AZ-900 — Exam Readiness & Final Review

1 of 5 sections visited

Exam at a glance

Passing score

700 out of 1000 points (70%)

Question types

Multiple choice, multiple select, hotspot (click image), drag-and-drop matching, scenario-based. No coding, no hands-on labs.

What you need

Define and describe Azure services. Know which service fits a scenario. Know how services compare. Understand when NOT to use something.

Domain weights

Domain 1: Describe cloud concepts

25–30%

Domain 2: Azure architecture and services

35–40%

Domain 3: Azure management and governance

30–35%

Domain 1 topics — Cloud Concepts (25–30%)

Cloud computing

Definition, three resource types (compute/network/storage), third-party data centers.

Cloud models

Private / Public / Hybrid — control, cost, use cases, analogies.

CapEx vs OpEx

Cloud = OpEx. Consumption-based model. No idle hardware cost.

8 cloud benefits

High availability, Scalability, Elasticity, Reliability, Predictability, Security, Governance, Manageability.

IaaS / PaaS / SaaS

Shared responsibility model. Data + devices + user accounts are ALWAYS yours.

Domain 2 topics — Architecture and Services (35–40%)

Azure architecture

Regions (60+), availability zones (3 per region), region pairs (300+ miles), sovereign regions.

Management hierarchy

Management groups → subscriptions → resource groups → resources. Policies inherit downward. Tags do NOT inherit.

Compute

VMs, Scale Sets, Availability Sets, Virtual Desktop, App Service, Functions, ACI, Container Apps, AKS.

Networking

VNets, NSGs, VNet peering (non-transitive), VPN Gateway (encrypted over internet), ExpressRoute (private, never touches internet).

Storage

Blob, Files, Queue, Table, Disk. Redundancy: LRS/ZRS/GRS/GZRS. Access tiers: Hot/Cool/Cold/Archive.

Identity

Entra ID, authentication vs authorization, MFA, SSO, Conditional Access, B2B vs B2C, RBAC 4 roles.

Security

Defense in depth (7 layers), Zero Trust (3 principles), Defender for Cloud.

Domain 3 topics — Management and Governance (30–35%)

Cost factors

Resource type, consumption, geography, network traffic, billing zones, subscription type. Reserved Capacity = up to 72% savings.

Cost tools

Pricing Calculator (before), Cost Management (after), TCO Calculator (migration decision). Tags for cost tracking — NOT inherited.

Governance

Azure Policy (enforce config, inherited, deny is absolute), Resource Locks (Delete or Read-only, override RBAC, Contributor cannot remove), Microsoft Purview, Service Trust Portal.

Deployment

Azure Portal, Cloud Shell, PowerShell, CLI, Azure Arc (extend to non-Azure), ARM (single control plane), ARM templates (JSON, IaC), Bicep (simpler, recommended).

Monitoring

Azure Advisor (5 categories, proactive), Azure Status (global public), Service Health (personalized), Resource Health (individual), Azure Monitor (metrics, logs, alerts, action groups).

11 concepts that trip up most candidates

Study these carefully — the exam regularly tests these exact distinctions.

TRAP 1 Scalability vs Elasticity

Scalability = the ability to adjust resources (can be manual). Vertical = resize one resource. Horizontal = add/remove instances. Elasticity = automatic scaling with no manual action. All elastic systems are scalable; not all scalable systems are elastic.

TRAP 2 Availability Zones vs Availability Sets vs Region Pairs

Availability Sets: rack-level failure protection within one data center (update + fault domains). Availability Zones: entire data center outage protection (3 separate buildings, same region). Region Pairs: region-wide disaster protection (two regions 300+ miles apart). Three completely different levels of protection.

TRAP 3 Authentication vs Authorization

Authentication (AuthN) = proving WHO you are (passport check). Authorization (AuthZ) = determining WHAT you can do (boarding pass check). Entra ID handles authentication. RBAC handles authorization. You always authenticate first.

TRAP 4 Azure Policy vs Resource Locks

Azure Policy: controls what resources CAN BE CREATED and how they must be configured. Resource Locks: prevent modification or deletion of EXISTING resources. Policy = configuration governance. Locks = deletion/modification protection. Both are inherited downward.

TRAP 5 Tags are NOT inherited

Unlike policies, RBAC, and resource locks — tags do NOT flow down the hierarchy. A tag on a resource group does NOT appear on resources inside it. Must be applied explicitly at each level, or Azure Policy must enforce auto-tagging.

TRAP 6 Pricing Calculator vs Cost Management vs TCO Calculator

Pricing Calculator: estimate BEFORE deployment (planning). Cost Management: monitor and control AFTER deployment (ongoing). TCO Calculator: compare on-premises vs Azure costs (migration decision). Three different tools for three different stages.

TRAP 7 VPN Gateway vs ExpressRoute

VPN Gateway: encrypted connection over the PUBLIC internet. Variable latency. Lower cost. ExpressRoute: PRIVATE dedicated circuit — never touches the public internet. Predictable low latency. Higher cost. "Never traverse the public internet" = ExpressRoute.

TRAP 8 Azure Status vs Service Health vs Resource Health

Azure Status: global, public, ALL Azure services/regions, no auth required. Service Health: authenticated, only YOUR services/regions, personalized, configurable alerts. Resource Health: health of YOUR specific individual resource instance. These are three scopes within Azure Service Health.

TRAP 9 IaaS vs PaaS vs SaaS responsibility

IaaS: provider manages physical hardware only. PaaS: provider manages hardware AND OS/middleware. SaaS: provider manages everything. Data + user accounts + devices are ALWAYS the customer's regardless of model — this never transfers to the provider.

TRAP 10 Contributor cannot manage resource locks

Contributor can create and manage all Azure resources but does NOT have the Microsoft.Authorization/locks/* permission. A Contributor cannot create or remove resource locks — only Owner and User Access Administrator can. A Contributor cannot delete a locked resource even if they have delete permission on it.

TRAP 11 LRS vs ZRS vs GRS vs GZRS

LRS: 3 copies in 1 data center — survives hardware failure only. ZRS: 3 copies across 3 zones — survives data center outage, not region failure. GRS: LRS primary + secondary region — survives region failure, not zone failure in primary. GZRS: ZRS primary + secondary region — survives BOTH zone and region failure (Microsoft recommended).

Cloud models comparison

Factor	Private	Public	Hybrid
Owned by	The organization	Third-party provider	Both
Cost model	High CapEx	Pay-as-you-go OpEx	Mix
Control	Maximum	Limited	Mixed
Scalability	Limited (buy hardware)	Near-instant	Flexible
Analogy	Own a car	Take the bus	Drive to station, take the train

Shared responsibility — IaaS vs PaaS vs SaaS

Layer	On-premises	IaaS	PaaS	SaaS
Physical infrastructure	You	Provider	Provider	Provider
Operating system	You	You	Provider	Provider
Applications	You	You	You	Provider
Data	You	You	You	You — always
User accounts	You	You	You	You — always
Devices	You	You	You	You — always

Storage redundancy — choose the right option

Scenario	Best choice	Why
Lowest cost, basic hardware protection only	LRS	3 copies in 1 data center, cheapest
Survive a data center outage, stay in one region	ZRS	3 copies across 3 availability zones
Survive a complete region failure	GRS	Secondary region copy (LRS in primary)
Maximum: survive both zone AND region failure	GZRS	ZRS primary + secondary region — Microsoft recommended

Compute options — choose the right service

Service	Model	Choose when
Virtual Machines	IaaS	Full OS control, lift-and-shift, custom software
VM Scale Sets	IaaS	Auto-scaling identical VMs under load, up to 1,000
App Service	PaaS	Web apps / REST APIs — focus on code, not servers
Azure Functions	PaaS (serverless)	Short event-driven tasks, pay per execution
ACI	PaaS	Simplest container deployment, no orchestration
Container Apps	PaaS (serverless)	Microservices, scale-to-zero containers
AKS	PaaS	Production Kubernetes, team has K8s expertise

Governance tools comparison

Tool	Purpose	Inherited?	Can Contributor bypass?
Azure Policy	Enforce resource configuration standards	Yes	No — deny is absolute
Delete lock	Prevent deletion of existing resources	Yes	No — cannot manage locks
Read-only lock	Prevent modification AND deletion	Yes	No — cannot manage locks
RBAC roles	Control what actions identities can perform	Yes	Overridden by locks
Resource tags	Metadata for cost tracking and organization	No	N/A — not a security control

Monitoring tools comparison

Tool	Use it when	Personalized?	Requires login?
Azure Advisor	Want proactive optimization recommendations	Yes — your resources	Yes
Azure Status	Check for widespread global Azure outage	No — all Azure	No (public)
Service Health	Check if YOUR services/regions are affected	Yes — your services	Yes
Resource Health	Check if a SPECIFIC resource is healthy	Yes — individual resource	Yes
Azure Monitor	Collect metrics/logs, set alerts, automate responses	Yes — configurable	Yes

Study checklist — click each item when you feel confident

I can define cloud computing and explain why organizations move to cloud

I can distinguish Private, Public, and Hybrid cloud and give a use case for each

I can explain CapEx vs OpEx and why cloud = OpEx (consumption-based)

I know all 8 cloud benefits and can distinguish scalability from elasticity

I understand IaaS / PaaS / SaaS and the shared responsibility model

I can explain Azure regions, availability zones, region pairs, and sovereign regions

I know the 4-level hierarchy and how policies/permissions inherit downward

I can choose the right compute service for a given scenario

I know VM Scale Sets vs Availability Sets and when to use each

I understand VNets, NSGs, VNet peering, and can explain VPN Gateway vs ExpressRoute

I know all 5 Azure storage services and when to use each

I can choose the right redundancy option (LRS / ZRS / GRS / GZRS) for a scenario

I know the 4 blob access tiers, their tradeoffs, and what Archive rehydration means

I can explain Azure Migrate, Data Box, AzCopy, Storage Explorer, and File Sync

I understand Entra ID, authentication vs authorization, MFA, SSO, Conditional Access

I know the 4 RBAC roles and their exact distinctions (especially Contributor limitations)

I can explain defense in depth (7 layers), Zero Trust (3 principles), Defender for Cloud

I know the 6 Azure cost factors and savings strategies including Reserved Capacity

I can distinguish Pricing Calculator, Cost Management, and TCO Calculator

I understand resource tags and know that tags are NOT inherited

I can explain Azure Policy (enforce config, inherited, initiatives, deny effect)

I know resource locks (Delete vs Read-only, inherited, Contributor cannot remove)

I understand Azure Arc (extends Azure management to non-Azure environments)

I know ARM (single control plane), ARM templates (JSON IaC), and Bicep (simpler DSL)

I can distinguish Azure Advisor, Azure Status, Service Health, Resource Health, and Azure Monitor

I have completed the Microsoft Learn AZ-900 learning path (aka.ms/learn)

I have scored 70%+ on the official Microsoft free practice assessment

Progress: 0 / 27 topics confident

Exam essentials before you book

Passing score

700 out of 1000 (70%). Scaled scoring — not all questions carry equal weight.

Question types

Multiple choice, multiple select, hotspot (click on image/diagram), drag-and-drop, case study scenarios. No coding required.

Retake policy

If you fail: retake 24 hours after first attempt. Subsequent retakes require longer wait periods. No penalty for attempting — better to book and try than wait for "perfect."

Registration tip

Register with a personal Microsoft Account (MSA), not a work/school Azure AD account. If you leave your organization, certification records tied to an organizational account may become inaccessible.

Recommended study sequence

Step 1

Review all 6 study guides. Pay extra attention to the Review Q&A tabs and Common Traps. Aim to explain every concept aloud without notes.

Step 2

Complete the Microsoft Learn AZ-900 learning path at aka.ms/learn — free and structured around the same exam objectives. Knowledge checks align with exam question style.

Step 3

Take the official free Microsoft practice assessment at learn.microsoft.com — shows actual question style, difficulty, and identifies gaps.

Step 4

Practice on ExamTopics (examtopics.com/exams/microsoft/az-900) — community-verified questions. Read discussions on each question even when you get it right.

Step 5

Review the Common Traps tab the night before. These are the distinctions most candidates miss. Fresh in memory = fewer mistakes on test day.

Step 6

Book your exam at learn.microsoft.com. Available online proctored or testing center. Arrive rested. You've got this.

After AZ-900 — what to study next

AZ-104

Azure Administrator — deep dive into managing Azure subscriptions, resources, networking, storage, compute, and identities. Next step for IT professionals managing Azure environments.

AZ-204

Azure Developer — building cloud solutions, implementing APIs, managing Azure Functions, containers, and AI/cognitive services. For developers building on Azure.

AI-900

Azure AI Fundamentals — foundational AI and ML concepts on Azure. Pairs well with AZ-900 as another fundamentals certification.

SC-900

Security, Compliance and Identity Fundamentals — deeper focus on Microsoft security services. Builds on AZ-900 security topics.

Key URLs to bookmark

Microsoft Learn

aka.ms/learn — free self-paced learning paths

Practice assessment

learn.microsoft.com/credentials/certifications/exams/az-900/practice/assessment

Azure infrastructure map

datacenters.microsoft.com — interactive 3D globe of all Azure regions

Pricing Calculator

azure.microsoft.com/pricing/calculator

Service Trust Portal

servicetrust.microsoft.com — compliance documentation and audit reports

ExamTopics

examtopics.com/exams/microsoft/az-900