AZ-900 Practice Test Bank: 200+ Questions with Detailed Answers

AI Certification Exam Prep — Beginner

Master AZ-900 with 200+ exam-style questions, explanations, and mock exams.

Beginner az-900 · microsoft · azure-fundamentals · cloud-concepts

Prepare for Microsoft AZ-900 with confidence

This course is a focused, beginner-friendly practice-test blueprint designed to help you pass the Microsoft AZ-900: Azure Fundamentals exam. If you’re new to certifications but have basic IT literacy, you’ll build the right vocabulary, learn how Microsoft phrases questions, and practice the decision-making skills that the exam rewards. The goal is simple: help you recognize what each question is really asking, eliminate distractors, and choose the best Azure answer quickly and consistently.

Aligned to the official AZ-900 exam domains

The curriculum is structured to match the official Microsoft exam objectives and their three domains:

  • Describe cloud concepts
  • Describe Azure architecture and services
  • Describe Azure management and governance

Chapters 2–5 go domain-by-domain with clear explanations and exam-style practice sets, while Chapter 6 consolidates everything into a full mock exam experience. Every practice area is written to reinforce core definitions (what a service is), selection logic (when to use it), and common exam traps (what sounds right but is not the best fit).

How this 6-chapter course is organized

Chapter 1 sets you up for success by explaining the exam experience end-to-end: registration, scoring, question formats, and a realistic study strategy. You’ll learn how to pace yourself, how to handle multi-select questions, and how to use practice tests to improve rather than simply “check answers.”

Chapters 2–5 cover the AZ-900 domains in depth. You’ll revisit the fundamentals of cloud computing (benefits, service models, deployment models, and shared responsibility), then build into Azure’s core architecture concepts (subscriptions, regions, availability, resource groups, ARM). Next you’ll sharpen your understanding of Azure services (compute, networking, storage) before finishing with management and governance (tools, monitoring, identity, access, policy, locks, and cost concepts). Each chapter includes an exam-style practice focus designed to make you faster and more accurate.

Chapter 6 is your capstone: a full mock exam split into two parts to simulate real testing conditions and prevent fatigue. You’ll finish with weak-spot analysis to turn your results into a targeted review plan, plus an exam-day checklist to reduce stress and avoid preventable mistakes.

Why this test bank helps you pass

  • Objective-first coverage: Topics map directly to “Describe cloud concepts,” “Describe Azure architecture and services,” and “Describe Azure management and governance.”
  • Exam-style reasoning: Practice emphasizes keywords, scenario cues, and “best answer” selection.
  • Beginner-friendly ramp: Clear explanations assume no prior certification experience.
  • Mock exam + diagnostics: You get a final run-through that mirrors the real experience and reveals weak domains.

This blueprint is designed to help you walk into the AZ-900 exam knowing what to expect, how to think, and how to score.

What You Will Learn

  • Describe cloud concepts: cloud computing models, benefits, and shared responsibility
  • Describe Azure architecture and services: core Azure components, compute, networking, and storage options
  • Describe Azure architecture and services: identity, security, and core management tools used across Azure
  • Describe Azure management and governance: cost management, pricing concepts, and support plans
  • Describe Azure management and governance: governance features like RBAC, policies, resource locks, and compliance
  • Apply exam-style reasoning to AZ-900 scenarios using detailed answer explanations and objective mapping

Requirements

  • Basic IT literacy (networking, servers, and web concepts at a high level)
  • No prior Microsoft certification experience required
  • A computer with internet access to take practice tests and review explanations
  • Optional: an Azure free account for hands-on exploration (not required)

Chapter 1: AZ-900 Exam Orientation and Study Strategy

  • Understand the AZ-900 exam format and objective map
  • Registration, scheduling, and test-day rules (online vs test center)
  • Scoring, question types, and time management strategy
  • Build your 14-day study plan and practice-test routine

Chapter 2: Describe Cloud Concepts (Domain Deep Dive + Practice)

  • Cloud principles: elasticity, scalability, availability, and resiliency
  • Cloud service types and shared responsibility (IaaS/PaaS/SaaS)
  • Cloud deployment models and hybrid scenarios
  • Practice set: cloud concepts (exam-style questions + rationales)

Chapter 3: Describe Azure Architecture (Core Concepts + Practice)

  • Azure subscriptions, management groups, and resource organization
  • Regions, region pairs, availability zones, and resiliency design
  • Resource Manager basics: resources, resource groups, templates
  • Practice set: architecture and core Azure constructs

Chapter 4: Describe Azure Services (Compute, Networking, Storage + Practice)

  • Compute choices: VMs, containers, App Service, and serverless
  • Networking basics: VNets, DNS, VPN, ExpressRoute, and load balancing
  • Storage services: Blob, Files, Queues, Disks, and redundancy options
  • Practice set: core services selection scenarios

Chapter 5: Describe Azure Management and Governance (Tools, Security, Cost + Practice)

  • Management tools: Portal, Cloud Shell, CLI, PowerShell, and ARM/Bicep concepts
  • Identity and access: Entra ID, RBAC, and authentication basics
  • Governance and compliance: Policy, locks, Blueprints (conceptual), and service trust
  • Practice set: governance, cost, and operational questions

Chapter 6: Full Mock Exam and Final Review

  • Mock Exam Part 1
  • Mock Exam Part 2
  • Weak Spot Analysis
  • Exam Day Checklist

Jordan McAllister

Microsoft Certified Trainer (MCT) | Azure Fundamentals Specialist

Jordan McAllister is a Microsoft Certified Trainer who helps beginners build confidence for Microsoft certification exams through clear explanations and exam-style practice. He has supported learners across Azure Fundamentals and role-based Azure tracks with a focus on scoring strategies and objective-by-objective mastery.

Chapter 1: AZ-900 Exam Orientation and Study Strategy

AZ-900 (Microsoft Azure Fundamentals) is designed to verify that you can reason about cloud concepts and basic Azure capabilities—not that you can deploy complex architectures from memory. This chapter sets your baseline: what the exam validates, how it is structured, what you should expect on test day, and how to build a two-week routine that turns practice questions into reliable exam performance.

Your goal in an exam-prep course is not “knowing everything about Azure.” Your goal is recognizing what the exam is asking, mapping the prompt to an objective domain, eliminating distractors, and selecting the best option under time pressure. Throughout this chapter, you’ll see how to translate exam objectives into a practical study workflow, including how to use a practice test bank effectively.

Exam Tip: AZ-900 is a fundamentals exam, but the traps are real: Microsoft often tests definitions (IaaS vs PaaS vs SaaS), scope boundaries (subscription vs resource group vs resource), and responsibility (what Microsoft manages vs what you manage). The fastest way to lose points is to answer based on “what you’ve heard” instead of the exact terms the objective map uses.

Practice note for Understand the AZ-900 exam format and objective map: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Registration, scheduling, and test-day rules (online vs test center): document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Scoring, question types, and time management strategy: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Build your 14-day study plan and practice-test routine: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 1.1: What AZ-900 validates and who it’s for

AZ-900 validates foundational literacy: cloud computing concepts, core Azure services, basic security/identity, and management/governance. It is intentionally broad and shallow. You are not expected to memorize every SKU or implement production-ready solutions, but you are expected to identify the correct service category and the correct principle (for example, “shared responsibility,” “consumption-based pricing,” or “least privilege”).

This exam is a fit for non-technical roles (project managers, sales, procurement), early-career IT staff, and technical professionals who need a common vocabulary for Azure. For candidates with deep Azure experience, AZ-900 can still be valuable as a credential and as a foundation for role-based paths (Administrator, Developer, Security, Data, AI). The exam typically rewards clear thinking over hands-on depth, but you should still understand how services are positioned and why you would choose one option over another.

Exam Tip: Treat the exam as “decision-making with definitions.” When a question describes a scenario, your job is to identify what category it belongs to (compute, networking, storage, identity, governance) and then choose the option that best matches that category’s purpose. Avoid overengineering: the “most advanced” service is not always the right answer for a fundamentals question.

Common trap: confusing what a service is with what it does. For example, students mix up Azure Advisor (recommendations) with Azure Policy (enforcement) or RBAC (authorization) with authentication (sign-in). On AZ-900, those distinctions matter more than configuration details.

Section 1.2: Exam domains overview: cloud concepts; architecture and services; management and governance

The AZ-900 objective map clusters into three big buckets you should constantly reference while practicing: (1) Cloud concepts, (2) Azure architecture and services, and (3) Azure management and governance. A winning strategy is to tag every practice question you miss to one of these domains, then drill that domain until the mistake stops repeating.

Cloud concepts includes cloud computing models (public/private/hybrid), shared responsibility, and service models (IaaS/PaaS/SaaS). The exam frequently checks whether you can identify what you manage vs what Microsoft manages. Example thinking pattern: if you choose IaaS, you manage more (OS, runtime, patching); if you choose SaaS, Microsoft manages more (application). Benefits like high availability, scalability, elasticity, and agility are also tested—but often via “which benefit explains this scenario?” prompts.

Azure architecture and services focuses on core components and common services. Expect basics of regions/region pairs, availability zones, subscriptions/resource groups/resources, plus service families: compute (VMs, App Service, containers), networking (VNets, VPN gateways, peering, load balancing concepts), and storage (Blob vs Files vs Queues vs Disks, plus redundancy options at a high level). The exam likes “choose the most appropriate service” questions that require you to match requirements (e.g., object storage vs file share vs messaging).

Management and governance emphasizes cost management (pricing factors, calculators, budgets), support plans, and governance tools: RBAC, Azure Policy, resource locks, and compliance concepts. Many candidates underestimate this domain and lose easy points. Learn the intent: RBAC controls who can do what; Policy controls what can be deployed; Locks prevent accidental deletion/modification; Blueprints (if referenced) package governance settings.

Exam Tip: When two answers look plausible, ask: “Is this about identity and permissions (RBAC) or about enforcing standards (Policy)?” That single fork eliminates a large percentage of distractors in fundamentals questions.

Section 1.3: How to register and schedule with Microsoft and Pearson VUE

Registration begins in your Microsoft Certification profile. From the exam page for AZ-900, you’ll schedule through Pearson VUE, selecting either an online proctored exam or a test center appointment. Ensure your legal name matches your identification; mismatches are a preventable test-day failure that has nothing to do with your Azure knowledge.

For online proctoring, plan for a strict check-in process: you may be asked to show your ID, take photos of your testing area, and remain on camera throughout the exam. Your desk must be clear, and you should not use additional monitors or reference materials. For test centers, you’ll follow their security procedures (lockers, check-in, photo). In both modes, you are agreeing to exam integrity rules—violations can result in termination and invalidation of results.

Exam Tip: If you choose online delivery, run Pearson VUE’s system test days in advance on the exact device and network you’ll use. Most “technical issues” on exam day are avoidable: unstable Wi‑Fi, corporate VPNs, and restrictive firewalls are common causes of check-in failures.

Scheduling strategy: choose a time when you are reliably alert, not “squeezing it in.” For many candidates, mornings reduce fatigue-based errors. Also leave buffer time: don’t schedule immediately before work meetings or travel. Exam stress spikes when you feel rushed, and rushed candidates misread key qualifiers such as “most cost-effective,” “highest availability,” or “minimize administrative effort.”

Section 1.4: Question formats: MCQ, multi-select, matching, caselets, and “choose all that apply”

AZ-900 uses several question formats, and your approach should adapt to each. Traditional multiple-choice (single answer) is straightforward, but many misses come from not reading the last line of the prompt (for example, “What should you use?” vs “What benefit does this describe?”). Build a habit: read the question stem first, then the scenario, then return to the stem before selecting.

Multi-select and “choose all that apply” require a different mindset: you’re not hunting for one best answer; you’re validating each option against the requirement. The trap is assuming there must be a fixed number of correct answers. Instead, treat each option as true/false relative to the scenario. Matching questions test whether you can map terms to definitions (e.g., service model to responsibility, storage type to use case). These are high ROI: precise memorization pays off.

Caselets (short scenarios with several questions) reward consistency. The same facts apply across multiple prompts, so take a moment to identify the core constraints (identity requirements, availability needs, cost constraints, governance needs). If you misinterpret one key detail, you can miss several questions in a row.

Exam Tip: Watch for qualifiers: “minimize cost,” “minimize management,” “high availability,” “global users,” “data residency.” These words map directly to exam objectives (pricing concepts, shared responsibility, regions/availability zones, governance). Underline them mentally and use them to eliminate choices.

Time management: do not overinvest in a single tricky item. Fundamentals exams often include questions that are intended to be quick if you know the definition. If you’re stuck, pick the best remaining option, flag mentally, and keep moving—momentum matters. Many candidates run out of time not because the exam is long, but because they debate a few items for too long.

Section 1.5: Scoring, passing, retakes, and accommodation basics

Microsoft exams are scored on a scaled score (commonly reported on a 1–1000 scale), with a published passing threshold for many fundamentals exams. The key takeaway is that not all questions necessarily contribute equally, and the exam may include unscored items used for future validation. Your job is to aim for consistent competency across domains rather than trying to predict the scoring mechanics.

After the exam, you typically receive a score report with performance by objective area. Use it diagnostically: if you underperform in management and governance, you should adjust your practice routine to include more questions on RBAC vs Policy vs locks, pricing factors, and support plans. This is a common blind spot because candidates over-focus on “cool services” and under-study governance and cost.

Retake policies can change over time, but generally there are waiting periods and limits. Plan as if you will pass on the first attempt: schedule when your practice results are stable, not when you have “seen all the content once.” Stability means you can explain why an answer is correct and why the distractors are wrong.

Accommodations: if you need exam accommodations (for example, extra time), you must request them in advance and follow the official process. Do not wait until the week of the exam. Accommodation approval timelines vary, and last-minute requests can force a reschedule.

Exam Tip: A strong readiness indicator is not just high practice scores—it’s low variance. If one day you score 90% and the next day 65%, you’re relying on familiarity instead of understanding. AZ-900 punishes shallow pattern matching when wording changes.

Section 1.6: Study workflow: notes, labs (optional), and how to use this test bank

Your 14-day plan should be a loop: learn → practice → review → refine. Use short daily sessions to prevent burnout and to encourage retention. A practical structure is: (1) 20–30 minutes reading/learning the objective, (2) 25–40 minutes of targeted practice questions, (3) 15 minutes reviewing explanations and updating notes. Repeat daily, and take a longer mixed-domain practice set every few days to simulate exam switching costs.

Notes should be decision notes, not encyclopedia notes. For each objective, capture: definition, when to use it, and the common confusion pair. Example entries: “RBAC = who can do what (authorization) at scope; Policy = what can be deployed (enforcement).” Or “Blob = object storage; Files = SMB/NFS shares; Queues = messaging.” These are the exact comparisons AZ-900 likes to test.

Labs are optional for AZ-900, but light hands-on can make abstract terms concrete. If you do labs, keep them small: create a resource group, explore the portal, view Cost Management, inspect IAM (RBAC) roles, and observe where Policy and locks appear. The exam won’t ask you to click through the portal, but hands-on experience reduces confusion and improves recall.

How to use this 200+ question test bank: don’t “grind for score.” Do two passes. Pass 1 is diagnostic: take sets by domain and tag every miss to an objective. Pass 2 is mastery: redo only missed and “guessed” questions until you can explain each choice. For every explanation, force yourself to articulate the objective mapping: cloud concepts vs architecture/services vs management/governance. That mapping skill is what transfers to new questions you haven’t seen.

Exam Tip: Treat every incorrect answer as a pattern to eliminate. Write down the trap you fell for (e.g., “confused Advisor with Policy,” “picked availability zone when question wanted region pair,” “assumed PaaS means zero responsibility”). The exam repeats these traps with new wording, and your notes should inoculate you against them.

Finally, build test-day habits during practice: timebox your sets, minimize distractions, and practice reading the stem first. Your knowledge and your process both determine your score—and AZ-900 is the ideal exam to prove you can do both.

Chapter milestones
  • Understand the AZ-900 exam format and objective map
  • Registration, scheduling, and test-day rules (online vs test center)
  • Scoring, question types, and time management strategy
  • Build your 14-day study plan and practice-test routine

Chapter quiz

1. You are starting your AZ-900 preparation. You want to study efficiently by mapping each practice question back to the official exam objective domains. Which approach best aligns to how AZ-900 is designed to be tested?

Correct answer: Classify each question by the objective it targets and practice eliminating distractors based on the exact definition in the objective map
AZ-900 is a fundamentals exam that emphasizes reasoning about cloud concepts and basic Azure capabilities using the objective map and precise definitions. Option A matches the chapter’s recommended workflow: map prompts to objectives and eliminate distractors based on exact terms. Option B is less aligned because AZ-900 does not primarily test detailed deployment steps. Option C is incorrect because advanced architecture design is beyond AZ-900’s scope.

2. A candidate is worried about “trick questions” on AZ-900 and asks what typically causes lost points. Based on common AZ-900 traps, which study focus is most likely to prevent avoidable mistakes?

Correct answer: Practice distinguishing scope boundaries (subscription vs resource group vs resource) and shared responsibility (Microsoft-managed vs customer-managed tasks)
AZ-900 frequently tests definitions, scope boundaries, and responsibility demarcation; confusing these is a common cause of incorrect answers. Option A directly targets these exam-style traps. Option B is more advanced and not required at fundamentals level. Option C is not an objective-driven approach and relies on volatile facts rather than tested concepts.

3. You are building a 14-day AZ-900 study plan using a practice-test bank. Which routine most closely reflects an exam-oriented strategy for improving performance under time pressure?

Correct answer: Take timed quizzes, review every missed item, tag each by objective domain, and redo weak areas until you can consistently eliminate distractors quickly
Option A matches the chapter’s emphasis: translate objectives into a workflow, use practice tests to identify weak domains, and build speed/accuracy under time constraints. Option B is ineffective because it removes the key skill of interpreting exam-style prompts and distractors. Option C is risky because a single late test provides little opportunity to remediate weak areas or improve time management.

4. During a practice session, you notice you often choose answers based on what you have “heard” rather than the precise wording Microsoft uses (for example, IaaS vs PaaS vs SaaS). What is the best corrective action for AZ-900-style questions?

Correct answer: Anchor your choices to the official definitions and responsibilities for each service model and verify each option against those definitions
AZ-900 commonly tests exact definitions and who is responsible for what in IaaS/PaaS/SaaS. Option A is correct because it forces you to evaluate each distractor against objective-aligned definitions. Option B is incorrect because “most capable” is not a reliable rule and distractors often include overpowered services. Option C is incorrect because the exam is not just memorizing names; it tests conceptual understanding and correct classification.

5. A company is deciding whether employees should take AZ-900 online or at a test center. The training lead asks what candidates should prepare for regardless of delivery method. Which expectation is most consistent with certification exam test-day rules and strategies?

Correct answer: Expect strict exam-day procedures and plan to manage time across mixed question types rather than spending too long on any single item
Certification exams enforce strict procedures (online proctoring or test center rules) and success depends on time management across question types. Option A aligns with the chapter’s focus on test-day expectations and pacing. Option B is incorrect because closed-book rules apply; external resources are not generally permitted. Option C is incorrect because leaving questions blank sacrifices potential points; candidates should use strategy (eliminate distractors, make best choice) rather than omit.

Chapter 2: Describe Cloud Concepts (Domain Deep Dive + Practice)

This chapter targets the AZ-900 objective area “Describe cloud concepts,” which is heavily tested because it underpins nearly every later decision on compute, networking, storage, identity, and governance. Expect the exam to present short scenarios and ask you to choose the concept that best explains a design choice (for example, why elasticity matters during seasonal demand, or why PaaS reduces operational overhead). Your job is to recognize the keyword signals, map them to the correct model (service type or deployment type), and avoid distractors that sound “cloud-like” but don’t match the scenario.

As you study, focus on four recurring conceptual clusters the exam repeatedly probes: (1) benefits and tradeoffs (agility, cost, global reach, security considerations), (2) economics (CapEx vs OpEx and consumption), (3) responsibility boundaries (IaaS/PaaS/SaaS and shared responsibility), and (4) core principles (scalability, elasticity, availability, resiliency). In practice questions, Microsoft often hides the answer in one or two business requirements (for example, “no server management,” “data must remain on-prem,” or “handle unpredictable traffic”).

You’ll see the terms scalability and elasticity used interchangeably by candidates, but the exam expects precision. Scalability is the ability to increase capacity to meet demand (scale up/out), while elasticity is the ability to automatically add/remove resources in response to demand fluctuations. Availability is the ability of a service to be operational when needed (often expressed as an SLA percentage), and resiliency is the ability to recover from failures and continue operating. The test frequently links these to architecture choices (regions, availability zones, load balancing, backups) even in “cloud concepts” questions, so keep them mentally connected.

Practice note for Cloud principles: elasticity, scalability, availability, and resiliency: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Cloud service types and shared responsibility (IaaS/PaaS/SaaS): document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Cloud deployment models and hybrid scenarios: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Practice set: cloud concepts (exam-style questions + rationales): document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 2.1: Cloud computing benefits: agility, cost, global reach, and security considerations

AZ-900 commonly frames cloud benefits as business outcomes. Agility is your ability to provision resources quickly (minutes instead of weeks), experiment safely, and iterate faster. In exam scenarios, look for phrases like “rapidly deploy,” “short time-to-market,” or “dev/test environments” to signal agility. Global reach refers to using a provider’s worldwide regions to place apps near users, reduce latency, and meet data residency needs. When you see “customers worldwide,” “low latency,” or “expand to new geographies,” think regions and global scale.

Cost benefits are not just “cheaper.” Cloud shifts spend from up-front purchases to pay-as-you-go, and enables right-sizing (pay for what you need) and scaling down during off-hours. Exam Tip: If the scenario mentions “unpredictable demand” or “seasonal spikes,” the best benefit is often elasticity (a cost and performance benefit), not simply “lower cost.”

Security considerations are a frequent trap. The cloud can improve security by offering built-in security tooling, standardized controls, and dedicated security operations, but it does not eliminate customer responsibility. The exam tests whether you can separate “the cloud is secure” from “you must configure security.” If the scenario says “we want Microsoft to manage more security tasks,” the likely correct direction is moving toward PaaS/SaaS (and using native security services), not assuming security is automatic.

  • Agility: rapid provisioning, faster experimentation
  • Global reach: deploy near users via regions; improve performance and compliance options
  • Security: shared responsibility; cloud provides tools and controls, you configure and govern

Availability and resiliency appear here as “business continuity.” High availability minimizes downtime (often via redundancy across zones/regions), and resiliency emphasizes recovery and continued operation after failures. A common distractor is selecting “scalability” when the question is really about “staying online during failures.” Watch for words like “fault tolerant,” “disaster recovery,” “failover,” and “service interruption.”

Section 2.2: CapEx vs OpEx and consumption-based models

CapEx (capital expenditure) is up-front spending on physical infrastructure: servers, storage arrays, networking gear, and datacenter space. OpEx (operational expenditure) is ongoing spending as you consume services: monthly cloud bills, support subscriptions, and operational costs. The exam expects you to associate cloud with OpEx and on-premises buildouts with CapEx, while recognizing there can be hybrid mixes. If the scenario emphasizes “avoid large up-front investment” or “shift to monthly spending,” the answer is typically OpEx and consumption-based pricing.

Consumption-based models mean you pay for what you use (for example, compute hours, storage GB-months, egress bandwidth). This supports cost optimization through right-sizing, autoscaling, and turning off non-production resources. Exam Tip: When you see “pay only when it runs” or “scale down at night,” the exam is pointing you toward consumption and elasticity; do not pick “fixed cost” or “reserved capacity” unless the scenario explicitly mentions steady, predictable workload and long-term commitment.

Common traps include confusing “reserved instances” (discount for commitment) with “consumption-based” (metered usage). Both exist in Azure. Another trap is assuming OpEx automatically lowers total cost. The cloud can reduce waste, but poor governance can increase spend (overprovisioning, leaving resources running, data egress surprises). The exam may include a requirement like “minimize cost fluctuations” or “predictable monthly spend,” which can hint at reservations or budgeting controls rather than pure pay-as-you-go.

  • CapEx: buy hardware up front; depreciate over time
  • OpEx: pay as you go; operational monthly/usage-based costs
  • Consumption: metered billing; optimize by scaling and shutdown

Link economics to operational behavior: elasticity and autoscaling help align cost to demand, while governance (budgets, alerts, tagging) helps control OpEx variability. Even though governance tools are a later domain, AZ-900 questions often blend them with pricing concepts to test holistic reasoning.

Section 2.3: Cloud service models: IaaS vs PaaS vs SaaS (and common examples)

The exam’s most reliable pattern is: the more you move from IaaS to PaaS to SaaS, the more the provider manages, and the less you manage. In IaaS (Infrastructure as a Service), you rent compute, storage, and networking, but you still manage the operating system, patches, and most configuration. In PaaS (Platform as a Service), you deploy applications without managing the underlying OS and runtime infrastructure. In SaaS (Software as a Service), you use a complete application delivered over the internet; your focus is configuration, users, and data governance.

To identify the correct model, look for management keywords. “Need full control of OS,” “custom drivers,” or “lift-and-shift VM” suggests IaaS. “Developer wants to deploy code, no server patching” suggests PaaS. “Use email/CRM without managing infrastructure” suggests SaaS. Exam Tip: If a question says “the team wants to avoid maintaining servers,” do not pick IaaS just because it’s in the cloud—VMs still require OS patching and configuration.

  • IaaS examples: Azure Virtual Machines; virtual networks; managed disks
  • PaaS examples: Azure App Service; Azure SQL Database; Azure Functions
  • SaaS examples: Microsoft 365; Dynamics 365

Elasticity and scalability show up differently across models. IaaS can scale, but you often configure scaling mechanisms yourself. PaaS typically offers simpler scaling controls and more built-in resiliency options. SaaS generally abstracts scaling from you entirely. A common distractor is picking PaaS when the scenario requires installing legacy software that only runs on a specific OS configuration—this is an IaaS signal.

Remember: service models are about “who manages what,” not about where the service runs. You can run IaaS in public cloud, private cloud, or as part of a hybrid approach, but the responsibility boundary remains the defining characteristic.

Section 2.4: Shared responsibility model and what Microsoft vs customer manages

The shared responsibility model is a core AZ-900 concept and a frequent source of wrong answers. The provider (Microsoft) is always responsible for security “of” the cloud: physical datacenters, physical network, physical hosts, and the foundational services. The customer is always responsible for security “in” the cloud: data, identities, access, and configuration. Where the line sits depends on the service model.

In IaaS, customers manage the OS, patches, network controls (like NSGs), and application security. In PaaS, Microsoft manages more of the platform (OS, runtime, and often patching), while customers still manage application logic, data classification, and access. In SaaS, Microsoft manages the application and platform, but customers still manage user access, data governance, and tenant configuration. Exam Tip: “Microsoft is responsible for all security” is almost never correct. Even in SaaS, you must manage identity, MFA/conditional access choices, and data sharing controls.

  • Always Microsoft: physical security, datacenter facilities, core infrastructure
  • Always customer: data, identities, access permissions, endpoint/user behavior
  • Varies by model: OS patching, runtime, middleware, application hosting stack

Common exam traps include confusing encryption features with responsibility. Microsoft may provide encryption capabilities (at rest/in transit), but you may be responsible for enabling them, managing keys (depending on the offering), and ensuring correct access policies. Another trap is mistaking “managed service” for “no responsibilities.” Managed does not mean “hands-off”; it means fewer tasks, not zero tasks.

When answering shared responsibility questions, force yourself to classify the service as IaaS/PaaS/SaaS first, then ask: “Is this physical infrastructure, platform layer, or customer-controlled configuration/data?” That simple two-step method prevents most mistakes.

Section 2.5: Cloud deployment models: public, private, hybrid, and multicloud

Deployment models answer “where does it run and who owns the infrastructure?” Public cloud means services are delivered over the internet on shared provider infrastructure (with strong logical isolation). Private cloud means cloud-like principles on infrastructure dedicated to one organization, often on-premises or hosted. Hybrid cloud combines public and private, enabling data and workloads to move between them based on needs like latency, regulations, or legacy dependencies. Multicloud means using multiple cloud providers (for example, Azure plus AWS), typically for risk management, best-of-breed services, or contractual reasons.

Hybrid scenarios are common in AZ-900 questions: “keep sensitive data on-prem,” “migrate gradually,” “connect on-prem datacenter to Azure,” or “run some workloads locally for latency.” Those phrases point to hybrid. Exam Tip: Do not confuse hybrid with multicloud. Hybrid is about combining private/on-prem with public cloud; multicloud is about multiple public clouds.

  • Public cloud: fastest global reach and agility; shared infrastructure model
  • Private cloud: dedicated environment; more control, often more CapEx/management
  • Hybrid cloud: mix of on-prem/private and public; common for compliance/legacy
  • Multicloud: multiple providers; increases complexity and governance needs

Elasticity, availability, and resiliency differ by model. Public cloud generally offers the widest set of managed resiliency features (regions/zones) and rapid elasticity. Private cloud can be resilient, but you must build and pay for redundancy. Hybrid can improve resiliency (for example, failover to cloud), but can also introduce new dependency points (connectivity, identity integration) that must be managed.

Look for distractors that overstate guarantees. A public cloud deployment does not automatically meet every compliance requirement; it provides tooling and certifications, but you must choose the right configurations, regions, and controls.

Section 2.6: Cloud concepts practice bank: explanations, distractor logic, and common traps

In the practice bank for this domain, your goal is not only to select the right option but to explain why each wrong option is wrong. AZ-900 distractors are typically “near misses”: they are true statements about the cloud, but they do not match the scenario’s key constraint. Train yourself to underline the constraint (cost model, management level, location requirement, or reliability need) and map it to the right concept.

Expect scenario cues to cluster around these decision points: (1) unpredictable demand implies elasticity and consumption; (2) “no OS patching” implies PaaS/SaaS; (3) “must keep data on-prem” implies hybrid/private; (4) “stay online during failures” implies availability/resiliency rather than scaling. Exam Tip: If two answers seem plausible, choose the one that addresses the requirement with the least customer management—AZ-900 frequently rewards recognizing managed responsibility reductions.

  • Trap 1: Mixing up scalability vs elasticity. Scalability can be planned growth; elasticity is dynamic, often automatic.
  • Trap 2: Assuming public cloud equals “less secure.” The exam emphasizes shared responsibility and configurable security, not blanket insecurity.
  • Trap 3: Choosing IaaS for “in the cloud” needs. Many scenarios are actually testing “managed platform” benefits.
  • Trap 4: Confusing hybrid with multicloud. Hybrid includes on-prem/private; multicloud is multiple public providers.

When reviewing explanations, look for “tell words” that define the model. For service types, management scope is the tell: OS control (IaaS), deploy code without servers (PaaS), consume app (SaaS). For deployment models, location/ownership is the tell: provider-owned shared (public), dedicated (private), mix with on-prem (hybrid), multiple providers (multicloud). For economics, commitment and predictability are tells: up-front purchase (CapEx), pay-as-you-go (OpEx/consumption), stable workloads (reservations/commitments as a cost optimization strategy).

Finally, practice explaining availability and resiliency succinctly. Availability focuses on uptime targets and redundancy; resiliency focuses on recovery and continuity after failure. In explanations, tie them to outcomes: “minimize downtime” (availability) versus “recover quickly and keep operating” (resiliency). That phrasing mirrors how the exam writers often describe the same concepts in different words.

Chapter milestones
  • Cloud principles: elasticity, scalability, availability, and resiliency
  • Cloud service types and shared responsibility (IaaS/PaaS/SaaS)
  • Cloud deployment models and hybrid scenarios
  • Practice set: cloud concepts (exam-style questions + rationales)
Chapter quiz

1. A retail company runs an online store that experiences unpredictable traffic spikes during flash sales. The company wants the platform to automatically add and remove compute resources based on demand without manual intervention. Which cloud principle best describes this requirement?

Correct answer: Elasticity
Elasticity is the ability to automatically scale resources out/in (add/remove) in response to demand fluctuations. Scalability is about the ability to increase capacity (scale up/out) but does not inherently imply automatic adjustment. Availability refers to the service being operational (often expressed as an SLA) and does not address dynamic resource changes.

2. A company wants to deploy a web application but does not want to manage the underlying operating system, patching, or runtime updates. The developers want to focus only on application code and configuration. Which cloud service type should the company choose?

Correct answer: Platform as a Service (PaaS)
PaaS provides a managed platform where the provider handles OS, patching, and runtime maintenance while customers focus on code and app settings. IaaS would require the customer to manage the OS and many configuration tasks. SaaS is a complete application delivered by the provider; it generally does not allow deploying your own custom application code.

3. A financial services company must keep customer data in its on-premises datacenter due to regulatory requirements. However, it wants to use cloud-based analytics to process aggregated data and scale compute during peak periods. Which cloud deployment model best fits this scenario?

Correct answer: Hybrid cloud
Hybrid cloud combines on-premises resources with public cloud services, enabling data to remain on-prem while using cloud compute/services when needed. Public cloud alone does not satisfy the requirement to keep customer data on-prem. Private cloud may keep data on-prem but does not address using public cloud elasticity/scale for analytics workloads.

4. Your organization deploys a customer-facing application. The business requirement states that the application must continue operating even if a datacenter component fails, and it should be able to recover quickly from outages. Which cloud principle is being emphasized?

Correct answer: Resiliency
Resiliency is the ability to recover from failures and continue operating, aligning with rapid recovery and fault tolerance requirements. Availability is about being operational when needed (often measured by SLA) but does not explicitly address recovery behavior after failures. Scalability focuses on capacity growth to meet demand and is unrelated to failure recovery.

5. A company hosts virtual machines in Azure. The company is responsible for configuring the guest operating system, installing security updates, and maintaining the applications running on the VMs. Which shared responsibility model does this describe?

Correct answer: Infrastructure as a Service (IaaS)
In IaaS, the customer manages the guest OS, patches, and applications, while the cloud provider manages the physical infrastructure. In PaaS, the provider typically manages the OS and runtime, reducing customer responsibility for patching. In SaaS, the provider manages the application itself, and the customer mainly manages data, access, and configuration.

Chapter 3: Describe Azure Architecture (Core Concepts + Practice)

AZ-900 expects you to describe Azure’s architecture using the same mental model Microsoft uses: global infrastructure (where Azure runs), logical organization (how you group and govern what you deploy), and management tooling (how deployments are controlled). This chapter targets the exam objective “Describe Azure architecture and services: core Azure components” and prepares you for scenario-style prompts that test whether you can select the right construct (region vs zone, subscription vs resource group, ARM control plane vs data plane) based on a few keywords.

As you study, keep two habits: (1) translate every term into its “boundary” (fault boundary, billing boundary, governance boundary, deployment boundary), and (2) watch for trick choices that are true statements but answer the wrong boundary. You’ll see these traps repeatedly: mixing up regions and availability zones, assuming resource groups limit cost or permissions by default, and treating Azure Resource Manager (ARM) as the same thing as the service’s runtime/data access.

By the end of this chapter, you should be able to narrate the hierarchy (management group → subscription → resource group → resource) and connect it to resiliency choices (regions, region pairs, availability zones) and deployment concepts (ARM templates, idempotent deployments, control plane operations). Use the practice guidance in Section 3.6 to read questions like an exam coach: identify cues, map them to objectives, eliminate distractors, and validate the remaining answer by boundary-matching.

Practice note for Azure subscriptions, management groups, and resource organization: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Regions, region pairs, availability zones, and resiliency design: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Resource Manager basics: resources, resource groups, templates: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Practice set: architecture and core Azure constructs: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Sections in this chapter
Section 3.1: Azure global infrastructure: geographies, regions, and data residency basics

On AZ-900, “global infrastructure” questions are usually asking you to distinguish where workloads run and what Microsoft means by a region versus broader groupings. A region is a specific set of datacenters deployed within a latency-defined perimeter and connected via a dedicated regional low-latency network. Azure services are offered per region, and you typically choose a region when you create a resource (for example, a VM, storage account, or Azure SQL database).

Geographies are broader areas (for example, Europe, United States, Asia Pacific) that contain multiple regions. In exam scenarios, geographies matter most for data residency, compliance, and regulatory requirements—questions that say “data must remain in country/region” are testing whether you understand that you must select an appropriate region and sometimes an appropriate geography for replication.

Microsoft also uses regional groupings like “paired regions” (covered more in Section 3.2) that influence how platform-managed recovery and updates work. The exam may imply a requirement like “minimize latency for users in Japan” (choose a nearby region) versus “meet residency rules” (choose an allowed region/geography) versus “reduce risk of a single regional outage” (use multiple regions or zone redundancy).

Exam Tip: When the question mentions “data residency,” “compliance,” or “must remain within,” prioritize region/geography choices over performance. Latency optimization is a secondary requirement unless explicitly stated as the primary constraint.

  • Region = deployment location boundary for many resources.
  • Geography = compliance/residency grouping containing multiple regions.
  • Global services (e.g., some identity and management features) may be logically global, but resources you create still typically live in a specific region.

Common trap: selecting “availability zone” to satisfy “country-level data residency.” Zones are inside a region; residency questions are about region/geography selection, not intra-region datacenter separation.

Section 3.2: High availability concepts: availability zones, region pairs, and fault domains (conceptual)

AZ-900 tests high availability at a conceptual level: identify which option protects you from which type of failure. Availability zones are physically separate locations within a single Azure region, each with independent power, cooling, and networking. If a requirement says “within the same region” and “datacenter failure,” you are in availability zone territory. If the requirement says “regional outage,” you need a multi-region approach.

Region pairs are Microsoft-defined pairings of two regions within the same geography. Pairing supports strategies like prioritized recovery and coordinated platform updates designed to reduce simultaneous downtime. On the exam, region pairs often appear as a rationale for why you would select two specific regions for a disaster recovery design, especially when the prompt emphasizes “within the same geography” or “data residency.”

Fault domains are used most often in the context of VM availability sets (and related constructs) to describe groups of hardware that share a common power source and network switch. For AZ-900, you don’t need to design fault domain layouts, but you do need to know that fault domains are about hardware failure isolation within a datacenter, whereas availability zones are about datacenter-level isolation within a region.

Exam Tip: Map the outage described to the smallest boundary that solves it: hardware rack issue → fault domain; datacenter issue → availability zone; entire region issue → multi-region/paired region approach.

  • Availability zones: intra-region resiliency (datacenter separation).
  • Region pairs: inter-region resiliency (geography-aligned).
  • Fault domains: intra-datacenter hardware isolation (commonly via availability sets).

Common trap: assuming “zone redundant” always means “disaster recovery.” Zone redundancy improves availability inside one region; disaster recovery implies surviving a regional outage, which generally requires a second region and a replication/failover strategy.

Section 3.3: Azure subscriptions and billing boundaries; management groups overview

Subscriptions are a core exam topic because they define a practical boundary: billing, quota/limits, and often a boundary for management and access. In many AZ-900 scenarios, the “right” answer is the object that cleanly separates costs or enforces limits across teams. If a prompt says “separate billing for two departments,” a separate subscription is frequently the best fit.

Management groups sit above subscriptions and allow you to organize multiple subscriptions into a hierarchy for consistent governance. You can apply policies and role-based access control at the management group level so they inherit to subscriptions below. This is tested as a conceptual “scope” question: where do you apply something so it affects many subscriptions? The exam likes to contrast management groups with resource groups; resource groups can’t contain subscriptions, and subscriptions can’t be placed inside resource groups.

Exam Tip: When you see “multiple subscriptions” plus “standardize governance,” your default should be “management groups.” When you see “separate billing,” your default should be “subscriptions.”

  • Subscription: billing boundary; also a boundary for some service limits and administrative delegation.
  • Management group: governance hierarchy above subscriptions; policy/RBAC inheritance across many subscriptions.

Common trap: choosing “resource group” to separate billing. Resource groups help organize resources, but charges roll up at the subscription level. Another trap is thinking management groups are required for all tenants; they’re optional, but they are the correct construct when you need governance at scale.

Section 3.4: Resources and resource groups: lifecycle, tagging, and organization patterns

A resource is an individual service instance (VM, storage account, VNet, database). A resource group (RG) is a logical container for resources that share a common lifecycle, permissions model, or management intent. The “lifecycle” point is exam-relevant: deleting a resource group deletes the resources within it. Therefore, group together items that should be deployed, updated, and retired together—don’t group everything “by department” if the lifecycles differ dramatically.

Tags are key-value metadata you can apply to resources (and often to resource groups) to support organization, cost management, and operations. The exam commonly uses tags as the solution to “track costs by project,” “identify environment,” or “report by owner.” This is a classic “don’t over-engineer” topic: you may not need multiple subscriptions just to report costs; tags can be the simplest answer.

Exam Tip: If the requirement is “organize” or “report,” think “tags.” If the requirement is “delete together” or “manage together,” think “resource group.” If it’s “separate billing/limits,” think “subscription.”

  • Organization patterns: by application (app + dependencies), by environment (dev/test/prod), or a hybrid using tags.
  • Scope reminders: RGs live inside subscriptions; resources live inside RGs.

Common trap: assuming a resource group must be in the same region as its resources. The resource group has a location (for metadata), but resources can be in different regions; the exam may test that the RG is a logical construct, not a physical boundary like a region.

Section 3.5: Azure Resource Manager (ARM): control plane vs data plane and deployment concepts

Azure Resource Manager (ARM) is the management layer for Azure. AZ-900 often frames ARM as “the service you use to create, update, and delete resources,” and it’s where templates and consistent governance are applied. The most important exam concept here is control plane vs data plane. The control plane is management operations (deploy a VM, configure a setting, assign a role, apply a policy). The data plane is using the service itself (connect to a database, read blobs, publish to a queue). Many security and access questions are really “which plane are we talking about?”

ARM templates (JSON) and newer Bicep templates represent “infrastructure as code.” The exam doesn’t require syntax, but it does test the concept: templates enable repeatable, consistent deployments, and they are idempotent—deploying the same template multiple times should converge to the same desired state.

Exam Tip: If the prompt is about “deploy the same environment repeatedly,” “standardize deployments,” or “reduce configuration drift,” your reasoning should lead to ARM templates/Bicep and the control plane. If it’s about reading/writing actual business data, you’re in the data plane.

  • ARM scope: management group, subscription, resource group, resource.
  • Consistent management: RBAC, policies, tags, and locks are applied through the control plane.

Common trap: treating “access to Azure” as one permission. A user might have control-plane rights to manage a storage account but still lack data-plane rights to read blobs (or vice versa), depending on roles and how access is granted.
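
The trap above, together with the management group inheritance from Section 3.3, as an added example that is not part of the course material: a simplified Python model of how a role assignment is evaluated per plane and per scope. The role names, role contents, principals and scope identifiers are constructed placeholders, and the matching logic is an assumption-level simplification of Azure RBAC that ignores deny assignments and conditions.

```python
"""Simplified model of Azure RBAC evaluation (constructed for illustration).

Shows scope inheritance (management group -> subscription -> resource group
-> resource) and the split between control-plane permissions (actions) and
data-plane permissions (dataActions).
"""
from fnmatch import fnmatchcase

# Hypothetical custom roles. The four field names are those of real Azure role
# definitions; the role names and their contents are made up for this example.
ROLES = {
    "account-manager": {
        "actions": ["Microsoft.Storage/storageAccounts/*"],
        # Account keys authorize data requests, so listing them is carved out.
        "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
        "dataActions": [],
        "notDataActions": [],
    },
    "blob-reader": {
        "actions": [],
        "notActions": [],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        ],
        "notDataActions": [],
    },
}

# Placeholder hierarchy and assignments (all identifiers are constructed).
MG = "/providers/Microsoft.Management/managementGroups/mg-corp"
SUB = "/subscriptions/sub-finance"
RG = SUB + "/resourceGroups/rg-app"
RESOURCE_ID = RG + "/providers/Microsoft.Storage/storageAccounts/stexample"
SUBSCRIPTION_PARENT = {SUB: MG}  # which management group holds each subscription

ASSIGNMENTS = [  # (principal, role name, scope the role is assigned at)
    ("alice@example.com", "account-manager", MG),
    ("bob@example.com", "blob-reader", RG),
    ("carol@example.com", "blob-reader", "/subscriptions/sub-other"),
]

WRITE_ACCOUNT = "Microsoft.Storage/storageAccounts/write"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
READ_BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"


def scope_chain(resource_id):
    """Return every scope whose assignments are inherited by resource_id."""
    parts = resource_id.strip("/").split("/")
    sub = "/" + "/".join(parts[:2])
    chain = [resource_id]
    if len(parts) > 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))
    if sub != resource_id:
        chain.append(sub)
    if sub in SUBSCRIPTION_PARENT:
        chain.append(SUBSCRIPTION_PARENT[sub])
    return chain


def matches(patterns, operation):
    """Case-insensitive wildcard match of an operation against role patterns."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_permits(role, operation, plane):
    """Control-plane checks read actions/notActions; data-plane checks read
    dataActions/notDataActions. The two sets never substitute for each other."""
    if plane == "control":
        allow, exclude = role["actions"], role["notActions"]
    else:
        allow, exclude = role["dataActions"], role["notDataActions"]
    return matches(allow, operation) and not matches(exclude, operation)


def is_allowed(principal, operation, resource_id, plane):
    """True if any assignment at the resource or an ancestor scope permits it."""
    scopes = set(scope_chain(resource_id))
    return any(
        who == principal and scope in scopes
        and role_permits(ROLES[role_name], operation, plane)
        for who, role_name, scope in ASSIGNMENTS
    )


def access_summary(principal, resource_id=RESOURCE_ID):
    """Report what a principal can do on each plane for one storage account."""
    return {
        "manage_account": is_allowed(principal, WRITE_ACCOUNT, resource_id, "control"),
        "list_keys": is_allowed(principal, LIST_KEYS, resource_id, "control"),
        "read_blobs": is_allowed(principal, READ_BLOB, resource_id, "data"),
    }


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(user, access_summary(user))
```

The wildcard in the `account-manager` role would textually match the blob read operation, yet the data-plane check never consults `actions`, which is why managing an account and reading its data are granted separately.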

Section 3.6: Architecture practice bank: scenario cues, keyword mapping, and detailed rationales

This course includes extensive practice, and the fastest way to improve is to “keyword map” each scenario to the correct Azure construct. AZ-900 questions often provide only two or three meaningful cues; your job is to spot them and match them to the correct boundary. Build a reflex table in your head: billing/limits → subscription; inherit governance across subscriptions → management groups; deploy/manage together → resource groups; metadata for reporting → tags; regional outage → multi-region; datacenter outage in same region → availability zones.

When reviewing explanations, practice writing the rationale in one sentence: “The requirement is X; the boundary that solves X is Y; therefore choose Z.” This prevents a common exam mistake: selecting an answer that is factually correct but does not directly satisfy the requirement. For example, “resource groups can organize resources” is true, but it does not satisfy “separate billing” as cleanly as “subscriptions.”

Exam Tip: Eliminate options by boundary mismatch. If the problem is resiliency and an option is a governance feature (tags, locks), it’s almost certainly a distractor. If the problem is cost separation and an option is a resiliency feature (zones), it’s also likely a distractor.

  • Cue: “apply to all subscriptions” → Management group scope.
  • Cue: “chargeback/showback by project” → Tags and cost management reporting.
  • Cue: “recover from regional failure” → Second region (often within a region pair).
  • Cue: “repeatable deployment” → ARM templates/Bicep (control plane).

Finally, watch for mixed-requirement prompts that include both governance and architecture. The exam typically wants the primary requirement met first. If the prompt says “meet data residency requirements and enable high availability,” ensure your region choice satisfies residency first, then add zones or a paired region strategy depending on the failure type described.

Chapter milestones
  • Azure subscriptions, management groups, and resource organization
  • Regions, region pairs, availability zones, and resiliency design
  • Resource Manager basics: resources, resource groups, templates
  • Practice set: architecture and core Azure constructs

Chapter quiz

1. You need to apply a compliance policy to multiple Azure subscriptions used by different departments. The policy must be managed centrally and inherit to all included subscriptions. Which Azure construct should you use?

Correct answer: Management group
Management groups provide a governance boundary above subscriptions, allowing you to apply policies and role assignments across multiple subscriptions with inheritance. A resource group is a deployment/organization boundary within a single subscription and can’t contain subscriptions. A region pair is a resiliency concept for Azure datacenters and has nothing to do with governance scoping.

2. A customer requires that a virtual machine workload remain available if a single datacenter within an Azure region fails. The solution must keep the workload within the same Azure region. What should you use?

Correct answer: Availability zones
Availability zones provide fault isolation within a region by using physically separate datacenters, helping the workload survive a single datacenter failure while staying in the same region. Region pairs involve two different regions and are used for cross-region resiliency/disaster recovery, not single-datacenter failures within one region. Multiple subscriptions are a billing/governance boundary and do not provide workload high availability.

3. Your team wants to deploy identical environments (dev/test/prod) repeatedly with predictable results. The deployment should be declarative and support idempotent re-deployments. What Azure feature best meets this requirement?

Correct answer: Azure Resource Manager (ARM) templates
ARM templates are declarative infrastructure-as-code artifacts used by the ARM control plane and are designed for repeatable, idempotent deployments. Availability zones address resiliency, not deployment automation. Resource groups are containers for resources and can be deployment targets, but they are not the declarative mechanism that defines the environment configuration.

4. You are troubleshooting access to an Azure Storage account. A user can list and modify storage account settings in the Azure portal but cannot read blob data. Which statement best explains this?

Correct answer: The user has control plane permissions but not data plane permissions
Managing settings in the portal uses the ARM control plane (management operations), while reading blob data is a data plane operation requiring data access roles/keys (for example, Storage Blob Data Reader). Region selection is unrelated to authorization for reading data. Moving the storage account to another resource group does not inherently grant data access; resource groups are organizational/deployment boundaries, not automatic permission fixes.

5. A company wants separate billing for two product teams, but still wants centralized governance and policy enforcement across both teams’ Azure usage. What should you implement?

Correct answer: Create two subscriptions under the same management group
Subscriptions are the primary billing boundary, so separate subscriptions support separate billing while a shared management group enables centralized governance (policy/RBAC inheritance) across both. Two resource groups in one subscription do not provide separate billing at the subscription level and are commonly used as organizational/deployment boundaries. Availability zones provide resiliency within a region and do not address billing or governance structure.

Chapter 4: Describe Azure Services (Compute, Networking, Storage + Practice)

AZ-900 expects you to recognize Azure services by “job to be done” and then choose the best-fit option quickly. This chapter targets the exam’s core Azure services objectives: compute choices (VMs, containers, App Service, serverless), networking fundamentals (VNets, DNS, VPN, ExpressRoute, load balancing), and storage services (Blob, Files, Queues, Disks, redundancy). You are not being tested on deep configuration; you are being tested on correct classification (IaaS vs PaaS vs serverless), primary use cases, and the most common constraints (stateful vs stateless, public vs private connectivity, and performance/availability trade-offs).

As you study, practice two skills the exam rewards: (1) map keywords in the scenario to the correct service category, and (2) eliminate distractors that are “nearby” services but wrong for one critical reason (for example, choosing a load balancer when the question clearly needs Layer 7 routing).

Exam Tip: When two options both sound plausible, look for the one that best matches the management model in the scenario: “manage OS” usually implies IaaS VM, “deploy code” implies PaaS (App Service), and “event-driven” implies serverless (Functions).

Practice note for Compute choices: VMs, containers, App Service, and serverless: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Networking basics: VNets, DNS, VPN, ExpressRoute, and load balancing: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Storage services: Blob, Files, Queues, Disks, and redundancy options: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Practice set: core services selection scenarios: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 4.1: Compute services: Azure Virtual Machines, VM Scale Sets, and Azure Virtual Desktop (conceptual)

Azure Virtual Machines (VMs) are the classic IaaS compute option: you provision a VM size, choose an image, attach disks, and you (the customer) are responsible for the guest OS configuration, patching choices, and installed software. On AZ-900, VMs appear when the scenario mentions specific OS-level requirements (custom agents, legacy apps, admin access, or full control). The exam also likes to test the shared responsibility boundary: Microsoft manages the physical hardware and hypervisor, but you manage what runs inside the VM.

VM Scale Sets (VMSS) extend VMs to a scalable set of identical instances. The key exam idea is “autoscale for many similar VMs.” If the prompt hints at variable demand, horizontal scaling, or needing multiple instances behind a load balancer, VMSS becomes the likely choice. You do not need to know detailed autoscale rules; you need to know that VMSS is about elasticity at the VM layer.

Azure Virtual Desktop (AVD) is a desktop and app virtualization service. Conceptually, AVD is about delivering Windows desktops/apps to end users, centrally managed, often to support remote work or bring-your-own-device access. AZ-900 typically tests recognition: if the need is “virtual desktops” or “remote apps,” pick AVD rather than spinning up a fleet of general VMs.

Exam Tip: Watch the word “lift-and-shift.” That usually points to VMs (or VMSS) because the app is moved with minimal refactoring. If the scenario instead says “avoid managing servers,” look for PaaS compute.

Common trap: Confusing VMSS with containers or Functions. VMSS still means you manage the OS image and patching strategy; it’s not serverless and not a container orchestrator.

Section 4.2: PaaS compute: App Service, Azure Functions, and container options (AKS vs ACI basics)

Azure App Service is a PaaS platform for hosting web apps, REST APIs, and mobile back ends. On the exam, App Service is the “deploy code and run a web app” answer. It reduces operational burden compared to VMs: you don’t manage the OS; you manage the application and configuration. App Service also commonly pairs with CI/CD and scaling features, but for AZ-900 the key is identifying it as managed web hosting.

Azure Functions is serverless compute for event-driven workloads. The scenario often contains triggers: HTTP requests, timers, queue messages, or blob events. The exam expects you to associate Functions with “run code when something happens,” short-lived tasks, and pay-per-execution patterns (conceptually). If you see “process when a file arrives” or “run on a schedule,” Functions is a strong match.

Containers show up as a middle ground: you package an app with dependencies into an image. Two services are frequently contrasted at a high level. Azure Kubernetes Service (AKS) is for orchestrating many containers with advanced requirements (scaling, rolling upgrades, service discovery). Azure Container Instances (ACI) is for running containers quickly without managing servers or clusters—often described as “serverless containers.” For AZ-900, pick AKS when the scenario mentions cluster management, microservices at scale, or Kubernetes; pick ACI when it’s a single container (or a small set) needing fast start and minimal orchestration.

Exam Tip: If the question mentions “Kubernetes,” don’t overthink it—AKS is the exam’s expected mapping. If it mentions “run a container without managing infrastructure,” ACI is usually the better fit.

Common trap: Choosing App Service for any application. App Service is great for web apps/APIs, but event-driven background processing tends to be Functions, and container portability requirements often point to AKS/ACI.

Section 4.3: Networking services: VNet, subnets, NSG basics, and Azure DNS overview

Azure Virtual Network (VNet) is the foundational private network in Azure. AZ-900 typically tests that VNets provide isolation and segmentation, and that resources (like VMs) can be deployed into a VNet to communicate privately. A VNet is divided into subnets, which are logical segments used to separate tiers (web, app, data) and apply different controls.

Network Security Groups (NSGs) are the exam’s go-to concept for controlling traffic at the network level. Think of NSGs as rule sets that allow/deny inbound and outbound traffic to a subnet or a network interface. You don’t need to memorize every port; you need to know that NSGs are the standard way to filter traffic within Azure networking.
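How an NSG reaches an allow/deny decision, as an added example (not course or Azure code): rules are processed in priority order, lowest number first, the first match wins, and Azure's three default inbound rules sit at the end. The VNet address space, custom rule names and flows are constructed; service tags are simplified to fixed prefixes and destination matching is left out.

```python
import ipaddress
from dataclasses import dataclass

# Simplified service tags (assumption): the real VirtualNetwork tag also covers
# peered and connected on-premises ranges. 10.0.0.0/16 is a constructed VNet.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],  # platform health-probe address
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules: 100-4096, lower number is evaluated first
    source: str     # CIDR prefix, "*" or a service tag
    port: str       # "*", "443" or a range such as "8000-8080"
    protocol: str   # "Tcp", "Udp" or "*"
    access: str     # "Allow" or "Deny"


# The default inbound rules present in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]


def source_matches(rule_source, src_ip):
    if rule_source == "*":
        return True
    prefixes = SERVICE_TAGS.get(rule_source, [rule_source])
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(prefix) for prefix in prefixes)


def port_matches(rule_port, dst_port):
    if rule_port == "*":
        return True
    low, _, high = rule_port.partition("-")
    return int(low) <= dst_port <= int(high or low)


def validate(custom_rules):
    """Custom priorities must be unique and inside the 100-4096 range."""
    seen = set()
    for rule in custom_rules:
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"{rule.name}: priority {rule.priority} outside 100-4096")
        if rule.priority in seen:
            raise ValueError(f"{rule.name}: duplicate priority {rule.priority}")
        seen.add(rule.priority)


def evaluate_inbound(custom_rules, src_ip, dst_port, protocol):
    """Return (access, rule_name) for the first rule matching the flow."""
    validate(custom_rules)
    ordered = sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority)
    for rule in ordered:
        if (source_matches(rule.source, src_ip)
                and port_matches(rule.port, dst_port)
                and rule.protocol.lower() in ("*", protocol.lower())):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# Constructed rules for a web-tier subnet.
WEB_SUBNET_RULES = [
    Rule("Allow-HTTPS-Internet", 100, "*", "443", "Tcp", "Allow"),
    Rule("Allow-SSH-From-Mgmt", 110, "10.0.9.0/24", "22", "Tcp", "Allow"),
]
# Same rules plus an explicit deny that overrides the default AllowVnetInBound.
SEGMENTED_RULES = WEB_SUBNET_RULES + [
    Rule("Deny-Other-VNet-Inbound", 4000, "VirtualNetwork", "*", "*", "Deny"),
]

if __name__ == "__main__":
    flows = [  # constructed flows: (source IP, destination port, protocol)
        ("203.0.113.5", 443, "Tcp"),
        ("203.0.113.5", 22, "Tcp"),
        ("10.0.9.4", 22, "Tcp"),
        ("10.0.2.7", 1433, "Tcp"),
    ]
    for label, rules in (("web", WEB_SUBNET_RULES), ("segmented", SEGMENTED_RULES)):
        for flow in flows:
            print(label, flow, evaluate_inbound(rules, *flow))
```

The last flow shows why subnets alone do not segment tiers: traffic from another subnet in the same VNet is allowed by the default rule until a lower-numbered deny is added.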

Azure DNS is a hosting service for DNS domains. On AZ-900, the key is recognizing that Azure DNS hosts DNS records and helps direct clients to resources using domain names. It is not a CDN, not a load balancer, and not a VPN. If the prompt is about managing DNS zones/records with Azure, Azure DNS is your pick.

Exam Tip: When the scenario includes “private IPs,” “isolation,” or “segmentation,” start with VNet/subnets. When it includes “allow only these ports” or “restrict inbound,” think NSG.

Common trap: Confusing NSGs with firewalls or DDoS protection. NSGs are basic packet filtering rules; Azure Firewall is a separate managed firewall service (often a distractor). Also, don’t confuse Azure DNS (hosting DNS) with “DNS resolution inside a VNet” wording; the question may simply want the Azure DNS service for zones.

Section 4.4: Connectivity and traffic distribution: VPN Gateway, ExpressRoute, Load Balancer, and Application Gateway

AZ-900 often frames hybrid connectivity as a decision between VPN Gateway and ExpressRoute. VPN Gateway provides encrypted tunnels over the public internet to connect on-premises networks to Azure VNets (site-to-site) or individual clients (point-to-site). ExpressRoute provides private connectivity between on-premises and Microsoft’s network via a connectivity provider, typically offering more consistent performance and not traversing the public internet.

Traffic distribution is another common exam theme. Azure Load Balancer is a Layer 4 (TCP/UDP) load balancer. It’s about distributing network traffic across VMs and improving availability for services that don’t need application-aware routing decisions. Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer designed for web traffic and can make decisions based on URL paths or host headers. On AZ-900, the big test is recognizing L4 vs L7 intent.

Exam Tip: Look for clues: “private dedicated connection” and “more reliable than internet” usually indicate ExpressRoute. “Encrypted tunnel over the internet” indicates VPN Gateway. For load balancing, “web app routing,” “HTTP,” or “path-based routing” indicates Application Gateway; “TCP distribution” indicates Load Balancer.

Common trap: Selecting ExpressRoute because it “sounds more enterprise.” The exam will typically include cost/complexity hints; if the requirement can be met over the internet with encryption, VPN Gateway is the expected answer. Another trap is choosing Application Gateway for any load balancing; if the question is not about HTTP/HTTPS behavior, Load Balancer is often the intended service.

Section 4.5: Storage services: Blob/Files/Queues/Tables, managed disks, and storage tiers

Azure Storage is tested heavily because it maps cleanly to different data patterns. Blob Storage is for object storage: unstructured data such as images, video, backups, and log files. Azure Files is managed file shares, often used when applications need SMB-accessible shared storage without running a file server VM. Queues provide simple message storage to decouple components (store-and-forward). Tables (in the classic storage sense) provide a NoSQL key-value style store for semi-structured data; on AZ-900, it’s enough to recognize it as non-relational storage within Azure Storage.

Managed disks are storage volumes used by Azure VMs. If the scenario mentions OS disks, data disks, or VM durability, managed disks are the correct concept. The exam may test that disks are for VMs (block storage), while blobs/files are general storage services for apps and users.

Storage tiers show up as a cost/performance trade-off. Common tiers include Hot (frequent access), Cool (infrequent access with lower storage cost), and Archive (rare access with retrieval considerations). You’re not expected to know exact pricing—only the intent: colder tiers reduce cost for infrequently accessed data.

Exam Tip: Match the “shape” of data: objects → Blob, shared file system → Files, asynchronous processing/decoupling → Queues, VM volumes → Disks. Then apply tiers when the scenario emphasizes “rarely accessed” vs “frequently accessed.”

Common trap: Picking Azure Files for general storage because it “sounds like files.” If the scenario is about storing app blobs (images, backups) accessed via HTTP/SDK, Blob Storage is typically the best fit. Another trap is assuming Archive is good for any large data; it is best when access is rare and retrieval latency/cost trade-offs are acceptable.

Section 4.6: Services practice bank: “best fit” questions with trade-offs and elimination strategy

This chapter’s practice mindset is “best fit,” not “possible.” Many Azure services can solve the same problem, but AZ-900 rewards the most direct mapping to the requirement with the fewest extra assumptions. Train yourself to underline requirement keywords: management preference (manage OS vs managed platform), protocol layer (TCP vs HTTP), connectivity type (internet VPN vs private circuit), and data pattern (object vs file share vs message queue).

A reliable elimination strategy is to classify each answer option by category first. If the scenario describes hosting a web API without server management, options that are clearly IaaS (VMs) become less likely. If the scenario emphasizes event triggers and short executions, eliminate long-running hosted app services in favor of Functions. If the prompt calls for private hybrid connectivity with predictable performance, eliminate VPN-only answers and favor ExpressRoute.

Exam Tip: When stuck between two compute answers, ask: “Do I need OS-level control?” If yes, VMs/VMSS. If no, App Service/Functions/ACI/AKS. Then ask: “Is it web-hosting, event-driven, or container orchestration?” and narrow to the most specific fit.

Common trap: Over-selecting advanced services. For example, choosing AKS when ACI meets the requirement, or choosing Application Gateway when basic Load Balancer is sufficient. The exam frequently includes distractors that are “more powerful,” but not “most appropriate.”

Finally, remember that the exam often embeds governance and responsibility hints even in core services questions. If the scenario mentions patching, OS hardening, or antivirus inside the guest, it’s signaling IaaS responsibility. If it emphasizes rapid scaling with minimal administration, it’s signaling PaaS/serverless. Build the habit of explaining your choice in one sentence tied directly to the requirement; that skill transfers immediately to exam-day reasoning.

Chapter milestones
  • Compute choices: VMs, containers, App Service, and serverless
  • Networking basics: VNets, DNS, VPN, ExpressRoute, and load balancing
  • Storage services: Blob, Files, Queues, Disks, and redundancy options
  • Practice set: core services selection scenarios

Chapter quiz

1. A company wants to migrate a legacy line-of-business application to Azure. The application requires full control of the operating system and the ability to install custom drivers. Which Azure compute service should you recommend?

Correct answer: Azure Virtual Machines
Azure Virtual Machines (IaaS) are designed for scenarios where you manage the guest OS and need full administrative control (including drivers). Azure App Service is PaaS for deploying web apps/APIs without managing the OS, so you cannot install custom drivers. Azure Functions is serverless and event-driven, and is not intended for hosting OS-dependent legacy applications.

2. A development team needs to run a stateless microservice that can be packaged as a container image. They want fast startup and minimal host management overhead. Which compute option best fits?

Correct answer: Azure Container Instances (ACI)
Azure Container Instances is optimized for running containers without managing servers or orchestration, with quick provisioning and minimal overhead. Azure Functions is serverless, but in the AZ-900 context it maps to event-driven code execution rather than to a continuously running containerized microservice. Azure Virtual Machines require managing the OS and are a heavier management model than needed for a simple stateless container workload.

3. A company needs a private, dedicated connection from its on-premises datacenter to Azure. The connection must not traverse the public internet. Which service should you use?

Correct answer: Azure ExpressRoute
Azure ExpressRoute provides a private connection to Azure through a connectivity provider and does not use the public internet. Azure VPN Gateway uses encrypted tunnels over the public internet, which does not meet the requirement. Azure DNS hosts DNS zones and records; it does not provide private connectivity between on-premises and Azure.

4. You deploy two instances of a web application in Azure. You need to distribute incoming HTTP/HTTPS requests based on the URL path (for example, /images and /api) to different backend pools. Which service should you use?

Correct answer: Azure Application Gateway
Azure Application Gateway provides Layer 7 load balancing features such as HTTP/HTTPS routing and path-based routing. Azure Load Balancer is Layer 4 (TCP/UDP) and cannot make routing decisions based on URL paths. A VNet provides network isolation and connectivity within Azure, but it does not perform request load balancing or URL-based routing.

5. A company needs to store millions of images and videos that will be accessed via HTTP/HTTPS. The solution should be optimized for unstructured object data. Which Azure Storage service should you use?

Correct answer: Azure Blob Storage
Azure Blob Storage is intended for unstructured object data such as images and videos and is commonly accessed over HTTP/HTTPS. Azure Files provides SMB/NFS managed file shares and is suited to lift-and-shift file share scenarios, not object storage. Azure Queue Storage is for message queuing between components and is not designed for storing and serving media objects.

Chapter 5: Describe Azure Management and Governance (Tools, Security, Cost + Practice)

This chapter maps to the AZ-900 objective area “Describe Azure management and governance.” The exam expects you to recognize what each management tool does, how Azure enforces identity and access, how governance prevents misconfiguration, and how cost controls work at a practical, scenario-recognition level. You are not being tested on deep command syntax, but you are expected to choose the right tool or control when a scenario mentions requirements like “audit,” “enforce,” “prevent deletion,” “track spend,” or “grant least privilege.”

A reliable exam approach is to sort the scenario into one of three buckets: operate (create/configure resources), govern (set guardrails and compliance), or optimize (control cost and support). Then match the bucket to the Azure service: operate with Portal/CLI/PowerShell/ARM/Bicep, govern with RBAC/Policy/Locks/Tags, optimize with Cost Management, budgets, calculators, and support plans. Throughout this chapter, you’ll see common traps where Microsoft uses similar terms (for example, “authentication” vs “authorization,” or “monitoring” vs “service health”) to test conceptual clarity.

Practice note for Management tools: Portal, Cloud Shell, CLI, PowerShell, and ARM/Bicep concepts: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Identity and access: Entra ID, RBAC, and authentication basics: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Governance and compliance: Policy, locks, Blueprints (conceptual), and service trust: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Practice set: governance, cost, and operational questions: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Section 5.1: Management tools overview: Azure Portal, mobile app, Cloud Shell, Azure CLI, and PowerShell

AZ-900 frequently checks whether you can select the correct management surface for a given task. The Azure Portal is the browser-based GUI used to create, configure, and manage most Azure resources. The Azure mobile app is a lightweight companion for quick status checks and basic actions (think: view dashboards, restart a VM, respond to alerts), not for heavy configuration workflows.

Azure Cloud Shell is an in-portal (and standalone) shell environment that gives you an authenticated command line without installing tools locally. It supports both Bash (Azure CLI) and PowerShell. Cloud Shell uses an Azure Storage account for persistence, which is a subtle but testable detail: it’s “ready-to-run,” but it isn’t “no dependencies at all.”

Azure CLI and Azure PowerShell are the two primary scripting interfaces. CLI is cross-platform and uses a consistent command style; PowerShell integrates naturally with PowerShell object piping and is often preferred by admins in Windows-heavy environments. On the exam, either can be a correct “automation” answer—unless the question hints at a specific environment or scripting preference.

Finally, understand ARM templates and Bicep conceptually. ARM is Azure’s native infrastructure-as-code deployment engine; templates are JSON. Bicep is a higher-level, more readable language that compiles to ARM template JSON. The exam tests the idea of repeatable, declarative deployments (idempotent, consistent) rather than the exact syntax.

  • Exam Tip: If the scenario says “deploy the same resources consistently across environments,” choose ARM/Bicep (declarative IaC), not Portal click-ops.
  • Common trap: “Cloud Shell” is not the same as “Azure CLI.” Cloud Shell is the hosted environment; CLI is the tool you run inside it (or locally).

Section 5.2: Monitoring basics: Azure Monitor, alerts, Log Analytics, and Service Health concepts

Monitoring questions often hinge on distinguishing “what happened inside my resource” from “what’s happening to Azure itself.” Azure Monitor is the umbrella service for collecting and analyzing telemetry: metrics (near real-time numerical data) and logs (richer event data). If you see performance counters, CPU percentage, or requests per second, that points to metrics. If you see queries, investigations, or “search across events,” that points to logs.

Log Analytics is the log data store and query experience, typically via a Log Analytics workspace. While AZ-900 does not test KQL mastery, it does test that logs are queried and correlated there. Alerts are the action layer: trigger notifications or automation when a metric crosses a threshold or a log query matches a condition. If the scenario mentions “email when CPU > 80% for 5 minutes,” think metric alert; if it mentions “alert when failed sign-ins exceed X,” think log-based alert.

Service Health is about Azure platform status: outages, planned maintenance, and health advisories that may affect your subscriptions and regions. This is not the same as resource-level monitoring. Service Health helps answer: “Is Azure having an incident that impacts my service?” not “Is my VM misconfigured?”

  • Exam Tip: “Planned maintenance” and “service incident” language usually maps to Service Health. “Resource performance” language maps to Azure Monitor.
  • Common trap: Choosing Service Health for a VM CPU spike. CPU spike is your workload telemetry (Azure Monitor), not a platform outage.

To identify correct answers quickly, underline the data type (metric vs log) and the scope (your resource vs Azure platform). That single step eliminates many distractors.
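
The two alert rules named in this section, one metric-based and one log-based, evaluated over constructed telemetry. This is an added illustration, not Azure Monitor's implementation or code from the course; the record fields (`time`, `user`, `result`), the 5-minute window logic and the sample data are assumptions.

```python
"""Teaching model: a metric alert and a log alert over constructed data.

Azure Monitor evaluates alert rules as a managed service; the window
logic and record fields here are assumptions made for the example.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
NOW = datetime(2024, 1, 1, 12, 5, 0)        # constructed evaluation time

# Constructed metric samples: (timestamp, CPU percentage), one per minute.
CPU_SAMPLES = [(NOW - timedelta(minutes=m), v) for m, v in
               [(6, 40.0), (4, 85.0), (3, 90.0), (2, 88.0), (1, 79.0), (0, 92.0)]]

# Constructed sign-in events, one JSON record per line.
SIGNIN_LINES = [
    '{"time": "2024-01-01T11:58:00", "user": "alice@example.com", "result": "failure"}',
    '{"time": "2024-01-01T12:01:10", "user": "alice@example.com", "result": "failure"}',
    '{"time": "2024-01-01T12:02:00", "user": "alice@example.com", "result": "failure"}',
    '{"time": "2024-01-01T12:02:30", "user": "bob@example.com", "result": "failure"}',
    '{"time": "2024-01-01T12:03:30", "user": "alice@example.com", "result": "failure"}',
    '{"time": "2024-01-01T12:04:45", "user": "alice@example.com", "result": "failure"}',
    '{"time": "2024-01-01T12:04:50", "user": "alice@example.com", "result": "success"}',
]


def metric_alert(samples, threshold, now=NOW, window=WINDOW):
    """Metric rule: aggregate numeric samples in the window, compare to threshold."""
    values = [v for ts, v in samples if now - window < ts <= now]
    if not values:
        return False, None           # no data points in the window
    average = sum(values) / len(values)
    return average > threshold, average


def log_alert(lines, limit, now=NOW, window=WINDOW):
    """Log rule: query event records, count failures per user, compare to limit."""
    failures = Counter()
    for line in lines:
        record = json.loads(line)
        ts = datetime.fromisoformat(record["time"])
        if now - window < ts <= now and record["result"] == "failure":
            failures[record["user"]] += 1
    return {user: n for user, n in failures.items() if n > limit}


if __name__ == "__main__":
    print("CPU > 80% over 5 minutes:", metric_alert(CPU_SAMPLES, 80.0))
    print("Users over 3 failed sign-ins:", log_alert(SIGNIN_LINES, 3))
```

The metric rule fires on the window average even though one sample sits below the threshold, while the log rule has to read and filter individual event records before it can count anything.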

Section 5.3: Identity fundamentals: Microsoft Entra ID, authentication vs authorization, and MFA concepts

Identity is a core AZ-900 theme because management and governance are impossible without controlling who can sign in and what they can do. Microsoft Entra ID (formerly Azure Active Directory) is Azure’s cloud identity provider used for users, groups, app registrations, and sign-in policies. Many Azure services rely on Entra ID for sign-in, including the Azure Portal.

The exam repeatedly tests the difference between authentication and authorization. Authentication answers “who are you?” (verifying identity via password, certificate, token). Authorization answers “what are you allowed to do?” (permissions like Reader, Contributor). If a scenario says “validate the user’s identity,” it’s authentication. If it says “allow the user to delete resources,” it’s authorization (and typically RBAC).

Multi-Factor Authentication (MFA) strengthens authentication by requiring two or more verification methods (something you know, have, or are). AZ-900 expects you to understand MFA as a security control that reduces account compromise risk, especially for privileged roles. MFA is not an authorization mechanism; it doesn’t grant permissions, it strengthens the sign-in process.

  • Exam Tip: If the question mentions “sign-in,” “credentials,” “verify,” or “second factor,” think authentication/MFA. If it mentions “permissions,” “access to resources,” or “least privilege,” think authorization/RBAC.
  • Common trap: Picking MFA to “restrict access to a resource.” MFA can restrict sign-ins, but it does not define what actions are permitted once signed in.

In scenario reasoning, separate identity provider (Entra ID) from access control (RBAC). The exam often places both in the options to see whether you can choose the right layer.

Section 5.4: Governance controls: RBAC, Azure Policy, resource locks, and tagging strategy

Governance is the set of guardrails that keeps teams compliant and consistent. In AZ-900, you must distinguish between controls that grant permissions and controls that enforce standards. Azure Role-Based Access Control (RBAC) is the authorization system used to assign built-in or custom roles to users, groups, and service principals at a scope (management group, subscription, resource group, resource). RBAC answers: “Who can do what at which scope?”

Azure Policy enforces rules on resources. It can deny creation of noncompliant resources, audit existing resources, or append/modify settings depending on the policy effect. If a scenario says “ensure only specific VM sizes can be deployed” or “deny public IPs,” that’s Policy, not RBAC. RBAC can’t prevent a permitted user from deploying a nonstandard configuration; Policy can.

Resource locks protect resources from accidental deletion or modification. Locks come in two conceptual levels: “CanNotDelete” (delete blocked) and “ReadOnly” (changes blocked). Locks are governance safety nets and override many accidental operations—even by users with high permissions—unless the lock is removed first. This is frequently tested in “prevent deletion” scenarios.

Tags are metadata key-value pairs used for organization, chargeback, reporting, and automation. Tags do not enforce security by themselves, but they are critical for cost allocation and governance reporting. A strong tagging strategy (e.g., CostCenter, Environment, Owner, DataClassification) helps answer “who pays” and “who owns” questions in enterprise scenarios.

  • Exam Tip: “Enforce/deny/audit configuration” => Azure Policy. “Grant least privilege access” => RBAC. “Prevent accidental deletion” => Resource lock. “Group costs/ownership” => Tags.
  • Common trap: Confusing Policy with RBAC. Policy is about resource properties; RBAC is about user actions.

Blueprints may appear conceptually as a way to package governance artifacts (policies, role assignments, templates) for repeatable environment setup. Even if not heavily emphasized in newer guidance, understand the idea: “a predefined set of governance and deployment settings for consistent environments.”
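
A simplified model of how RBAC, Azure Policy and resource locks each answer a different question about the same request. It is added here as an illustration and is not Azure's implementation or code from the course; the role action sets, principals, scope names and evaluation order are assumptions made for the example.

```python
"""Teaching model: how RBAC, Azure Policy and resource locks combine.

Not Azure's implementation. Role action sets, the single "allowed
locations" rule and the evaluation order are simplifying assumptions.
"""
from dataclasses import dataclass, field

# Simplified roles (assumption: real built-in roles list many more actions).
ROLES = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
    "Owner": {"read", "write", "delete", "assign_roles"},
}

# Constructed sample environment.
SUB = "/subscriptions/sub1"
PROD = SUB + "/resourceGroups/prod"
DEV = SUB + "/resourceGroups/dev"
ASSIGNMENTS = [            # (principal, role, scope)
    ("auditor", "Reader", SUB),
    ("dev-team", "Contributor", DEV),
    ("admin", "Owner", SUB),
]
ALLOWED_LOCATIONS = {"eastus", "westus"}   # Policy with a deny effect
LOCKS = [(PROD, "CanNotDelete")]           # (scope, level)


@dataclass
class Request:
    principal: str
    action: str                      # read | write | delete | assign_roles
    scope: str                       # resource ID the action targets
    properties: dict = field(default_factory=dict)


def covers(assigned_scope, target_scope):
    """A role or lock set at a parent scope is inherited by child scopes."""
    return (target_scope == assigned_scope
            or target_scope.startswith(assigned_scope + "/"))


def evaluate(req, assignments=ASSIGNMENTS, allowed=ALLOWED_LOCATIONS, locks=LOCKS):
    """Return (allowed, reason); each layer answers a different question."""
    # 1. RBAC: who can do what at which scope?
    granted = set()
    for principal, role, scope in assignments:
        if principal == req.principal and covers(scope, req.scope):
            granted |= ROLES[role]
    if req.action not in granted:
        return False, "RBAC: no role grants this action at this scope"

    # 2. Policy: is the resource configuration allowed? Applies to writes,
    #    whoever the caller is, even an Owner.
    if req.action == "write":
        location = req.properties.get("location")
        if location is not None and location not in allowed:
            return False, "Policy: deny, location not allowed"

    # 3. Locks: apply to every caller until the lock itself is removed.
    for lock_scope, level in locks:
        if not covers(lock_scope, req.scope):
            continue
        if level == "CanNotDelete" and req.action == "delete":
            return False, "Lock: CanNotDelete blocks deletion"
        if level == "ReadOnly" and req.action in {"write", "delete"}:
            return False, "Lock: ReadOnly blocks changes"
    return True, "allowed"


if __name__ == "__main__":
    for req in [
        Request("auditor", "write", DEV + "/vm1", {"location": "eastus"}),
        Request("admin", "write", DEV + "/vm2", {"location": "northeurope"}),
        Request("admin", "delete", PROD + "/sqldb"),
        Request("admin", "write", PROD + "/sqldb", {"location": "eastus"}),
    ]:
        print(req.principal, req.action, req.scope, "->", evaluate(req))
```

The Owner in the sample is stopped twice, once by Policy and once by the lock, which is the point of the section: holding a role does not bypass the other two controls.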

Section 5.5: Cost management: pricing factors, calculators, budgets, and support plans

Cost questions on AZ-900 focus on what drives price and which tools help you estimate and control it. Pricing is influenced by resource type (VM vs database), usage/consumption (hours, transactions, GB stored), region (prices vary), service tier (Standard vs Premium), and billing model (pay-as-you-go vs commitment options). The exam also likes “hidden” cost drivers: outbound data transfer, premium storage performance tiers, and running resources continuously.

For estimation, recognize the difference between the Pricing Calculator (estimate cost for specific Azure resources you plan to deploy) and the Total Cost of Ownership (TCO) Calculator (compare on-premises costs vs running in Azure). If the scenario is “we want to predict monthly spend for a new workload,” use Pricing Calculator. If it’s “should we migrate, and what would it cost compared to data center?” use TCO.

For ongoing control, Azure Cost Management provides cost analysis, chargeback views, and optimization recommendations. Budgets allow you to set thresholds and alerts (e.g., notify at 80% spend). Budgets do not automatically stop services by default; they primarily inform and trigger alerts/actions. This is a classic exam trap.

Know support plans at a high level (Basic vs paid tiers). Basic includes billing and subscription support; paid support adds technical support with faster response times and broader coverage. On AZ-900, you typically select a paid plan when the requirement mentions “technical support” or “architecture guidance” with response SLAs.

  • Exam Tip: “Estimate deployment cost” => Pricing Calculator. “Compare with on-prem” => TCO. “Set spend alerts” => Budgets/Cost Management.
  • Common trap: Budgets are not the same as “hard spending caps” that automatically shut down resources.

Section 5.6: Governance practice bank: compliance cues, least privilege, and cost-optimization scenarios

This section trains the exam skill of spotting cues and mapping them to the correct governance or cost control. AZ-900 items are often short, but they’re dense with keywords. When you read a scenario, ask three rapid questions: (1) Is this about who can act? (RBAC/Entra ID) (2) Is this about what configurations are allowed? (Policy/Blueprints concept) (3) Is this about preventing accidents or controlling spend? (Locks/Tags/Budgets/Cost Management)

Compliance cues include phrases like “must meet a standard,” “only approved regions,” “require encryption,” or “no public access.” These almost always map to Azure Policy because policy can audit or deny deployments that violate rules. If the scenario emphasizes reporting rather than enforcement, “audit” effects are commonly the right direction conceptually.

Least privilege cues include “developers should deploy but not manage access,” “auditors need read-only,” or “helpdesk can restart VMs but not delete them.” These map to RBAC role selection and scope choice. A typical trap is to grant permissions at subscription scope when resource group scope would satisfy the requirement with less risk.

Accidental change cues include “prevent deletion,” “protect production,” or “stop changes during a freeze.” These point to resource locks. The trap is choosing Policy for “prevent delete”—Policy governs resource properties, but locks are the direct deletion protection mechanism.

Cost-optimization cues include “track spend by department,” “notify when approaching monthly limit,” or “identify top cost drivers.” These map to tagging (allocation), budgets (threshold alerts), and cost analysis (visibility). If the scenario says “estimate before purchase,” that shifts back to calculators.

  • Exam Tip: When multiple answers seem plausible, pick the one that matches the required outcome: enforce (Policy), authorize (RBAC), protect (Locks), allocate (Tags), notify (Budgets/Alerts), estimate (Calculators).
  • Common trap: Using tags as if they enforce compliance. Tags help reporting and organization, but they don’t inherently stop a noncompliant deployment unless combined with Policy.

Mastering these cues is how you convert “memorized definitions” into reliable exam decisions. In practice, most correct answers are chosen by matching the key verb—deny, allow, prevent, track, estimate, alert—to the Azure feature designed for that verb.

Chapter milestones
  • Management tools: Portal, Cloud Shell, CLI, PowerShell, and ARM/Bicep concepts
  • Identity and access: Entra ID, RBAC, and authentication basics
  • Governance and compliance: Policy, locks, Blueprints (conceptual), and service trust
  • Practice set: governance, cost, and operational questions
Chapter quiz

1. You need to deploy the same set of Azure resources (a VNet, two subnets, and a storage account) repeatedly across multiple environments. You also want the deployments to be consistent and version-controlled. Which approach best meets the requirement?

Correct answer: Use Azure Resource Manager (ARM) templates or Bicep files
ARM templates/Bicep provide infrastructure-as-code for repeatable, consistent, and version-controlled deployments. The Azure portal is primarily an interactive management tool and manual creation is prone to drift and inconsistency. Microsoft Entra ID is for identity and access management, not for deploying infrastructure resources.

2. A team needs to run Azure management commands from a web browser without installing any local tools. The team also wants the environment to have authenticated access to Azure automatically. Which tool should you recommend?

Correct answer: Azure Cloud Shell
Azure Cloud Shell provides a browser-based shell with authenticated access to Azure and includes common tools (e.g., Azure CLI/PowerShell) without local installation. Local PowerShell requires installation and configuration on each machine. Azure Advisor provides recommendations, not an interactive command environment.

3. Your security team wants users to be able to view resource configurations in a subscription but not make any changes. You must follow the principle of least privilege. What should you use?

Correct answer: Azure RBAC role assignment (for example, Reader) scoped to the subscription
Azure RBAC is the authorization system used to grant least-privilege access (e.g., Reader) at the appropriate scope (subscription/resource group/resource). Azure Policy is for enforcing standards and evaluating compliance, not as the primary mechanism to grant user permissions. ReadOnly locks can prevent changes to resources but do not replace identity-based authorization and are operationally heavy if applied per resource.

4. A company wants to ensure that all new resources created in a subscription are deployed only in specific Azure regions. They want noncompliant deployments to be denied. Which Azure governance feature should they use?

Correct answer: Azure Policy
Azure Policy can enforce rules such as allowed locations and can apply a 'Deny' effect to prevent noncompliant deployments. Tags are metadata for organization and reporting; they do not enforce deployment restrictions by themselves. Microsoft Entra ID handles authentication and identity, not geographic deployment guardrails.

5. You have a critical production resource group and need to prevent accidental deletion of its resources, while still allowing authorized users to modify resource settings. What should you implement?

Correct answer: A Delete lock (CanNotDelete) on the resource group
A CanNotDelete lock prevents deletion of the resource group and its resources while still allowing updates (for users who have permissions). An Audit policy only reports noncompliance and does not block deletions. The Pricing Calculator is for estimating costs, not controlling or protecting resources.

Chapter 6: Full Mock Exam and Final Review

This chapter is where you turn knowledge into exam performance. AZ-900 is not trying to trick you with deep engineering details, but it will test whether you can recognize the “best fit” Azure service or governance control in a short scenario and whether you understand the boundaries of shared responsibility. The goal of the full mock exam is to rehearse: (1) reading for key constraints, (2) mapping to the correct domain objective, and (3) eliminating distractors that sound plausible but don’t match the requirement.

You’ll complete two mixed-domain mock exam parts, then run a weak-spot analysis that tells you exactly what to fix. Finally, you’ll use a tight cram sheet for the most-confused topics (identity vs access, policies vs RBAC, CapEx vs OpEx, IaaS vs PaaS vs SaaS) and finish with an exam-day checklist for pacing and accuracy. Treat this like a dress rehearsal: same time window, no notes, and realistic break discipline.

Practice note for Mock Exam Part 1: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Mock Exam Part 2: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Weak Spot Analysis: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Practice note for Exam Day Checklist: document your objective, define a measurable success check, and run a small experiment before scaling. Capture what changed, why it changed, and what you would test next. This discipline improves reliability and makes your learning transferable to future projects.

Sections in this chapter
Section 6.1: Mock exam instructions: timing, rules, and how to simulate the real test

Simulate the AZ-900 environment so your score reflects readiness, not comfort. Set a single uninterrupted session and use a countdown timer. Disable notifications, close extra tabs, and keep only your exam interface (or this mock) visible. Do not pause the clock for “quick lookups.” The exam tests recall and recognition under time pressure, so training with interruptions builds the wrong habit.

Use a two-pass approach. Pass 1: answer quickly, flag anything that requires more than 45–60 seconds of reasoning, and move on. Pass 2: return to flags, reread the stem, identify the objective area (cloud concepts, core services, security/identity/management, or governance/cost/support), then eliminate options that violate the requirement (e.g., “needs to control access” but the option is a compliance tool). Exam Tip: Most AZ-900 errors come from misreading the requirement: “authorization” vs “authentication,” “cost management” vs “billing,” “governance” vs “security.”

Rules for review: change an answer only if you can articulate a specific mismatch between the requirement and your original choice. Random switching typically reduces score. When you finish, record your time, your confidence level, and the top three terms you hesitated on—those become your remediation targets in Sections 6.4 and 6.5.

Section 6.2: Full mock exam Part 1 (mixed domains) with detailed answer rationales

Part 1 should feel like the real exam: mixed topics and short scenarios. Your job is to identify the tested concept quickly and match it to the correct Azure service or principle. Focus on the “why” behind correct answers—AZ-900 rewards conceptual clarity more than memorizing feature lists.

Rationale patterns you must be able to apply: (1) Shared responsibility boundaries (Microsoft handles physical security and hypervisor; you handle identity, data, and configuration), (2) Cloud models (IaaS gives you most control; SaaS gives you least), and (3) Core service families (compute, networking, storage, identity, governance). Exam Tip: If the requirement says “manage access,” think RBAC; if it says “enforce rules across resources,” think Azure Policy; if it says “prevent deletion,” think resource locks.

Common traps in Part 1: confusing Azure Advisor with Azure Policy. Advisor recommends best practices (cost, performance, reliability, security); it does not enforce. Another trap is conflating “availability” with “disaster recovery.” Availability Zones improve resiliency within a region; paired regions and replication strategies address regional failures. Also watch for mixing identity terms: Azure AD (Microsoft Entra ID) is for authentication and identity; RBAC is for authorization to Azure resources.

How to identify the best answer: underline constraints mentally—“needs encryption at rest,” “needs private connectivity,” “needs to estimate costs,” “needs to control who can start/stop VMs.” Then map: encryption at rest points to platform features like Storage Service Encryption; private connectivity points to VPN Gateway/ExpressRoute/Private Link (with Private Endpoints); cost estimation points to the Azure Pricing Calculator and TCO Calculator; resource actions point to RBAC roles. If two answers look viable, pick the one that directly satisfies the constraint with the least assumptions. For AZ-900, “native Azure governance/control” usually beats “build a custom process.”

Section 6.3: Full mock exam Part 2 (mixed domains) with detailed answer rationales

Part 2 continues the mixed-domain approach but typically exposes fatigue-based mistakes: rushing, skipping a keyword, or defaulting to a familiar service. The exam frequently tests “management plane” thinking—how you organize, monitor, and govern—rather than how you deploy. Treat each scenario as a classification problem: is it identity/security, governance, cost/support, or core architecture?

Rationales to master here include subscriptions vs resource groups: subscriptions are billing and access boundaries; resource groups are logical containers for lifecycle management. Another repeated objective is management tools: Azure Portal (GUI), Azure PowerShell and Azure CLI (automation), ARM templates/Bicep (infrastructure as code), and Azure Arc (manage hybrid/multi-cloud resources). Exam Tip: If the question emphasizes “consistent management across on-prem and cloud,” Arc is a top candidate; if it emphasizes “deploy the same environment repeatedly,” think ARM/Bicep.

Security and compliance traps show up often in late questions. “Who can sign in?” is identity; “what can they do?” is authorization/RBAC; “must meet regulatory requirements” often maps to Azure compliance offerings and Microsoft Trust Center documentation, not to a specific enforcement tool. “Protect against DDoS” points to Azure DDoS Protection (Basic/Standard), whereas “secure inbound/outbound traffic rules” maps to NSGs and Azure Firewall. Don’t confuse Key Vault (secrets/keys/certs) with Storage accounts (data) or with Defender for Cloud (security posture management and recommendations).

When uncertain, apply elimination: remove answers that are a different layer (e.g., using a monitoring tool to solve an access control requirement). Then choose the answer aligned to the exact verb: “estimate” (calculator), “monitor” (Azure Monitor), “recommend” (Advisor/Defender for Cloud), “enforce” (Policy), “assign permissions” (RBAC), “prevent deletion” (locks). This verb-matching strategy is one of the highest-yield exam behaviors.

Section 6.4: Score report review: domain-by-domain diagnostics and remediation plan

After both parts, build a domain-by-domain diagnostic. Do not only look at overall percentage—AZ-900 readiness is about consistent performance across objectives. Create four buckets aligned to the course outcomes: (1) Cloud concepts and shared responsibility, (2) Core Azure architecture/services (compute, networking, storage), (3) Identity/security/management tools, and (4) Governance/cost/support. For each missed item, write the “miss reason”: misunderstood definition, confused similar services, or misread requirement.

Then create a remediation plan with tight loops. For “definition gaps,” rewrite the term in your own words and produce one example and one non-example. For “confusable pairs,” build a comparison table (see Section 6.5) and practice identifying which keyword selects which service. For “misread requirement,” practice slowing down: reread the last line of the stem and restate the goal in one sentence before looking at options. Exam Tip: If your misses cluster around governance, you’re probably mixing RBAC, Policy, and locks; if they cluster around cost, you’re probably mixing Pricing Calculator, TCO, and Cost Management + Billing.

Prioritize fixes by frequency and exam weight. If you miss many identity/governance items, you can often gain points quickly because these topics are conceptually crisp once the boundaries are clear. Schedule a final retest: 30–40 mixed questions under timed conditions, but only after you’ve rewritten your weak concepts. Retesting without remediation just rehearses mistakes.

Section 6.5: Final cram sheet: definitions, comparisons, and “most confused” AZ-900 topics

Use this cram sheet for rapid recall the night before and the morning of the exam. Keep it conceptual and comparison-based—AZ-900 is a recognition exam.

  • CapEx vs OpEx: CapEx = upfront purchase (datacenter). OpEx = pay-as-you-go consumption (cloud).
  • Public vs Private vs Hybrid cloud: Public = shared provider infrastructure; Private = dedicated to one org; Hybrid = mix with connectivity and consistent management.
  • IaaS vs PaaS vs SaaS: IaaS = you manage OS/runtime; PaaS = provider manages OS/runtime, you manage app/data; SaaS = provider manages app/platform, you just use/configure.
  • Regions vs Availability Zones: Region = geographic area with one or more datacenters; Zones = physically separate datacenters within a region for higher availability.
  • Azure AD (Entra ID) vs RBAC: AD = identity/authentication; RBAC = authorization to Azure resources via role assignments.
  • Azure Policy vs RBAC vs Locks: Policy enforces rules/standards; RBAC grants permissions; Locks prevent delete/modify regardless of RBAC (unless removed).
  • Advisor vs Defender for Cloud vs Monitor: Advisor = recommendations; Defender = security posture + threat protection; Monitor = metrics/logs/alerts.
  • Pricing Calculator vs TCO Calculator vs Cost Management: Pricing = estimate Azure services; TCO = compare on-prem vs Azure; Cost Management = track/allocate/optimize actual spend.

Exam Tip: Watch for “enforce” (Policy) vs “recommend” (Advisor). The exam loves this distinction. Another frequent confusion: NSG (subnet/NIC traffic filtering) vs Azure Firewall (centralized, stateful firewall service) vs DDoS Protection (volumetric attack protection).

Finally, memorize the “shared responsibility” core: Microsoft is responsible for physical datacenter, network, and host; you are responsible for identities, access, and data governance—especially in IaaS. As you move to SaaS, Microsoft takes more responsibility, but you never stop owning your data and account hygiene.

Section 6.6: Exam day checklist: readiness, pacing, and last-minute strategy

Go into exam day with a plan. First, readiness: sleep and hydration matter because AZ-900 is rapid reading and classification. Ensure you know your testing app setup, identification requirements, and that your exam space is compliant. If you’re taking it online, run the system check early and reboot before check-in to avoid update popups.

Pacing strategy: aim for steady progress with time reserved for flagged questions. Use the two-pass method you practiced. Do not “camp” on a single question; AZ-900 questions are designed to be answerable quickly once you identify the objective. Exam Tip: When you feel stuck, stop searching for extra details and instead ask: “Which domain is this testing?” Then pick the service/control that directly matches the verb: estimate, monitor, enforce, assign, secure, replicate.

Last-minute strategy: review only your cram sheet comparisons, not new content. Before you click submit, do a quick scan of flagged items and confirm you didn’t confuse identity vs access (Entra ID vs RBAC) or governance vs security (Policy/locks vs Defender). Common final trap: choosing a tool because it is “popular” rather than because it matches the requirement. The best answer is the one that satisfies the stated goal with the correct Azure concept—no extra assumptions.

After the exam, regardless of outcome, write down the topics that felt uncertain. That reflection is valuable if you need a retake or if you’re moving on to role-based certifications where these fundamentals become prerequisites.

Chapter milestones
  • Mock Exam Part 1
  • Mock Exam Part 2
  • Weak Spot Analysis
  • Exam Day Checklist
Chapter quiz

1. A company wants to ensure that all new Azure resources are created only in the East US and West US regions. The company wants this enforced automatically at deployment time across all subscriptions. Which Azure feature should you use?

Correct answer: Azure Policy
Azure Policy is the governance service designed to enforce organizational standards (such as allowed locations) by evaluating deployments and denying or auditing noncompliant resources. NSGs control network traffic to/from subnets and NICs, not where resources can be created. Azure RBAC controls who can perform actions (authorization), but it does not enforce configuration rules like region restrictions.

2. You need to grant a contractor access to restart virtual machines in a single resource group. The contractor must not be able to assign roles or modify networking. Which approach best meets the requirement?

Correct answer: Assign the built-in Virtual Machine Contributor role scoped to the resource group
Scoping a built-in role such as Virtual Machine Contributor to the resource group follows least privilege and limits actions to VM management without granting role assignment permissions (which are typically included in Owner). Creating a new subscription and assigning Owner is excessive and grants broad permissions including role management. Azure Policy is for enforcing resource standards and compliance; it does not grant permissions to perform actions like restarting VMs.

3. A startup is choosing between on-premises servers and Azure. They want to avoid large upfront hardware purchases and prefer to pay only for what they use each month. Which cost model does this describe?

Correct answer: Operational expenditure (OpEx)
OpEx is a pay-as-you-go model typical of cloud services, where costs are ongoing operating expenses based on usage. CapEx involves upfront investment in hardware and infrastructure, which the startup wants to avoid. Depreciation-based accounting is related to managing CapEx assets over time and does not describe the cloud consumption pricing model.

4. A team needs to host a web application but does not want to manage operating system patching or the underlying web server. They still want to deploy their own application code. Which cloud service model best fits?

Correct answer: Platform as a Service (PaaS)
PaaS (for example, Azure App Service) lets you deploy application code while the provider manages the OS, runtime, and platform components such as patching and underlying infrastructure. IaaS would require managing the VM OS and patching. SaaS is a complete application delivered to users (such as Microsoft 365); it is not the right fit when you are deploying your own custom code.

5. A company runs a database on an Azure virtual machine. They ask which party is responsible for installing operating system security updates for the VM. Under the shared responsibility model, who is responsible?

Correct answer: The customer
For IaaS virtual machines, the customer is responsible for managing and patching the guest operating system and installed software. Microsoft is responsible for the underlying physical infrastructure and hypervisor, not the guest OS updates. The hardware vendor is not the responsible party in the cloud shared responsibility model; Microsoft manages datacenter hardware as part of its cloud responsibilities.