue. If the rationale says the provider manages the operating system and runtime while the customer deploys the application, that points to PaaS. If the rationale states that services remain available despite component failure, that describes high availability. Practice becomes much easier once you classify each scenario into the correct concept family.

Exam Tip: During review, always ask why the wrong choices are wrong. AZ-900 distractors are often close relatives of the correct concept. Learning those distinctions is what raises your score.

Use these rationale patterns when checking your answers:

  • If the explanation mentions reduced upfront hardware investment, think OpEx and cloud consumption model.
  • If it mentions a dedicated environment for one organization, think private cloud.
  • If it mentions combining on-premises systems with cloud services, think hybrid cloud.
  • If it mentions the greatest customer control over the OS, think IaaS.
  • If it mentions a fully managed end-user application, think SaaS.
  • If it mentions rapid automatic response to changing demand, think elasticity.

Common traps in practice sets include overthinking the scenario, choosing the most technical option, or missing the single keyword that defines the concept. Keep your reasoning simple and objective-aligned. Ask: is this question about where the workload runs, who manages it, how it is billed, or what benefit it provides? That four-part filter will eliminate many distractors immediately.

As you prepare for the exam, revisit any explanations involving shared responsibility, cloud models, and service types. Those areas frequently overlap. A prompt may mention both pricing and service management, but one of those will be the real testing point. Strong candidates identify the primary objective being assessed and answer from that perspective. If you can consistently classify the scenario, eliminate similar distractors, and justify the best answer in one sentence, you are ready for this chapter’s exam domain.

Chapter milestones
  • Explain core cloud computing principles
  • Compare public, private, and hybrid cloud models
  • Describe IaaS, PaaS, and SaaS in exam context
  • Practice Describe cloud concepts exam-style questions
Chapter quiz

1. A company wants to reduce upfront hardware purchases and pay only for the compute resources it uses each month. Which cloud pricing concept does this describe?

Correct answer: Consumption-based pricing
Consumption-based pricing is correct because cloud services are commonly billed based on actual usage, which aligns with pay-as-you-go and reduced upfront cost. Capital expenditure planning is incorrect because it focuses on large initial purchases of hardware or infrastructure. Perpetual licensing is incorrect because it refers to owning software rights long term, not variable cloud usage billing.

2. A company must keep some applications on-premises due to regulatory requirements, but it also wants to use cloud resources for other workloads. Which cloud model best fits this requirement?

Correct answer: Hybrid cloud
Hybrid cloud is correct because it combines on-premises or private infrastructure with public cloud services, which is a common exam scenario when some systems must remain local. Public cloud is incorrect because it does not describe keeping part of the environment on-premises. Private cloud is incorrect because it may satisfy isolation needs, but it does not describe combining local systems with cloud services.

3. A development team wants a cloud solution where the provider manages the operating system, runtime, and patching, while the team focuses on deploying application code. Which service model should they choose?

Correct answer: Platform as a Service (PaaS)
Platform as a Service (PaaS) is correct because the cloud provider manages the underlying platform components such as the operating system and runtime, allowing developers to focus on the application. IaaS is incorrect because the customer typically manages the operating system and more of the environment. SaaS is incorrect because it provides a complete application to end users rather than a managed platform for app deployment.

4. A company deploys virtual machines in Azure and wants to know which task remains primarily its responsibility under the shared responsibility model. Which task should the company manage?

Correct answer: Configuring and patching the guest operating system
Configuring and patching the guest operating system is correct because in an IaaS model, the customer is typically responsible for the OS inside the virtual machine. Maintaining the physical datacenter building is incorrect because that is handled by the cloud provider. Replacing failed physical disks in host servers is also incorrect because physical infrastructure management remains the provider's responsibility.

5. An organization experiences unpredictable traffic spikes on its customer-facing application and wants resources to automatically increase during peak periods and decrease when demand falls. Which cloud benefit does this scenario describe most directly?

Correct answer: Elasticity
Elasticity is correct because it refers to automatically scaling resources up or down based on demand, a core cloud concept tested in AZ-900. Isolation is incorrect because it relates more to separation of environments or tenants, not dynamic adjustment to workload. Private ownership is incorrect because owning infrastructure does not describe the cloud capability of responding automatically to changing demand.

Chapter 3: Describe Azure Architecture and Core Services

This chapter maps directly to one of the highest-value AZ-900 objective areas: understanding how Azure is organized and which core services solve common business and technical needs. On the exam, Microsoft is not asking you to configure services in depth. Instead, it tests whether you can recognize the right Azure building block for a scenario, distinguish similar terms, and understand how Azure organizes resources at scale. That means you must be comfortable with global infrastructure concepts such as regions and availability zones, organizational concepts such as resource groups and subscriptions, and service categories such as compute, hosting, and networking.

The exam often rewards precise vocabulary. For example, many candidates confuse a region with an availability zone, or a resource group with a subscription. Those are classic exam traps because the names sound related, but they answer different questions. A region tells you where resources run. An availability zone improves resiliency within a region. A resource group provides a logical management container for Azure resources. A subscription provides billing, access, and policy boundaries. A management group sits above subscriptions for governance at scale. If you can identify what problem each layer solves, you can eliminate wrong answer choices quickly.

This chapter also supports the broader course outcomes around cloud benefits, resiliency, governance, and service selection. Azure architecture is not just about memorizing definitions. The exam expects you to connect architecture to outcomes such as high availability, disaster recovery, centralized management, network connectivity, and workload hosting. For example, if a scenario emphasizes fault isolation in a single metropolitan area, availability zones are likely involved. If it emphasizes hierarchy and applying policy across many subscriptions, management groups are likely the correct direction. If the requirement is private connectivity from on-premises to Azure without traversing the public internet, ExpressRoute becomes the key term.

As you study, focus on identifying trigger words in scenario language. Terms like global presence, compliance, resiliency, logical grouping, billing boundary, autoscaling, serverless, hybrid connectivity, and host web apps usually point to specific services.

Exam Tip: AZ-900 questions are often easier when you first decide the category being tested: infrastructure location, organization/governance, compute, hosting, or networking. Once you identify the category, only a small number of answer choices remain plausible.

Another important strategy is to separate “what it is” from “what it does not do.” A resource group can contain resources, but it is not a billing hierarchy like a subscription. Availability zones provide datacenter-level separation, but they do not span multiple regions. Virtual machines provide full operating system control, but Azure Functions are event-driven and serverless. App Service hosts web applications and APIs, while Azure Virtual Desktop provides desktop and app virtualization to end users. On the exam, wrong choices are frequently based on near-miss concepts.

In the sections that follow, you will build a clean mental model of Azure architecture and core services. The lessons are integrated in practical exam language: understanding Azure architectural components, identifying core Azure resources and organizational hierarchy, recognizing Azure compute and application hosting services, and practicing how these ideas appear in exam-style scenarios. Read for pattern recognition, not just memorization. If you can match a requirement to the correct Azure service family and explain why the alternatives do not fit, you are preparing at the right depth for AZ-900.

Practice note for Understand Azure architectural components: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Identify core Azure resources and organizational hierarchy: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Recognize Azure compute and application hosting services: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 3.1: Describe Azure regions, region pairs, availability zones, and edge locations

Azure’s global infrastructure is a foundational exam objective because it connects directly to availability, performance, compliance, and disaster recovery. An Azure region is a geographical area containing one or more datacenters connected through a low-latency network. Regions allow organizations to deploy resources close to users, meet data residency requirements, and improve application responsiveness. When the exam mentions choosing a location for legal compliance, latency reduction, or customer proximity, it is usually testing your understanding of regions.

A region pair is a Microsoft-defined pairing of two regions, in most cases within the same geography. Region pairs support certain disaster recovery and platform update strategies. If one region in the pair experiences a major outage, the paired region is a candidate for prioritized recovery in some Azure services. Candidates often overstate what region pairs mean. They do not automatically replicate every workload you deploy. You must still choose services and configurations that support replication or failover.

Availability zones are physically separate datacenter locations within a single Azure region. They are designed to provide fault isolation for power, cooling, and networking. If a question asks how to increase resiliency against datacenter failure without leaving a region, availability zones are the likely answer. This is a common trap: many learners confuse zones with regions. Zones are inside one region; regions are larger geographic deployment areas.

Edge locations are used for services that bring content or network presence closer to users, such as content delivery and edge-based optimization. On the exam, edge locations are less about infrastructure administration and more about recognizing that Azure can improve performance by serving content from locations nearer to end users rather than always from the primary hosting region.

  • Region = broad geographic deployment area
  • Region pair = Microsoft-associated regional partner for resiliency planning
  • Availability zone = separate datacenter location within one region
  • Edge location = closer delivery point for content and network services

Exam Tip: If the requirement says “protect against a datacenter failure,” think availability zones. If it says “support disaster recovery across large geographic separation,” think regions or region pairs. If it says “reduce content latency for users around the world,” think edge locations.

What the exam tests here is your ability to choose the right resiliency layer. Do not assume the most complex option is always correct. A scenario needing local fault tolerance may only require zone-aware deployment, not multi-region architecture. Likewise, if the scenario mentions legal or sovereignty constraints, the core issue is usually the region selection rather than the compute service itself.

Section 3.2: Describe Azure resources, resource groups, subscriptions, and management groups

This section is heavily tested because Azure organization and governance are core to understanding how everything fits together. An Azure resource is an individual manageable item such as a virtual machine, storage account, virtual network, or database. Resources are the actual services you create and use. On the exam, if the wording points to something deployable and billable as a service instance, it is likely referring to a resource.

A resource group is a logical container for resources. It helps you organize and manage related services, often by application, environment, or lifecycle. A common practical example is placing a web app, database, and storage account for one solution into the same resource group so they can be managed together. Resource groups are not simply folders; they support management operations, permissions, and tagging strategies. However, they are not the top-level billing boundary.

A subscription is an agreement with Azure that provides a billing boundary and an access control boundary. It is common to use separate subscriptions for development, test, and production, or for different departments or business units. The exam often contrasts subscriptions and resource groups. The easiest way to distinguish them is this: if the requirement involves billing separation, quotas, or broad access segmentation, think subscription. If the requirement is grouping related resources for management, think resource group.

Management groups sit above subscriptions and allow governance across multiple subscriptions. They are especially useful in large organizations that need consistent Azure Policy assignment or role-based access strategies across enterprise environments. If a scenario says a company has many subscriptions and wants to apply standards at a higher level, management groups are the correct concept.

  • Resources live inside resource groups
  • Resource groups exist inside subscriptions
  • Subscriptions can be organized under management groups

Exam Tip: Watch for hierarchy questions. The exam likes to test whether you know the order and purpose of each level. Management groups are above subscriptions; resource groups are below subscriptions; resources are the deployed service instances.

Common traps include assuming a resource group can contain resources from multiple subscriptions, or believing a subscription is just another logical grouping like a folder. The exam expects you to know that these concepts affect administration differently. Another trap is forgetting that resources in one resource group can depend on resources in another, even though grouping by lifecycle is often recommended. When choosing the correct answer, ask yourself: is the question about organizing resources, separating billing/access, or applying governance across many subscriptions? That one distinction usually reveals the answer.

Section 3.3: Describe core Azure compute services: virtual machines, scale sets, functions, and containers

Azure compute services are a major AZ-900 area because they represent different hosting models. The exam does not expect you to administer them deeply, but it does expect you to recognize the right fit. Virtual machines provide infrastructure as a service. They give you the most control over the operating system, software stack, and configuration. If a scenario requires custom OS-level access, legacy application support, or full administrator control, virtual machines are usually the right answer.

Virtual machine scale sets extend the VM concept by enabling deployment and management of a set of identical load-balanced VMs. They are designed for scalability and high availability. If a question highlights automatic scaling of many identical VM instances for fluctuating demand, scale sets are more appropriate than a single VM. This is a frequent exam distinction: one VM for a single host versus scale sets for coordinated, scalable groups.

Azure Functions are a serverless compute service. They are event-driven and ideal for running code in response to triggers such as HTTP requests, timer schedules, or storage changes. The key exam clue is that you do not want to manage servers and may only need code to run when an event occurs. Candidates sometimes choose virtual machines because they are familiar, but if the requirement emphasizes minimal infrastructure management and pay-for-execution behavior, Functions is the better fit.

Containers package an application and its dependencies for consistent deployment. Azure supports container-based workloads through services such as Azure Container Instances and Azure Kubernetes Service. For AZ-900, the focus is usually conceptual: containers are lightweight, portable, and well-suited for microservices or rapidly deployed application components. If the scenario mentions portability, consistent runtime environments, or container orchestration, containers are the intended direction.

  • Virtual machines = maximum OS control
  • Scale sets = large sets of identical VMs with scaling
  • Functions = serverless, event-driven code execution
  • Containers = packaged applications with dependencies

Exam Tip: Read the requirement for management responsibility. If the scenario says the company wants to avoid managing servers, virtual machines are probably not correct. If it says they need direct control of the operating system, Functions and most platform services are probably not correct.

What the exam is really testing is your ability to match workload style to compute model. A legacy line-of-business app often points to VMs. Bursty event-based processing points to Functions. Fast, portable deployment points to containers. Horizontal growth across many identical instances points to scale sets. Eliminate answers by asking what level of control, scaling, and operational simplicity the scenario demands.

Section 3.4: Describe application hosting options including App Service and Azure Virtual Desktop

Beyond raw compute, AZ-900 expects you to recognize Azure services built specifically for hosting applications or delivering desktop experiences. Azure App Service is a platform as a service offering for hosting web apps, REST APIs, and mobile app back ends. It abstracts much of the underlying infrastructure so developers can focus on code and deployment instead of server maintenance. If the exam scenario involves hosting a website or API quickly with built-in scaling, deployment support, and reduced management overhead, App Service is a leading answer.

App Service is especially important because it represents the platform-service model that sits between full infrastructure control and pure serverless execution. Candidates sometimes confuse App Service with virtual machines. The key difference is that App Service does not require you to manage the underlying OS in the same way. It is ideal when the goal is application hosting, not infrastructure administration.

Azure Virtual Desktop is a desktop and application virtualization service. It allows organizations to deliver Windows desktops and apps securely from Azure to users on various devices. On the exam, if the requirement involves remote desktop experiences, centralized desktop management, secure access for remote workers, or publishing desktop applications to users, Azure Virtual Desktop is the correct concept. It is not a website hosting service and not a replacement for general web app platforms.

This section is often tested through scenario language that blends hosting and end-user access. A company wanting to modernize a customer-facing web application likely needs App Service. A company wanting to give employees remote access to desktop environments likely needs Azure Virtual Desktop. Those are very different needs, and the exam may place both options in the answer set to see whether you understand the distinction.

  • App Service hosts web apps and APIs
  • Azure Virtual Desktop delivers desktops and apps to users
  • App Service reduces infrastructure management for application hosting
  • Azure Virtual Desktop supports centralized desktop delivery

Exam Tip: If users need a browser-based or API-hosted application, think App Service. If users need a full desktop or virtualized application experience, think Azure Virtual Desktop.

A common trap is selecting a more general service when a specialized one fits better. Virtual machines can host web applications, but App Service is the more direct platform service for many web workloads. Likewise, VMs can provide remote desktop access, but Azure Virtual Desktop is the service designed specifically for managed desktop virtualization scenarios. On the exam, the most Azure-native and purpose-built service is often the best answer.

Section 3.5: Describe core Azure networking services: virtual networks, DNS, VPN Gateway, ExpressRoute, and load balancing

Networking questions in AZ-900 usually focus on identifying the service by use case rather than performing technical configuration. An Azure Virtual Network is the fundamental private network for Azure resources. It enables Azure resources such as virtual machines to communicate securely with each other, with the internet, and with on-premises networks when connected appropriately. If a question asks how Azure resources communicate privately or how to isolate network traffic, a virtual network is the foundation.

Azure DNS provides domain hosting and name resolution using Azure infrastructure. The exam may reference mapping human-readable names to IP addresses or hosting DNS zones. This is more about service recognition than administration details. If the scenario is clearly about name resolution rather than connectivity, DNS is the likely answer.

VPN Gateway enables encrypted traffic between an Azure virtual network and another network, commonly an on-premises environment, over the public internet. This is suitable for secure hybrid connectivity when internet-based transport is acceptable. ExpressRoute, by contrast, provides a private dedicated connection between on-premises infrastructure and Azure. This distinction is extremely testable. If the scenario requires private connectivity that does not traverse the public internet, ExpressRoute is the expected answer. If it simply requires secure encrypted connectivity and cost-effectiveness over the internet, VPN Gateway is often appropriate.

Load balancing distributes traffic across multiple resources to improve availability and performance. For AZ-900, know the concept: spreading incoming requests across healthy instances helps prevent any single instance from becoming a bottleneck or single point of failure. The exam may mention increased availability, traffic distribution, or routing requests to multiple servers as clues.

  • Virtual Network = private Azure networking foundation
  • DNS = name resolution
  • VPN Gateway = encrypted hybrid connection over the internet
  • ExpressRoute = private dedicated hybrid connection
  • Load balancing = distribute traffic across instances

Exam Tip: The VPN Gateway versus ExpressRoute distinction appears often. Remember the trigger phrase: “private dedicated connection” points to ExpressRoute. “Encrypted connection over the public internet” points to VPN Gateway.

Common traps include confusing DNS with network transport or assuming load balancing is the same as autoscaling. Load balancing distributes traffic; autoscaling adds or removes instances. They often work together, but they are not the same concept. To choose correctly, ask whether the scenario is about private networking, hybrid connectivity, name resolution, or traffic distribution.

Section 3.6: Describe Azure architecture and services practice set with exam-style scenarios

This final section ties the chapter together by showing how Azure architecture and core services are tested through practical scenario thinking. AZ-900 exam items often combine several concepts in one short business requirement. Your job is to isolate the dominant requirement first. Is the scenario mainly about location and resiliency, organizational structure, compute model, application hosting, or network connectivity? Once you identify the category, most distractors become easier to reject.

For example, if a company wants to place resources near European customers for latency and possible data residency reasons, the key concept is region selection. If the same company wants resilience against a datacenter outage in that region, availability zones become relevant. If it wants to separate production billing from development billing, that points to subscriptions. If it wants to apply governance standards across many subscriptions, management groups are the stronger answer. Notice that each requirement maps to a different Azure architectural layer.

Compute scenarios are also pattern based. If developers need full control of the operating system for a custom legacy app, virtual machines fit. If the company needs many identical VM instances that scale with demand, scale sets fit better. If code must run only when triggered and the team wants minimal infrastructure management, Azure Functions is the likely answer. If application portability and packaged dependencies are emphasized, containers should stand out. The exam tests whether you can distinguish control, scalability, and management model.

Hosting and networking scenarios work the same way. A customer-facing website or API generally points to App Service when reduced administration is desired. Remote employee desktops point to Azure Virtual Desktop. A secure internet-based tunnel from on-premises to Azure suggests VPN Gateway. A private dedicated circuit suggests ExpressRoute. Traffic distribution across multiple instances indicates load balancing. Name resolution indicates Azure DNS. Azure Virtual Network remains the base private network concept beneath many of these scenarios.

Exam Tip: When two answers both seem possible, choose the one that most directly satisfies the stated requirement with the least extra assumption. AZ-900 favors service recognition over clever architecture. If the scenario explicitly says web app hosting, App Service is stronger than a generic VM unless OS-level control is specifically required.

Final common traps to avoid:

  • Choosing availability zones when the scenario actually requires cross-region disaster recovery
  • Confusing resource groups with subscriptions for billing or access boundaries
  • Selecting virtual machines when a platform or serverless service better matches the requirement
  • Mixing up VPN Gateway and ExpressRoute
  • Assuming all networking terms refer to the same function

Master this chapter by learning the “best fit” purpose of each service or concept. That is the heart of the exam objective. If you can read a short requirement and identify the Azure component that most naturally solves it, you are prepared not only for practice questions but also for real cloud conversations in the workplace.

Chapter milestones
  • Understand Azure architectural components
  • Identify core Azure resources and organizational hierarchy
  • Recognize Azure compute and application hosting services
  • Practice "Describe Azure architecture and services" questions

Chapter quiz

1. A company plans to deploy a critical application in Azure. The solution must remain available if one datacenter in a single Azure region fails. Which Azure architecture component should the company use?

Correct answer: Availability zones
Availability zones provide physically separate datacenter locations within the same Azure region, which helps protect against a single datacenter failure. Resource groups are logical containers for managing related resources, but they do not provide resiliency. Management groups are used to organize and govern multiple subscriptions, not to provide workload availability.

2. An organization wants to apply governance policies and compliance settings across several Azure subscriptions from a single level in the hierarchy. Which Azure component should it use?

Correct answer: Management group
Management groups sit above subscriptions and allow administrators to apply governance, such as Azure Policy and access controls, across multiple subscriptions. A resource group is a logical container within a subscription for resources, not a cross-subscription governance boundary. An availability set is used to improve virtual machine availability within a datacenter and is unrelated to the governance hierarchy.

3. A company needs a boundary for billing, access management, and policy assignment in Azure. Which Azure organizational construct should it choose?

Correct answer: Subscription
A subscription provides a billing boundary and is also a key scope for access control and policy assignment in Azure. A region defines a geographic location where Azure services run, so it is about infrastructure location rather than billing or governance. A resource group helps organize related resources for management, but it is not the primary billing boundary.

4. A development team wants to run code in response to events without managing servers or operating systems. The solution should scale automatically based on demand. Which Azure service is the best fit?

Correct answer: Azure Functions
Azure Functions is a serverless compute service designed for event-driven execution and automatic scaling, which matches the requirement. Azure Virtual Machines provide full operating system control, but they require server management and are not inherently serverless. Azure Virtual Desktop delivers desktop and application virtualization to users, not event-driven code execution.

5. A company wants to host a customer-facing web application and REST API in Azure with a managed platform approach. The company does not want to manage the underlying servers. Which service should it select?

Correct answer: Azure App Service
Azure App Service is a platform as a service offering for hosting web apps and APIs without managing the underlying infrastructure. Azure Virtual Machines can host web applications, but they require the customer to manage the operating system and server configuration. ExpressRoute provides private network connectivity between on-premises environments and Azure, so it is a networking service rather than an application hosting platform.

Chapter 4: Describe Azure Storage, Identity, and Database Services

This chapter targets one of the highest-value AZ-900 objective areas: recognizing core Azure services and matching them to the correct business need. On the exam, Microsoft is not asking you to design highly complex enterprise architectures. Instead, it tests whether you can identify the most appropriate Azure storage, identity, security, database, and analytics service at a high level. That means you must know the purpose of each service, the common use cases, and the key differences that separate similar-looking answer choices.

The lessons in this chapter connect directly to the exam objective that requires you to describe Azure storage, identity, and database services including Blob Storage, Microsoft Entra ID, and core data options. You will also see how these topics overlap with governance and security. In many AZ-900 questions, Microsoft combines topics. For example, a scenario may mention storing backup files, enforcing access to a cloud application, and selecting a database for globally distributed applications. To answer correctly, you must recognize the clue words in the scenario and map them to the right Azure service family.

Start by thinking in categories. Azure storage services answer questions such as: where should the data live, how will it be accessed, and what cost or durability requirements apply? Identity services answer questions such as: who is the user, how do they sign in, and what are they allowed to do? Database services answer questions such as: is the data relational or non-relational, does it need global distribution, and is the goal transaction processing or analytics? If you organize your knowledge this way, many exam choices become easier to eliminate.

A common exam trap is confusing file storage with object storage, or authorization with authentication. Another frequent trap is choosing the most advanced-sounding service instead of the simplest correct one. AZ-900 rewards clarity over complexity. If a scenario mentions unstructured images, video, or backups, think Blob Storage. If it mentions shared files accessed like a file share, think Azure Files. If it mentions sign-in and identity, think Microsoft Entra ID. If it mentions role permissions on Azure resources, think authorization and RBAC. If it mentions relational data, think Azure SQL or Azure Database services. If it mentions globally distributed NoSQL, think Azure Cosmos DB.

Exam Tip: Watch for wording that signals the service category. “Objects,” “images,” and “backup” usually point to Blob Storage. “Shared file access” points to Azure Files. “Disks for virtual machines” points to Disk Storage. “Cold data retained for long periods” points to archive tier concepts. “Identity provider” points to Microsoft Entra ID. “Grant access” points to authorization. “Verify identity” points to authentication.

This chapter also builds your service-selection skills. The exam frequently presents short business scenarios and asks which Azure offering is most appropriate. Your task is not to memorize every product feature. Instead, learn the default association between business requirements and core services. The sections that follow explain what the exam expects you to know, where candidates commonly get distracted, and how to identify the best answer choice quickly and confidently.

Practice note for Identify Azure storage services and use cases: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Explain identity, access, and security basics in Azure: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Compare Azure database and analytics options at a high level: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 4.1: Describe Azure storage services: Blob Storage, Disk Storage, Files, and Archive

Azure storage questions on AZ-900 focus on service recognition and use cases. You need to distinguish among object storage, file storage, and disk-based storage. Blob Storage is Azure’s object storage service and is designed for massive amounts of unstructured data such as images, media, documents, logs, and backup files. It is commonly used when applications need HTTP or HTTPS access to data, or when an organization wants scalable, low-cost storage for content that does not need a traditional file system.

Disk Storage is different because it supports Azure virtual machines. If the scenario mentions operating system disks, data disks, high performance for VM workloads, or persistent storage attached to virtual machines, Disk Storage is the correct direction. Candidates sometimes confuse disks and files because both store data, but the exam expects you to connect disks specifically to VM storage needs.

Azure Files provides managed file shares in the cloud using standard SMB and NFS protocols. If the requirement is to share files across users, devices, or servers with familiar file share access, Azure Files is usually the best match. This is a common comparison point on the exam: Blob Storage is object storage, while Azure Files is shared file storage. If a scenario sounds like a network file share replacement, choose Azure Files, not Blob Storage.

Archive is not a separate storage account type but a low-cost access tier associated with Blob Storage for rarely accessed data. It is meant for long-term retention where retrieval is infrequent and slower access is acceptable. If the question emphasizes minimizing storage cost for old compliance records or backup data that is kept for years, archive tier concepts are likely being tested.

  • Blob Storage: unstructured object data, backups, media, static content
  • Disk Storage: persistent disks for Azure virtual machines
  • Azure Files: managed file shares, lift-and-shift file share scenarios
  • Archive tier: lowest-cost tier for rarely accessed blob data

Exam Tip: If you see “shared drive,” “legacy application expects a file share,” or “users need to map a drive,” think Azure Files. If you see “store millions of images” or “retain backup objects,” think Blob Storage. If the question mentions “attached to a VM,” think Disk Storage immediately.

A common trap is overthinking storage terminology. On AZ-900, the test is usually checking whether you can match a straightforward requirement to the correct storage service. Choose the simplest service that satisfies the use case rather than searching for an advanced feature the question never asked for.

Section 4.2: Describe storage redundancy, migration, and data lifecycle concepts

Section 4.2: Describe storage redundancy, migration, and data lifecycle concepts

Beyond identifying storage services, the AZ-900 exam also expects you to understand basic durability and cost optimization concepts. Storage redundancy refers to how Azure replicates data to protect against hardware failure, datacenter failure, or regional failure. At a high level, locally redundant storage keeps copies within a single datacenter, zone-redundant storage spreads copies across availability zones in a region, and geo-redundant options replicate to a secondary region. The exam usually tests whether you know that more redundancy generally means higher resilience and often higher cost.

Do not get lost in memorizing every acronym in extreme detail. Focus on the big-picture distinction: local redundancy protects against localized hardware issues, zone redundancy adds protection against zone-level failure, and geo-redundancy helps with regional disasters. If a scenario emphasizes disaster recovery across regions, geo-redundant choices are usually favored. If it emphasizes lower cost and no need for cross-region protection, locally redundant storage may be sufficient.

Migration concepts also appear at a high level. Microsoft may describe moving large volumes of existing data into Azure and ask which type of service or approach fits. For AZ-900, know that Azure supports migration tools and services for transferring data and workloads into the cloud. You are not expected to master implementation steps, but you should recognize that Azure provides ways to move on-premises data into Azure storage and databases.

Data lifecycle management is another practical topic. Azure lets organizations place blob data into different access tiers such as hot, cool, and archive based on how often data is accessed. Hot is for frequently accessed data, cool is for infrequently accessed data with lower cost and slightly different access economics, and archive is for rarely accessed long-term retention. Lifecycle policies can automate movement between tiers to reduce cost over time.

Exam Tip: When a question combines storage and cost management, look for lifecycle language such as “older than 90 days,” “rarely accessed,” or “retain for years.” These clues often indicate cool or archive tier decisions rather than a different storage service.

A common exam trap is confusing redundancy with backup. Redundancy means Azure stores multiple copies to improve durability and availability. It does not automatically mean traditional backup, restore points, or long-term recovery strategy. Another trap is assuming archive means deleted or unusable. Archive data is still retained, but retrieval is slower and intended for infrequent access scenarios.
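The tiering behaviour described in this section, as an added example that is not part of the original course: a constructed policy in the JSON shape Azure Storage lifecycle management uses, evaluated locally against sample blobs. The rule name, prefix, day thresholds and blob names are assumptions, and the evaluator is a small model of the rules, not Azure's engine.

```python
import json
from datetime import date, timedelta

# Constructed policy. The field names follow the Azure Storage lifecycle
# management schema; the rule name, prefix and thresholds are assumptions.
POLICY = json.loads("""
{
  "rules": [
    {
      "enabled": true,
      "name": "age-out-backups",
      "type": "Lifecycle",
      "definition": {
        "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["backups/"]},
        "actions": {
          "baseBlob": {
            "tierToCool": {"daysAfterModificationGreaterThan": 30},
            "tierToArchive": {"daysAfterModificationGreaterThan": 90},
            "delete": {"daysAfterModificationGreaterThan": 2555}
          }
        }
      }
    }
  ]
}
""")

TODAY = date(2024, 6, 1)  # fixed so the example is reproducible
TIER_RANK = {"Hot": 0, "Cool": 1, "Archive": 2}

# When several thresholds are met, the least expensive action is applied:
# delete, then tierToArchive, then tierToCool.
ACTIONS_CHEAPEST_FIRST = [("delete", None), ("tierToArchive", "Archive"), ("tierToCool", "Cool")]


def make_blob(name, tier, age_days, today=TODAY, blob_type="blockBlob"):
    """Build a constructed blob record that was last modified age_days ago."""
    return {"name": name, "type": blob_type, "tier": tier,
            "last_modified": today - timedelta(days=age_days)}


def rule_applies(rule, blob):
    """A rule applies when it is enabled and its blob type and prefix filters match."""
    if not rule.get("enabled", True):
        return False
    filters = rule["definition"].get("filters", {})
    if blob["type"] not in filters.get("blobTypes", []):
        return False
    prefixes = filters.get("prefixMatch")
    return not prefixes or any(blob["name"].startswith(p) for p in prefixes)


def plan_action(policy, blob, today=TODAY):
    """Return 'delete', 'tierToArchive', 'tierToCool', or None for one blob."""
    age_days = (today - blob["last_modified"]).days
    for rule in policy["rules"]:
        if not rule_applies(rule, blob):
            continue
        base = rule["definition"]["actions"].get("baseBlob", {})
        for action, target in ACTIONS_CHEAPEST_FIRST:
            cond = base.get(action)
            if cond and age_days > cond["daysAfterModificationGreaterThan"]:
                # Tiering only ever moves a blob to a colder tier.
                if target is None or TIER_RANK[target] > TIER_RANK[blob["tier"]]:
                    return action
                break  # threshold met, but the blob is already that cold
    return None


# Constructed sample blobs ("backups" and "images" are container names).
SAMPLE_BLOBS = [
    make_blob("backups/db-recent.bak", "Hot", 7),
    make_blob("backups/db-last-month.bak", "Hot", 47),
    make_blob("backups/db-last-quarter.bak", "Cool", 143),
    make_blob("backups/db-ancient.bak", "Archive", 3074),
    make_blob("images/logo.png", "Hot", 1600),  # outside the rule's prefix
]


def plan_all(policy=POLICY, blobs=SAMPLE_BLOBS, today=TODAY):
    """Map each sample blob name to the action the policy would take."""
    return {b["name"]: plan_action(policy, b, today) for b in blobs}


if __name__ == "__main__":
    for name, action in plan_all().items():
        print(f"{name:32} -> {action}")
```

The old image outside the `backups/` prefix stays in the hot tier indefinitely, which is the kind of gap a retention review should catch.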

Section 4.3: Describe Microsoft Entra ID, authentication, authorization, and conditional access basics

Microsoft Entra ID, formerly Azure Active Directory, is Azure’s cloud-based identity and access management service. On the AZ-900 exam, this is one of the most tested identity topics. You should understand that Microsoft Entra ID helps users sign in to cloud applications, supports identity management, and enables access control for Azure and many Microsoft cloud services. If the scenario is about users signing in, identities, single sign-on, or managing access to cloud apps, Microsoft Entra ID is central.

The exam often checks whether you can distinguish authentication from authorization. Authentication answers the question, “Who are you?” It verifies identity through credentials such as passwords, multifactor authentication, or other sign-in methods. Authorization answers the question, “What are you allowed to do?” It determines permissions after identity has been verified. In Azure, role-based access control is a common authorization mechanism for resources. If a user can sign in but cannot modify a resource, that is an authorization issue, not an authentication issue.

Single sign-on is another important concept. It allows users to sign in once and access multiple applications without repeatedly entering credentials. Multifactor authentication improves security by requiring an additional verification factor beyond a password. Conditional Access builds on this by applying policies based on conditions such as user location, device state, or application risk. At the AZ-900 level, you only need to know the purpose: Conditional Access helps enforce access decisions dynamically to improve security.

Exam Tip: If the question asks how to improve sign-in security, think multifactor authentication or Conditional Access. If it asks how to verify identity, think authentication. If it asks how to grant permissions to resources, think authorization and RBAC.

Common traps include mixing up Microsoft Entra ID and Azure subscriptions. A subscription is a billing and resource boundary, while Microsoft Entra ID is an identity service. Another trap is assuming Conditional Access is the same as authentication. It uses identity signals and policy rules to decide whether and how access is allowed, often requiring extra controls under certain conditions.

To answer identity questions correctly, find the verb in the scenario. “Sign in” suggests authentication. “Access” under certain conditions suggests Conditional Access. “Assign permissions” suggests authorization. “One login for many apps” suggests single sign-on. The exam rewards precise vocabulary.
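The following added example (not part of the original course and not Microsoft code) models the distinction above: authentication proves identity first, then Conditional Access evaluates sign-in signals and may block access or demand extra controls. All names (`SignIn`, `CAPolicy`, `evaluate_sign_in`), the policies, and the credentials are constructed for illustration; the rule that a matching block policy overrides everything and that every matching policy's control must be satisfied is a simplification of how Conditional Access combines policies.

```python
"""Simplified model: authentication first, then Conditional Access.

Hypothetical names throughout; this is not a Microsoft Entra ID API.
"""
import hmac
from dataclasses import dataclass
from typing import Callable

# Constructed credential store (plain text only because this is a demo).
USERS = {"alice": "correct-horse", "bob": "tr0ub4dor"}


@dataclass
class SignIn:
    user: str
    password: str
    app: str
    location: str              # signal: where the request comes from
    device_compliant: bool     # signal: device state
    mfa_completed: bool = False


@dataclass
class CAPolicy:
    name: str
    apps: frozenset                        # targeted apps, "*" means all
    condition: Callable[[SignIn], bool]    # test over sign-in signals
    control: str                           # block | require_mfa | require_compliant_device

    def applies_to(self, s: SignIn) -> bool:
        return ("*" in self.apps or s.app in self.apps) and self.condition(s)


# Constructed policies for the example tenant.
POLICIES = [
    CAPolicy("MFA outside corp network", frozenset({"*"}),
             lambda s: s.location != "corp-network", "require_mfa"),
    CAPolicy("Compliant device for finance app", frozenset({"finance-portal"}),
             lambda s: True, "require_compliant_device"),
    CAPolicy("Block sign-ins from unknown countries", frozenset({"*"}),
             lambda s: s.location == "unknown-country", "block"),
]


def authenticate(s: SignIn) -> bool:
    """Authentication: 'Who are you?' Only the credential is checked here."""
    expected = USERS.get(s.user)
    return expected is not None and hmac.compare_digest(expected, s.password)


def evaluate_sign_in(s: SignIn, policies=POLICIES):
    """Return (decision, policy names that drove the decision)."""
    if not authenticate(s):
        return "auth_failed", []
    matched = [p for p in policies if p.applies_to(s)]

    # A matching block policy wins, even if MFA was completed.
    blocks = [p.name for p in matched if p.control == "block"]
    if blocks:
        return "blocked", blocks

    # Every matching policy's control must be satisfied.
    unmet = []
    for p in matched:
        if p.control == "require_mfa" and not s.mfa_completed:
            unmet.append(p.name)
        elif p.control == "require_compliant_device" and not s.device_compliant:
            unmet.append(p.name)
    if unmet:
        return "controls_required", unmet

    # "granted" means the sign-in succeeds; what the user may then do to
    # Azure resources is a separate authorization (RBAC) decision.
    return "granted", [p.name for p in matched]


if __name__ == "__main__":
    demo = SignIn("alice", "correct-horse", "mail", "home", True)
    print(evaluate_sign_in(demo))
```
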

Section 4.4: Describe Azure security basics including Zero Trust, defense in depth, and Microsoft Defender for Cloud

Security fundamentals are woven through many AZ-900 objectives, and this chapter’s identity coverage naturally connects to broader Azure security principles. Zero Trust is a strategic model based on the idea of never automatically trusting a user, device, or network location. Instead, every access request should be explicitly verified using available signals. For the exam, know the principle, not just the phrase. Zero Trust means verify explicitly, use least privilege access, and assume breach.

Defense in depth refers to using multiple security layers so that if one control fails, others still provide protection. These layers can include physical security, identity, perimeter controls, network protections, compute safeguards, application security, and data protection. On the exam, Microsoft may ask which concept involves multiple overlapping controls. That points to defense in depth.

Microsoft Defender for Cloud is Azure’s cloud security posture management and workload protection offering. At a high level, it helps assess security posture, identify recommendations, and provide threat protection across hybrid and cloud workloads. You do not need deep product configuration knowledge for AZ-900, but you should recognize that Defender for Cloud helps monitor, strengthen, and protect Azure resources and beyond.

These topics are frequently tested in scenario form. For example, if the goal is to reduce risk by limiting permissions to only what a user needs, that aligns with least privilege under Zero Trust. If the goal is to improve an organization’s view of security recommendations and compliance posture, Defender for Cloud is a likely answer. If the question describes multiple security controls across different layers, that points to defense in depth.

Exam Tip: Zero Trust is a mindset and strategy. Defender for Cloud is a service. Defense in depth is an architecture principle. If you categorize the answer choices this way, many questions become easier to solve.

A common trap is choosing a product when the question asks for a principle, or choosing a principle when the question asks for a service. Read carefully. Also remember that security on Azure follows the shared responsibility model covered earlier in the course. Microsoft secures the cloud infrastructure, while customers remain responsible for many aspects of identities, configurations, access controls, and data protection depending on the service model.

Section 4.5: Describe database and analytics services: Azure SQL, Cosmos DB, Azure Database services, Synapse, and data tools

AZ-900 database questions are mostly about selecting the right type of data service. Begin with the most important distinction: relational versus non-relational. Relational databases store structured data in tables with defined relationships and are commonly queried with SQL. Azure SQL is the primary Azure-branded relational option you must recognize. If a scenario mentions transactional business applications, structured records, or SQL-based relational workloads, Azure SQL is a strong candidate.

Azure also offers managed open-source relational database services such as Azure Database for MySQL and Azure Database for PostgreSQL. At the exam level, know that these services provide managed database platforms for organizations that want those database engines without managing the underlying infrastructure. If a business already uses MySQL or PostgreSQL and wants a managed cloud service, these Azure Database services are the likely fit.

Azure Cosmos DB is the core NoSQL service you must know. It is designed for globally distributed, highly scalable applications with low-latency access and flexible data models. If a scenario emphasizes worldwide users, elastic scale, schema flexibility, or NoSQL, Cosmos DB is usually the correct answer. One of the biggest exam traps is picking Azure SQL simply because it is familiar, even when the wording clearly describes a globally distributed NoSQL requirement.

For analytics, know Azure Synapse Analytics at a high level as a service that brings together big data and data warehousing analytics capabilities. If the scenario is less about day-to-day transactions and more about analyzing large volumes of data to generate business insights, Synapse is more likely than Azure SQL alone. Microsoft may also reference broader data tools and services for ingestion, transformation, visualization, and analysis. At AZ-900 depth, the key is understanding that operational databases and analytics platforms solve different problems.

  • Azure SQL: relational data and transactional workloads
  • Azure Database services: managed MySQL and PostgreSQL options
  • Azure Cosmos DB: globally distributed NoSQL applications
  • Azure Synapse Analytics: large-scale analytics and data warehousing

Exam Tip: Ask yourself whether the requirement is to run the application’s operational database or to analyze large datasets for reporting and insights. Operational data points toward Azure SQL or Azure Database services. Analytics points toward Synapse and related data tools.

Common traps include confusing analytics with storage, and confusing NoSQL flexibility with relational consistency. The exam usually gives enough hints if you look for words like “transactional,” “schema,” “global distribution,” “petabyte-scale analysis,” or “data warehouse.”

Section 4.6: Describe Azure architecture and services practice set with detailed explanations

This final section is about exam technique: how to evaluate Azure architecture and service-selection scenarios without getting trapped by similar answer choices. In this chapter’s topic area, the exam usually presents a short requirement and expects you to identify the best-fit service. The key is to translate business language into service language. For example, “store backups and media files cheaply” maps to Blob Storage with an appropriate access tier. “Provide a cloud-based shared file system” maps to Azure Files. “Attach persistent storage to virtual machines” maps to Disk Storage.

For identity, listen for the access problem being described. If users must sign in to applications, the core service is Microsoft Entra ID. If the issue is proving who the user is, that is authentication. If the issue is what they are allowed to do after signing in, that is authorization. If the requirement is to restrict access based on conditions such as device compliance or location, that is Conditional Access. This kind of verbal pattern recognition is essential for AZ-900.

For database and analytics scenarios, decide whether the workload is transactional, relational, NoSQL, or analytical. A traditional line-of-business app with structured tables points to Azure SQL or another managed relational database. A globally distributed app with flexible schema and very high scale points to Cosmos DB. A business intelligence or large-scale analytics requirement points to Synapse and data analysis tools rather than an operational database alone.

Exam Tip: Eliminate answers by category first. If the requirement is identity-related, remove storage and database options. If it is file sharing, remove identity and analytics options. This simple elimination strategy is often enough to raise your score on foundational exams.

Another common trap is selecting a technically possible service instead of the most appropriate one. Yes, files can be stored in blobs, but if the scenario is explicitly about a file share, Azure Files is the cleaner answer. Yes, relational systems can scale globally, but if the exam emphasizes NoSQL and worldwide distribution, Cosmos DB is the intended choice. AZ-900 tests Azure fundamentals, so the expected answer usually aligns with the canonical use case taught in Microsoft Learn.

As you prepare, build mental flash cards around requirement keywords: object storage, file shares, VM disks, identity, sign-in, access policy, relational, NoSQL, analytics, archive, redundancy, and cost optimization. When you can instantly associate those words with their matching Azure services, you will be ready for the service-selection questions in this domain.

Chapter milestones
  • Identify Azure storage services and use cases
  • Explain identity, access, and security basics in Azure
  • Compare Azure database and analytics options at a high level
  • Practice service-selection and architecture questions

Chapter quiz

1. A company plans to store millions of image files and backup archives in Azure. The data is unstructured and must be accessed over HTTP or HTTPS. Which Azure service should you recommend?

Correct answer: Azure Blob Storage
Azure Blob Storage is the correct choice because it is designed for unstructured data such as images, video, documents, and backup files, and it supports access over HTTP/HTTPS. Azure Files is incorrect because it provides managed file shares for SMB-based shared file access rather than object storage. Azure Disk Storage is incorrect because it is intended for virtual machine disks, not for storing large collections of unstructured objects.

2. A company wants employees to sign in to cloud applications by using a centralized identity provider. Which Azure service provides this capability?

Correct answer: Microsoft Entra ID
Microsoft Entra ID is the correct answer because it provides identity and authentication services for users and applications in Azure and Microsoft cloud services. Azure RBAC is incorrect because it controls authorization to Azure resources after identity is established; it does not act as the identity provider itself. Azure Policy is incorrect because it is used to enforce compliance rules and resource configuration standards, not user sign-in.

3. An administrator needs to grant a user permission to manage a specific Azure subscription's resources, but the administrator does not need to verify the user's identity. Which concept should be used?

Correct answer: Authorization through Azure RBAC
Authorization through Azure RBAC is correct because the requirement is to grant permissions to Azure resources. In AZ-900, authentication verifies who the user is, while authorization determines what the user can do. Authentication is therefore incorrect because the scenario is about assigning access rights, not verifying identity. Microsoft Defender for Cloud is incorrect because it focuses on security posture and protection recommendations, not resource permission assignment.

4. A startup is building a globally distributed application that requires a non-relational database with low-latency access for users in multiple regions. Which Azure service is the best fit?

Correct answer: Azure Cosmos DB
Azure Cosmos DB is the best fit because it is a globally distributed NoSQL database service designed for low-latency access and multi-region scenarios. Azure SQL Database is incorrect because it is a relational database service, which does not match the requirement for non-relational data. Azure Files is incorrect because it is a file share service, not a database platform.

5. A company wants to migrate a legacy application that expects a traditional shared file system. Multiple Azure virtual machines must access the same files by using standard file share protocols. Which Azure storage service should you choose?

Correct answer: Azure Files
Azure Files is correct because it provides managed file shares that can be accessed by multiple systems using standard file-sharing protocols, which aligns with applications expecting a traditional shared file system. Azure Blob Storage is incorrect because it is object storage for unstructured data and does not present itself as a standard file share for legacy applications. Azure Archive Storage is incorrect because archive refers to a low-cost access tier for infrequently accessed blob data, not a separate shared file service.

Chapter 5: Describe Azure Management and Governance

This chapter maps directly to one of the highest-value AZ-900 objective areas: describing how Azure helps organizations control costs, enforce standards, assign access, monitor resources, and meet compliance needs. On the exam, this domain is less about deep administration and more about recognizing the right tool for a given business requirement. Expect scenario-based questions that ask which service reduces cost risk, which feature prevents accidental deletion, which tool shows compliance documentation, or which monitoring capability reports outages affecting Azure services.

Azure management and governance sits at the intersection of operations, security, and business control. In practice, an organization wants to know four things: how much it is spending, who can do what, whether resources follow company rules, and whether the environment is healthy and compliant. The AZ-900 exam tests whether you can distinguish between these goals and match them to the correct Azure service. A common trap is choosing a tool that sounds broadly useful instead of the one designed for the exact task. For example, Azure Monitor tracks telemetry and alerts, but it does not replace Azure Policy, which evaluates resources against organizational rules.

The first lesson in this chapter is understanding cost management and SLA-related decision making. Azure uses a consumption-based model, so costs can vary based on resource type, region, performance tier, data transfer, and usage duration. The exam often checks whether you understand that management choices can affect spending just as much as service selection. Moving to a cheaper region, selecting a lower service tier, or stopping unused compute can reduce cost. Choosing a highly available architecture may increase cost but can improve uptime. You should be ready to identify these tradeoffs quickly.

The second lesson is using governance tools to control and standardize Azure resources. Governance in Azure includes Azure Policy, resource locks, tags, and management groups. These tools do different jobs. Policy evaluates and enforces standards. Locks protect resources from changes or deletion. Tags add metadata for organization and billing analysis. Management groups allow governance at scale across multiple subscriptions. Exam Tip: When a question asks about enforcing a rule across many subscriptions, think management groups plus Azure Policy rather than tags or RBAC.

The third lesson focuses on recognizing monitoring, compliance, and deployment-related tools. Azure Monitor collects metrics, logs, and alerts. Azure Service Health communicates service issues affecting your Azure environment. Azure Advisor makes best-practice recommendations around cost, reliability, security, performance, and operational excellence. The Service Trust Portal provides access to compliance documentation and audit reports. The exam may also mention blueprints concepts and landing zones to test your awareness of standardized deployment and governance-ready cloud foundations, even though some implementation details are outside AZ-900 depth.

A strong exam strategy is to classify each question into one of these categories: cost, availability, governance, access control, monitoring, or compliance. Then eliminate answers that operate in a different category. If the requirement is to restrict what can be deployed, Azure Policy is likely correct. If the requirement is to grant permissions, use Azure role-based access control. If the requirement is to prevent deletion, use a resource lock. If the requirement is to review Microsoft compliance evidence, use the Service Trust Portal. Exam Tip: Many wrong answers on AZ-900 are real Azure services, just not the best fit for the stated objective.

Another recurring exam theme is lifecycle and support level. Microsoft differentiates between services in preview and those in general availability. Preview features may have limited support and are generally not recommended for production workloads. General availability means the service is fully released and supported for production use. Likewise, you must recognize that service level agreements describe expected uptime commitments, not absolute guarantees. Questions may test whether you understand that higher availability often requires architectural choices such as multiple instances or zone-redundant design, not simply turning on a single feature.

  • Know which tool manages cost visibility and optimization.
  • Know which services govern standards versus assign access.
  • Know the difference between monitoring platform health and viewing compliance reports.
  • Know how SLAs, previews, and lifecycle stages affect deployment choices.
  • Know that the exam rewards precise tool selection, not broad cloud familiarity.

As you work through this chapter, focus on how to identify the correct answer from business language. The AZ-900 exam is written for candidates who may not be full-time Azure administrators. Therefore, prompts often describe organizational goals in plain terms: reduce waste, enforce naming standards, organize billing, protect production resources, investigate service disruptions, or verify compliance posture. Your job is to translate those goals into Azure terminology. This chapter will help you do exactly that while also reinforcing common traps and decision patterns that frequently appear in practice questions.

Section 5.1: Describe factors that can affect costs and tools for cost management in Azure

Cost management is a core AZ-900 objective because cloud value depends on controlling consumption. Azure pricing is influenced by several variables: resource type, pricing tier, region, usage time, storage capacity, outbound data transfer, licensing model, and whether resources are running continuously or only when needed. Compute services are especially important in exam questions because they can continue generating charges even when underused. For example, a larger virtual machine size costs more than a smaller one, and premium storage costs more than standard storage. A service deployed in one region may also have different pricing than in another region.

Azure Cost Management and Billing helps organizations understand, analyze, and optimize spending. It supports budgeting, cost analysis, forecasting, and identifying spending trends. If a question asks how to track current spending against a planned amount, budget features are the best match. If the prompt asks how to identify which service or department is driving cost, think cost analysis combined with tagging. Tags can label resources by department, project, environment, or owner, which makes chargeback and reporting easier.

The exam also tests awareness of pricing tools. The Azure Pricing Calculator estimates expected costs before deployment. The Total Cost of Ownership calculator compares on-premises infrastructure cost to Azure cost. Exam Tip: If the wording says estimate future Azure spending before migration, use the Pricing Calculator. If it says compare existing datacenter costs with Azure, use the TCO Calculator. These tools are related but not interchangeable.

Common traps include confusing cost governance with access governance. RBAC does not control cost directly, and Azure Policy does not replace cost analysis. Policy can restrict expensive resource types or allowed regions, which indirectly reduces cost, but Cost Management is the primary cost visibility tool. Another trap is forgetting that high availability design can increase cost. Multiple instances, availability zones, backup, replication, and premium SKUs often improve resilience but also raise spending. The exam may present this as a business decision between budget and uptime requirements.

To identify the correct answer, ask what the organization is trying to do: estimate, monitor, control, optimize, or allocate costs. Estimate points to calculator tools. Monitor and optimize point to Azure Cost Management. Allocate or report by business unit often points to tags plus cost analysis. Control which services can be deployed often points to Azure Policy. The exam wants you to understand that cost management is not one feature but a combination of pricing awareness, budgeting, visibility, and governance.

Section 5.2: Describe service level agreements, lifecycle considerations, and preview versus general availability

Service level agreements, or SLAs, describe Microsoft’s commitment to uptime for particular Azure services. On AZ-900, you are not usually required to memorize many exact percentages, but you must understand what an SLA represents and how architecture affects it. An SLA is a financially backed commitment to a level of availability over a given period. It does not mean a service will never fail. It means there is a documented target for uptime and a remedy structure if that target is not met.

Questions often test the idea that a single instance may provide a lower SLA than a multi-instance design. If you deploy a workload across multiple availability zones or multiple instances behind a load balancer, you can often improve resiliency and potentially the effective availability of the solution. Exam Tip: When a question asks how to improve uptime, think architectural redundancy, not just selecting Azure as the provider. The platform offers tools, but your design choices matter.

Lifecycle considerations also matter. Services and features move through stages such as preview and general availability. Preview means the feature is still being tested or finalized. It may be limited in support, may change, and may not be recommended for production workloads. General availability, or GA, means the feature is fully released and supported for production use. The exam frequently checks whether you know that preview features are appropriate for evaluation and experimentation, while GA features are the safer choice for business-critical systems.

Another exam angle is supportability and business risk. If an organization requires strong support commitments, predictable operation, and production readiness, GA is the better answer. If the goal is to test a new feature before full release, preview may be acceptable. A common trap is assuming preview simply means “new and better.” On the exam, preview usually signals caution. Likewise, do not confuse lifecycle status with compliance status or SLA. A service can be in GA and still require proper architecture to meet business uptime needs.

To answer lifecycle and SLA questions correctly, focus on the key phrase in the scenario: production, mission-critical, pilot, testing, guaranteed availability, or support limitations. Production and support requirements point toward GA. Availability requirements point toward SLA-aware architecture. If the question mentions downtime tolerance, compare the business requirement to the service or design choice rather than guessing based on product popularity.

Section 5.3: Describe governance tools: Azure Policy, resource locks, tags, and management groups

Azure governance tools help organizations standardize deployments and reduce operational risk. For AZ-900, you need to clearly separate the purpose of Azure Policy, resource locks, tags, and management groups. Azure Policy evaluates resources for compliance with defined rules. It can enforce conditions such as allowed locations, permitted resource types, required tags, or approved SKUs. Policy is the right answer when the requirement is to make sure resources follow corporate standards automatically.

Resource locks protect resources from accidental change. There are two main lock types commonly tested: delete locks and read-only locks. A delete lock prevents deletion but still allows authorized changes. A read-only lock prevents modifications as well as deletion. Exam Tip: If the scenario says “prevent accidental deletion,” choose a delete lock, not RBAC or Policy. If it says “prevent changes,” a read-only lock is more appropriate.

Tags are metadata labels attached to resources. They do not enforce behavior by themselves, but they are very useful for organization, reporting, automation, and cost analysis. A tag might indicate environment=production, department=finance, or owner=teamA. On the exam, tags are frequently the best choice when the question is about grouping, searching, reporting, or allocating costs by category. A common trap is to think tags restrict deployments. They do not; Azure Policy can require tags, but the tags themselves are descriptive.

Management groups provide a governance hierarchy above subscriptions. They let an organization apply policies and access controls consistently across multiple subscriptions. This is especially useful in large enterprises with separate subscriptions for departments, environments, or business units. If a question asks how to apply governance broadly across many subscriptions, management groups are likely involved. Policies and RBAC assignments can be inherited through this hierarchy.

The exam tests whether you can match need to tool. Enforce standards? Azure Policy. Prevent deletion? Resource lock. Organize for billing and administration? Tags. Apply governance across subscriptions? Management groups. These distinctions are foundational. Incorrect answers often include tools that are technically related but operationally wrong for the stated task. Read carefully for verbs such as enforce, organize, protect, or inherit because they usually point to the correct governance service.

Section 5.4: Describe Azure role-based access control, blueprints concepts, and landing zone awareness

Azure role-based access control, or Azure RBAC, determines who can perform actions on Azure resources. This is an authorization tool, not a monitoring or policy enforcement tool. It works by assigning roles to users, groups, service principals, or managed identities at different scopes such as management group, subscription, resource group, or individual resource. Built-in roles like Owner, Contributor, and Reader are common examples. On AZ-900, the exam usually expects you to know that RBAC grants permissions according to the principle of least privilege.

A classic exam trap is confusing RBAC with Azure Policy. RBAC answers the question “Who can do this?” Azure Policy answers the question “What is allowed?” For example, RBAC can allow a user to create virtual machines, but Azure Policy can still block deployment of unapproved VM sizes or regions. Exam Tip: If the requirement uses words like access, permission, authorize, or assign role, think RBAC. If it uses standard, compliant, allowed, or denied resource configuration, think Policy.
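The following added example (not from the original course and not an Azure SDK) models the three separate checks described in this section and in Section 5.3: RBAC inherited down the scope hierarchy, an Azure Policy deny rule, and resource locks. The scope paths, principals, the `allowed-locations` policy name, and all function names are constructed; the evaluation order is an assumption of this simplified model.

```python
"""Simplified model: RBAC (who can act), Policy (what is allowed), locks.

Hypothetical names and constructed data; not how Azure Resource Manager
is implemented.
"""
from dataclasses import dataclass, field

# Built-in role names from the text, reduced to coarse action sets.
ROLE_ACTIONS = {
    "Owner": {"read", "write", "delete", "assign_role"},
    "Contributor": {"read", "write", "delete"},
    "Reader": {"read"},
}

# Constructed hierarchy: management group > subscription > resource group > resource.
MG = "/mg/contoso"
SUB = MG + "/sub/prod"
RG = SUB + "/rg/web"
VM = RG + "/vm/web01"
PARENT = {SUB: MG, RG: SUB, VM: RG}

# (principal, role, scope): assignments are inherited by child scopes.
ROLE_ASSIGNMENTS = [("alice", "Contributor", SUB), ("bob", "Reader", RG)]

# (scope, name, compliance test): assigned once at the management group.
POLICY_ASSIGNMENTS = [
    (MG, "allowed-locations",
     lambda props: props.get("location") in {"westeurope", "northeurope"}),
]

# Lock levels: CanNotDelete (delete lock) and ReadOnly (read-only lock).
LOCKS = {RG: "CanNotDelete"}


@dataclass
class Request:
    principal: str
    action: str                 # read | write | delete
    scope: str
    properties: dict = field(default_factory=dict)


def scope_chain(scope):
    """Yield the scope itself, then each ancestor up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def rbac_allows(req):
    """Authorization: does any role assigned at or above the scope grant the action?"""
    return any(
        principal == req.principal and assigned == scope
        and req.action in ROLE_ACTIONS[role]
        for scope in scope_chain(req.scope)
        for principal, role, assigned in ROLE_ASSIGNMENTS
    )


def policy_violation(req):
    """Governance: is the requested configuration allowed? Checked on writes only."""
    if req.action != "write":
        return None
    for scope in scope_chain(req.scope):
        for assigned, name, compliant in POLICY_ASSIGNMENTS:
            if assigned == scope and not compliant(req.properties):
                return name
    return None


def blocking_lock(req):
    """Protection: a delete lock stops deletes, a read-only lock stops writes too."""
    if req.action == "read":
        return None
    for scope in scope_chain(req.scope):
        level = LOCKS.get(scope)
        if level == "ReadOnly" or (level == "CanNotDelete" and req.action == "delete"):
            return f"{level} lock at {scope}"
    return None


def evaluate(req):
    """Return (allowed, reason). Each control can deny independently."""
    if not rbac_allows(req):
        return False, "RBAC: no role assignment grants this action"
    violated = policy_violation(req)
    if violated:
        return False, f"Policy: denied by '{violated}'"
    lock = blocking_lock(req)
    if lock:
        return False, f"Lock: {lock}"
    return True, "allowed"


if __name__ == "__main__":
    print(evaluate(Request("alice", "write", VM, {"location": "eastus"})))
    print(evaluate(Request("alice", "delete", VM)))
```
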

Blueprints concepts may appear in AZ-900 as awareness topics rather than implementation details. Historically, Azure Blueprints helped package governance artifacts such as policies, role assignments, resource templates, and resource groups into repeatable deployment sets. The exam objective is generally conceptual: understand the idea of deploying standardized environments consistently. Even if the exam wording leans more modern, the key takeaway is that organizations want repeatable, governed setups rather than ad hoc deployments.

Landing zone awareness is similarly conceptual. An Azure landing zone is a structured environment designed to support cloud adoption at scale with governance, identity, networking, security, and management foundations in place. You do not need deep architecture detail for AZ-900, but you should recognize that landing zones are about preparing a compliant, scalable cloud foundation before large-scale workload deployment. This aligns with enterprise governance and operational readiness.

When choosing the correct answer, determine whether the scenario is about permissions, repeatable governed deployment, or enterprise-ready cloud setup. Permissions point to RBAC. Standardized packaged environments point to blueprint concepts. Foundational cloud architecture for many workloads points to landing zone awareness. The exam is testing tool recognition and purpose, not advanced implementation.

Section 5.5: Describe monitoring and compliance tools: Azure Monitor, Service Health, Advisor, and Service Trust Portal

Monitoring and compliance questions are common because they test practical cloud operations knowledge. Azure Monitor is the primary Azure service for collecting, analyzing, and acting on telemetry from Azure and on-premises environments. It works with metrics, logs, alerts, and dashboards. If a scenario asks how to track resource performance, detect issues, or trigger alerts when thresholds are crossed, Azure Monitor is the correct answer. It is broad and operationally focused.

Azure Service Health is more specific. It provides information about Azure service incidents, planned maintenance, and advisories that may affect your subscribed services and regions. This is the best answer when the issue concerns platform events outside your resource configuration. Exam Tip: If the wording says “Microsoft outage,” “service incident,” or “planned maintenance affecting resources,” think Service Health, not Azure Monitor.

Azure Advisor gives personalized best-practice recommendations. It analyzes deployed resources and suggests improvements in categories such as reliability, security, performance, operational excellence, and cost. If the exam asks which tool recommends ways to reduce spending or improve resiliency, Advisor is often correct. A common trap is selecting Cost Management for optimization recommendations when the question is actually asking for best-practice guidance rather than billing analysis.

The Service Trust Portal supports compliance and trust requirements. It gives access to Microsoft compliance documentation, audit reports, privacy information, and security-related materials. This is the correct tool when an organization needs evidence for regulatory review or wants to understand Microsoft’s compliance posture. It is not a runtime monitoring service and not a security configuration engine.

To answer monitoring and compliance questions correctly, identify the source of information needed. Resource telemetry and alerting point to Azure Monitor. Azure platform issues point to Service Health. Improvement recommendations point to Advisor. Audit and compliance documentation point to Service Trust Portal. These services complement one another, and the exam expects you to understand those boundaries clearly.

Section 5.6: Describe Azure management and governance practice set with exam-style explanations

When reviewing management and governance practice items, train yourself to extract the exact requirement before looking at answer options. AZ-900 questions are often short, but the wording is precise. If the goal is to control spending, ask whether the organization needs estimation, budgeting, analysis, or optimization recommendations. If the goal is governance, ask whether the organization needs to enforce standards, assign permissions, protect a resource, or organize billing. If the goal is operations, ask whether they need metrics, service incident visibility, recommendations, or compliance documents.

One effective method is keyword mapping. Words such as budget, forecast, and spending trend suggest Azure Cost Management. Allowed, denied, compliant, and required suggest Azure Policy. Permission, role, and least privilege suggest Azure RBAC. Prevent deletion suggests resource lock. Audit report and regulatory documentation suggest Service Trust Portal. Incident, outage, and maintenance suggest Service Health. Recommendation suggests Advisor. Metrics, logs, and alerts suggest Azure Monitor. These associations help you move quickly and accurately through exam items.

Another important strategy is eliminating near-correct distractors. Microsoft exams frequently include answer choices that are all real Azure services. The challenge is choosing the most precise fit. For example, tags can help analyze costs, but they do not create budgets. Azure Policy can require a tag, but it does not itself provide compliance audit documents like the Service Trust Portal. RBAC can stop unauthorized users from deleting a resource, but it is not the same as a lock designed to prevent accidental deletion by otherwise authorized users. Exam Tip: The best answer is usually the one purpose-built for the scenario, not merely a tool that could influence the outcome indirectly.

Finally, remember that AZ-900 is a fundamentals exam. You are not expected to design advanced implementations from scratch. You are expected to recognize service purpose, understand high-level tradeoffs, and make sensible cloud decisions. If you can clearly distinguish cost tools, governance tools, access tools, monitoring tools, and compliance tools, you will be well prepared for this chapter’s objective area. Practice by rephrasing each scenario in your own words: “This is a permissions problem,” “This is a standards enforcement problem,” or “This is a platform incident visibility problem.” That habit is one of the fastest ways to improve accuracy on the management and governance portion of the exam.

Chapter milestones
  • Understand cost management and SLA-related decision making
  • Use governance tools to control and standardize Azure resources
  • Recognize monitoring, compliance, and deployment tools
  • Practice Describe Azure management and governance questions
Chapter quiz

1. A company wants to ensure that only approved Azure regions can be used when new resources are deployed across several subscriptions. Which Azure feature should the company use?

Correct answer: Azure Policy
Azure Policy is correct because it can evaluate and enforce rules such as restricting resource deployment locations, and it can be applied at scale across subscriptions. Azure Monitor is used for collecting metrics, logs, and alerts, not for enforcing deployment standards. Resource locks protect existing resources from deletion or modification, but they do not control which regions can be selected during deployment.

2. An organization wants to prevent administrators from accidentally deleting a production virtual machine, while still allowing authorized users to read its configuration. What should be used?

Correct answer: A resource lock
A resource lock is correct because a delete lock can protect a resource from accidental deletion. A tag only adds metadata for organization, reporting, or billing analysis and does not prevent administrative actions. Azure Advisor provides recommendations for cost, reliability, security, performance, and operational excellence, but it does not block deletion of resources.

3. A company needs to review Microsoft audit reports and compliance documentation for Azure before migrating regulated workloads. Which Azure resource should they use?

Correct answer: Service Trust Portal
Service Trust Portal is correct because it provides access to Microsoft compliance documentation, audit reports, and trust-related information. Azure Service Health shows information about Azure service issues and planned maintenance affecting subscriptions, not compliance evidence. Microsoft Purview is related to data governance and compliance management scenarios, but the AZ-900 objective specifically maps Microsoft compliance documentation and audit reports to the Service Trust Portal.

4. A company wants to receive notifications when an Azure service outage affects resources in its subscription. Which service should the company use?

Correct answer: Azure Service Health
Azure Service Health is correct because it provides personalized information about Azure service incidents, planned maintenance, and advisories that affect your environment. Azure Policy is for defining and enforcing standards on resources, not reporting Azure platform outages. Management groups help organize and govern multiple subscriptions, but they do not provide outage notifications.

5. A startup is choosing between a lower-cost single-instance deployment and a more expensive highly available design. Which statement best describes the tradeoff in Azure?

Correct answer: Higher availability architectures can increase cost but may improve uptime
“Higher availability architectures can increase cost but may improve uptime” is correct because AZ-900 expects you to understand the tradeoff between cost and SLA-related design decisions. Lower-cost deployments do not always provide the same SLA as redundant or multi-instance architectures, so that option is incorrect. Azure does not automatically convert lower-cost services into highly available solutions without architectural choices and associated cost, making the third option incorrect.

Chapter 6: Full Mock Exam and Final Review

This chapter is your transition from studying AZ-900 topics one domain at a time to performing under exam conditions across the full blueprint. By this point in the course, you have reviewed cloud concepts, Azure architecture and services, core compute and networking options, storage and identity services, and the management and governance tools that Microsoft expects at the fundamentals level. Now the goal changes. Instead of asking, “Do I recognize this topic?” you must ask, “Can I identify what the exam is really testing, eliminate distractors quickly, and choose the best Azure-aligned answer under time pressure?”

The two mock exam lessons in this chapter should be treated as realistic rehearsals, not casual practice sets. Sit for them in a quiet environment, avoid checking notes, and force yourself to commit to an answer before reviewing explanations. AZ-900 is not a deep configuration exam, but it is full of wording traps. The exam often tests whether you can distinguish related concepts such as scalability versus elasticity, Microsoft Entra ID versus Azure subscription constructs, or high availability versus disaster recovery. It also tests whether you can map a business requirement to the correct Azure service category rather than memorizing a feature list.

The most effective candidates use mock exams to build pattern recognition. For example, if a scenario mentions reducing upfront capital expenses, the exam is usually targeting consumption-based pricing or operational expenditure. If it mentions controlling who can perform actions, think role-based access control. If it mentions enforcing standards across resources, think Azure Policy. If it mentions preventing accidental deletion, think resource locks. These are the signals you should train yourself to see immediately.

Exam Tip: On AZ-900, the correct answer is often the one that best matches the business objective at the highest level. Do not overcomplicate a fundamentals question by imagining deep technical implementation details that the item does not ask for.

Another important purpose of this chapter is final diagnosis. Your score alone is not enough. A candidate who scores 78 percent with weak governance knowledge may still be at risk if the live exam emphasizes those objectives. A candidate who scores 72 percent but misses mainly due to reading too fast may be closer to passing than they think. That is why the weak spot analysis lesson matters as much as the mock exam itself. You need a remediation plan tied to the official outcomes: cloud concepts, cloud benefits, Azure architecture, compute and networking, storage and identity, and management and governance.

In the final sections, you will also prepare for test-day execution. Many AZ-900 misses happen because candidates change correct answers unnecessarily, confuse similar terms, or panic when faced with a case-style description. A clear checklist helps stabilize performance. Review the key Azure services and concepts one last time, but focus on distinctions the exam likes to test. Then go into the exam with a pacing strategy, confidence tactics, and a roadmap for what certification to pursue next after passing. This chapter is your final tuning pass before the real exam.

  • Use Mock Exam Part 1 and Part 2 as full rehearsal sessions.
  • Analyze misses by objective, not just by total score.
  • Reinforce commonly confused Azure concepts and service names.
  • Apply a final review checklist that prioritizes high-yield fundamentals.
  • Enter exam day with a time, confidence, and answer-review strategy.

Approach this chapter like an exam coach would: disciplined, analytical, and practical. The AZ-900 exam is broad but manageable when you understand what each domain is trying to measure. Your task now is not to learn everything about Azure. Your task is to prove, clearly and consistently, that you can identify core Azure concepts and choose the best response among plausible alternatives.

Practice note for Mock Exam Part 1: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 6.1: Full-length mock exam covering Describe cloud concepts

The first half of your final mock exam should emphasize the cloud concepts domain because it sets the tone for how Microsoft frames fundamentals questions. This objective includes shared responsibility, cloud deployment models, and consumption-based pricing, along with the business benefits of cloud computing such as high availability, scalability, elasticity, reliability, and disaster recovery. In a mock setting, your job is not merely to remember definitions. You must identify the signal words that reveal which concept the exam writer wants.

When the scenario focuses on who manages physical servers, networking infrastructure, or the operating system, the exam is usually testing the shared responsibility model. A common trap is assuming that moving to the cloud means Microsoft manages everything. That is incorrect. The exact boundary depends on whether the service is IaaS, PaaS, or SaaS. Fundamentals questions often reward candidates who know this gradient: customers manage more in IaaS, less in PaaS, and least in SaaS. If an answer choice sounds too absolute, treat it with suspicion.

Cloud model questions also appear straightforward until similar terms are placed side by side. Public cloud means services offered over the internet to multiple customers. Private cloud refers to cloud resources used exclusively by one organization. Hybrid cloud combines on-premises or private resources with public cloud. The trap is confusing hybrid with “using multiple Azure services” or confusing private cloud with “resources secured by login.” Security alone does not make something a private cloud.

Consumption-based pricing is another favorite exam area. The test often checks whether you understand that organizations can shift from large capital expenditures to operational expenditures and pay for what they use. Be careful with wording that implies fixed ownership costs. Azure usually aligns with variable usage-based billing, though some services offer reserved or predictable cost options. For AZ-900, stay anchored to the broad principle: cloud spending is typically tied to consumption.

Exam Tip: If a question centers on demand changes over time, distinguish scalability from elasticity. Scalability is the ability to increase capacity to handle growth. Elasticity emphasizes automatic or flexible adjustment up and down as demand changes.

The benefits domain also includes reliability, high availability, and disaster recovery. These are related but not identical. Reliability is the overall ability of a system to perform as expected. High availability focuses on minimizing downtime and keeping services accessible. Disaster recovery is about restoring services and data after a major failure event. The exam may present all three in answer options, so choose the one that matches the business requirement most directly rather than the one that merely sounds positive.

As you complete Mock Exam Part 1, note where you hesitate. Hesitation often signals a weak distinction, not a missing topic. Create quick flash comparisons such as IaaS versus PaaS, CapEx versus OpEx, and scalability versus elasticity. That kind of contrast review is usually more effective than rereading large blocks of theory. The cloud concepts objective is highly passable when you train yourself to spot the business clue and map it to the correct fundamentals term.

Section 6.2: Full-length mock exam covering Describe Azure architecture and services

The second major block of the mock exam should test whether you can navigate Azure’s structural building blocks and core service families. This objective includes regions, availability zones, resource groups, subscriptions, and management groups, along with common compute, networking, storage, identity, and database services. The exam does not expect you to design complex architectures, but it does expect you to recognize what each Azure component is for and how it relates to the others.

Start with the hierarchy. Management groups sit above subscriptions and help organize governance at scale. Subscriptions provide a billing and administrative boundary. Resource groups organize related resources for a solution. A classic trap is selecting a resource group when the requirement is about billing separation or selecting a subscription when the requirement is only about grouping resources for lifecycle management. Read for the objective: organization, billing, access, or policy scope.

Regions and availability zones also appear frequently. A region is a geographic area containing one or more datacenters. Availability zones are separate physical locations within an Azure region that provide fault isolation. Candidates often confuse zones with regions. If the requirement is resilience within a single region, availability zones are the better fit. If the requirement is geographic distribution or data residency, regions are the key concept. This distinction appears repeatedly on AZ-900.

Compute and networking questions usually test service selection. Virtual machines support full operating system control. Containers offer lightweight, portable application deployment. Virtual networks provide private networking in Azure. VPN and ExpressRoute both connect on-premises environments to Azure, but ExpressRoute is a private dedicated connection rather than internet-based. The common trap is assuming the more advanced-sounding service is always correct. The right answer is the one that matches the stated requirement, such as private connectivity, speed, control, or simplicity.

Storage and identity questions are similarly practical. Blob Storage is optimized for massive amounts of unstructured object data. Microsoft Entra ID provides identity and access capabilities. Database questions at the AZ-900 level often test whether you can distinguish relational options from non-relational or analytics-oriented choices without going too deep into engine details. Stay at the service-purpose level.

Exam Tip: On fundamentals exams, when multiple Azure services could technically work, choose the one most directly associated with the stated scenario. The exam rewards category knowledge and business fit more than edge-case technical possibilities.

During Mock Exam Part 2, mark every item where two answers both seem plausible. Those are the questions that reveal exam traps. After the mock, write down why the correct answer is better, not just why the wrong answer is wrong. That habit strengthens your ability to identify Azure architecture and services under real exam pressure.

Section 6.3: Full-length mock exam covering Describe Azure management and governance

Management and governance is one of the highest-value review areas because AZ-900 often uses these services to test whether you understand control, compliance, monitoring, and cost awareness at a practical level. Your mock exam should include scenarios involving cost management, role-based access control, Azure Policy, resource locks, the Service Trust Portal, and monitoring tools. These topics are especially vulnerable to confusion because they all relate to administration, yet each solves a different problem.

Begin with access versus enforcement. Role-based access control, or RBAC, determines who can perform actions on Azure resources. Azure Policy evaluates and enforces standards on resources, such as allowed locations or required tags. A frequent trap is choosing RBAC when the requirement is to ensure resources meet a compliance rule, or choosing Policy when the requirement is simply to grant read-only access. Access and compliance are not the same thing.

Resource locks are another easy-win topic if you remember their purpose. Locks help prevent accidental deletion or modification. They do not replace RBAC, and they do not create compliance rules. If the wording says “prevent accidental deletion,” locks should be top of mind. If it says “ensure only approved SKUs are deployed,” that points toward Azure Policy instead.

Cost management questions typically assess whether you understand visibility and control rather than detailed billing formulas. Azure Cost Management helps analyze spending, track trends, and support budget awareness. The trap here is to overread and assume a technical monitoring service handles financial reporting. Monitoring tools such as Azure Monitor focus on metrics, logs, and operational insights, not billing governance.

The Service Trust Portal is tested as a source for compliance, privacy, security, and audit-related documentation. If the scenario asks where to review Microsoft compliance information or trust-related reports, think Service Trust Portal rather than Azure Monitor or Advisor. These answer choices may all look administrative, but only one aligns with trust documentation.

Exam Tip: Build a one-line trigger for each governance tool: RBAC = who can do it; Policy = what is allowed; Locks = prevent accidental change; Cost Management = spending insight; Monitor = operational health; Service Trust Portal = compliance documentation.

As you review governance items in your mock exam, pay attention to verbs in the prompt. “Assign,” “grant,” and “access” often indicate RBAC. “Enforce,” “audit,” and “compliant” usually indicate Policy. “Delete” and “modify” point to locks. “Spend,” “budget,” and “cost” indicate Cost Management. “Metrics,” “alerts,” and “logs” suggest Azure Monitor. If you train on these patterns, this domain becomes much more predictable and significantly boosts your exam confidence.

Section 6.4: Answer review methodology and weak-domain remediation plan

After completing both mock exam parts, resist the urge to focus only on your total score. A good exam coach reviews performance by objective, error type, and decision process. Start by sorting every missed or uncertain item into one of three categories: knowledge gap, confusion between similar concepts, or misread question. This matters because each category requires a different fix. A knowledge gap needs study. A confusion error needs contrast practice. A misread question needs pacing and wording discipline.

Next, map your misses directly to the course outcomes. If you missed items on shared responsibility, cloud models, and consumption-based pricing, your weakness is in cloud concepts. If you struggled with regions, zones, resource groups, and subscriptions, then Azure architecture is the issue. If your misses cluster around RBAC, Policy, locks, and Cost Management, governance needs attention. This objective-based mapping is far more useful than saying, “I’m weak in Azure.” AZ-900 rewards targeted improvement.

Create a remediation plan for the next three to five days. For each weak domain, write a short list of concepts you must be able to distinguish. For example: scalability versus elasticity, region versus availability zone, subscription versus resource group, RBAC versus Policy, VPN versus ExpressRoute, Blob Storage versus relational database services. Then review the official purpose of each concept and explain the distinction aloud in your own words. If you cannot explain it simply, you are not yet exam-ready on that point.

Use answer explanations actively. Do not just read the correct answer and move on. Ask yourself why the distractors were tempting. Most AZ-900 distractors are not random; they are built from nearby concepts in the same domain. Understanding why you were drawn to the wrong option is what prevents repeat mistakes on the real exam.

Exam Tip: Keep a “final traps” page with no more than 15 bullets. Include only concepts you personally confuse. Review that page the night before and the morning of the exam.

Finally, retake selectively. You do not always need a full second mock right away. If your issue is concentrated in two domains, drill those domains first, then take another mixed review set. If your issue is timing or concentration, take another full-length session under realistic conditions. The goal of weak spot analysis is not to prove that you studied. It is to increase the probability that your next answer choice is correct when the wording is subtle and the clock is running.

Section 6.5: Final revision checklist for key Azure services, pricing, identity, and governance

Your final review should be concise, high-yield, and focused on distinctions the exam repeatedly tests. Do not attempt to relearn Azure from scratch in the last session. Instead, run through a structured checklist that reinforces business purpose, common traps, and service identity. This approach is especially effective for AZ-900 because the exam is broad and rewards clean concept recognition more than deep implementation detail.

Start with pricing and cloud economics. Be ready to identify consumption-based pricing, the shift from capital expenditure to operational expenditure, and the reason organizations value flexibility. Then review cloud concepts such as shared responsibility, public versus private versus hybrid cloud, and the difference between scalability, elasticity, availability, reliability, and disaster recovery. These are foundational and frequently used in straightforward but easy-to-rush questions.

Move next to key Azure services and architecture. Confirm that you can define regions, availability zones, resource groups, subscriptions, and management groups without hesitation. Review the basic purpose of virtual machines, containers, virtual networks, VPN, ExpressRoute, Blob Storage, Microsoft Entra ID, and core database options. At this stage, do not memorize every feature. Focus on the “best fit” use case for each service family.

Identity and governance deserve one last pass. Know that Microsoft Entra ID is the identity service used for authentication and access-related scenarios. Know that RBAC controls permissions, Azure Policy enforces standards, and resource locks prevent accidental changes. Review Cost Management, Azure Monitor, and the Service Trust Portal so you can identify which one applies to spending analysis, operational insight, or compliance documentation.

  • Can I explain shared responsibility across IaaS, PaaS, and SaaS?
  • Can I distinguish regions from availability zones?
  • Can I distinguish subscriptions from resource groups and management groups?
  • Can I identify when to use VM, container, VNet, VPN, or ExpressRoute?
  • Can I identify Blob Storage, Entra ID, and core database categories by purpose?
  • Can I separate RBAC, Policy, locks, Cost Management, Monitor, and Service Trust Portal?

Exam Tip: If you feel overloaded during final revision, reduce everything to “requirement to service” matching. AZ-900 questions are often solved by identifying the business requirement first and then selecting the Azure concept that most directly satisfies it.

Use this checklist as your last confidence builder. If you can move through these topics smoothly and explain each one in plain language, you are in strong shape for the exam.

Section 6.6: Exam-day time management, confidence tactics, and next-step certification roadmap

On exam day, fundamentals candidates usually do not fail because the content is impossible. They fail because they rush, second-guess, or let one unfamiliar phrase disrupt the rest of the exam. Your strategy should be simple: read carefully, identify the tested concept, eliminate mismatched answers, and move on. Do not spend excessive time trying to force certainty on a single item. AZ-900 is a breadth exam, and preserving momentum matters.

Before you begin, settle your logistics. Confirm identification requirements, testing environment rules, internet stability if remote, and check-in timing. Have a calm start. Once the exam begins, use a two-pass method. On the first pass, answer straightforward items immediately. For any question where two choices seem plausible, choose the best current answer, mark it mentally for review if the platform allows, and continue. This prevents time drain and protects confidence.

Confidence tactics matter more than many candidates realize. If you encounter an unfamiliar service name in an answer choice, do not panic. Ask what the prompt is really testing. On AZ-900, one or more answers can often be rejected because they belong to the wrong category altogether. For example, a governance requirement should not be solved by a storage service, and an identity requirement should not be solved by a networking service. Broad category awareness can rescue you even when recall is imperfect.

Exam Tip: Avoid changing answers unless you can clearly articulate why your new choice better matches the requirement. First instincts are often correct when they are based on concept recognition rather than guesswork.

In your final minutes, review marked items for wording traps such as “best,” “most appropriate,” “prevent,” “enforce,” or “monitor.” These words often determine which of two seemingly valid choices is superior. Stay alert for absolute language in distractors. At the fundamentals level, the best answer is typically the most precisely aligned, not the most technically elaborate.

After passing AZ-900, think strategically about your next step. If you are headed toward administration, AZ-104 is a common next certification. If you are interested in security, identity, or compliance, consider a security-focused path. If your role leans toward data or AI, choose the fundamentals or associate exam that aligns with those tracks. AZ-900 is not the end goal; it is your platform for future specialization. Finish this chapter, complete your final review, and go into the exam ready to demonstrate disciplined fundamentals knowledge with professional confidence.

Chapter milestones
  • Mock Exam Part 1
  • Mock Exam Part 2
  • Weak Spot Analysis
  • Exam Day Checklist
Chapter quiz

1. A company is reviewing a mock AZ-900 exam. One missed question asks for the Azure feature that controls who can create, modify, or delete resources in a subscription. Which Azure feature should the candidate have selected?

Correct answer: Role-based access control (RBAC)
RBAC is correct because it controls which users, groups, or identities can perform actions on Azure resources. Azure Policy is used to enforce organizational standards and evaluate compliance, not to grant permissions. Resource locks help prevent accidental deletion or modification, but they do not assign permissions to users. This aligns with the AZ-900 governance domain, which tests the distinction between access control, compliance enforcement, and resource protection.

2. A practice exam scenario states: "A business wants to reduce upfront capital expenses and pay only for the compute resources it uses each month." Which cloud concept is being tested most directly?

Correct answer: Operational expenditure (OpEx)
OpEx is correct because cloud services commonly use consumption-based pricing, allowing organizations to avoid large upfront capital purchases. High availability is about minimizing downtime, and geographic redundancy is about replicating data across regions for resilience. Neither of those addresses the cost model described. AZ-900 frequently tests whether candidates can map business language about reducing upfront cost to the cloud financial model.

3. During weak spot analysis, a candidate notices repeated mistakes on questions about enforcing company standards across Azure resources. The company wants to ensure that only specific VM sizes can be deployed. Which Azure service should be used?

Correct answer: Azure Policy
Azure Policy is correct because it can enforce rules and standards across resources, such as restricting allowed VM SKUs or required tags. Microsoft Entra ID provides identity and authentication services, not resource standard enforcement. Azure Monitor is used for collecting and analyzing telemetry, metrics, and logs, not for preventing noncompliant deployments. This is a common AZ-900 distinction within management and governance objectives.

4. A candidate reads an exam question too quickly and confuses scalability with elasticity. Which statement correctly describes elasticity in Azure?

Correct answer: The ability to automatically add or remove resources in response to demand
Elasticity is correct because it refers to dynamically adjusting resources up or down as demand changes. Increasing resources for long-term growth is more closely associated with scalability. Recovering workloads after a regional outage relates to disaster recovery, not elasticity. AZ-900 often tests these closely related concepts using similar wording, so recognizing the exact business objective is important.

5. A final review checklist includes this reminder: "If the requirement is to prevent accidental deletion of a resource, do not choose the service that manages permissions or compliance." Which Azure feature best meets that requirement?

Correct answer: Resource locks
Resource locks are correct because they can prevent deletion or modification of Azure resources, helping protect against accidental changes. RBAC controls who is allowed to perform actions, but a permitted user could still delete a resource unless a lock exists. Azure Policy can enforce standards and audit compliance, but it is not the primary feature for blocking accidental deletion of an existing resource. This reflects a frequent AZ-900 exam pattern: distinguishing protection mechanisms from permission and compliance tools.