Cert-Pass
Log in Sign up
calendar_todayJun 03, 2026 schedule21 min read

AZ-900 Common Mistakes and Exam Traps for 2026

AZ-900 common mistakes and exam traps explained with service comparisons, category clues, and a practical review method.

az-900 azure fundamentals tips exam-traps
Share
Microsoft

AZ-900 Azure Fundamentals

Practice Now
AZ-900 Common Mistakes and Exam Traps for 2026

AZ-900 common mistakes and exam traps for 2026

AZ-900 common mistakes are usually not caused by missing every fact. They are usually caused by choosing the right Azure service family for the wrong reason. This matters because the exam often gives several valid Azure products in the same answer set. Only one option matches the exact requirement. A candidate who learns the most common traps can often recover points simply by reading more carefully and eliminating the wrong category first.

If the goal is to build a stronger pass strategy, start with the main exam hub here: /exams/azure-az-900-azure-fundamentals. If a broader review is needed before the final exam attempt, use this study guide alongside the trap list: /blog/az-900-azure-fundamentals-study-guide-2026. For the latest official wording, keep the Microsoft Learn page open as the source of truth: Microsoft Azure Fundamentals.

Official exam facts

Detail What to confirm
Exam AZ-900 Azure Fundamentals
Vendor Microsoft
Best use of this page Identify and avoid the most common exam traps
Study style Category recognition, elimination, and scenario reading
Official source Microsoft Learn Azure Fundamentals page
Cert Pass hub /exams/azure-az-900-azure-fundamentals

The purpose of this article is not to repeat the whole exam guide. The purpose is to show where candidates usually lose easy points. In many cases, the right answer is available if the candidate asks a better question: Is this a cloud concept, a compute question, a networking question, a storage question, an identity question, a governance question, a cost question, or a monitoring question? That single habit changes a lot of outcomes.

Mistake 1: confusing the category with the product

One of the biggest AZ-900 mistakes is jumping straight to a product name before the requirement has been classified. A candidate may see words such as security, monitoring, networking, storage, or cost and then grab a familiar service without checking whether it actually solves the scenario.

Why this mistake happens

Many Azure services sound relevant because they are all part of the same platform. But the exam is not asking whether a service is real. It is asking whether it is the best fit. A real Azure service can still be the wrong answer if it solves a nearby problem instead of the exact one.

How to avoid it

Use this sequence:

  1. Name the category.
  2. Find the hard requirement.
  3. Remove answers from the wrong category.
  4. Compare only the remaining near matches.
  5. Choose the simplest answer that meets the need.

Example

If a question asks for an encrypted connection over the internet, the category is networking. If a question asks who can restart a virtual machine, the category is identity and permissions. If a question asks how to stop accidental deletion, the category is governance or resource protection. Those are different categories, even though they may all appear in the same Azure environment.

Mistake 2: confusing public internet security with private connectivity

Candidates often confuse VPN Gateway and ExpressRoute because both are used for connectivity and security. But the question wording usually tells you which one is correct.

Wording in the question Better fit
Encrypted connection over the public internet VPN Gateway
Private connection that avoids the public internet ExpressRoute
Private IP access to a supported Azure service Private endpoint

Why this mistake hurts

If the question only asks for encryption over the internet, ExpressRoute is usually too much. If the question asks to avoid the public internet, VPN Gateway is not enough. The exam uses that contrast to see whether the candidate understands the difference between secure internet tunneling and dedicated private connectivity.

How to avoid it

Read for the phrase that matters most:

  • If the phrase says over the internet, think VPN Gateway.
  • If the phrase says avoid the internet, think ExpressRoute.
  • If the phrase says use a private IP in a virtual network, think private endpoint.

Mistake 3: confusing IaaS, PaaS, SaaS, and serverless

Another common mistake is treating service model words like product names. They are not. They describe how much of the stack the provider manages.

Service model What it means
IaaS Customer still manages the guest operating system and the application
PaaS Provider manages the operating system and platform layers
SaaS Provider manages the complete application
Serverless Provider manages infrastructure and scaling while the customer focuses on code

Typical trap

A question may mention a web app and an operating system. If the customer wants full OS control, the answer is usually IaaS. If the customer does not want to patch or manage the OS, App Service or another PaaS-style answer is usually better. If the workload is triggered by events and should run without server management, serverless is usually the best fit.

How to avoid it

Use the management clue:

  • Need full OS control -> IaaS.
  • Need managed platform and less OS work -> PaaS.
  • Need a complete provider-managed application -> SaaS.
  • Need code to run without server management -> serverless.

Mistake 4: choosing the most powerful service instead of the simplest valid one

AZ-900 often rewards simplicity. The candidate does not need to pick the most advanced service. The candidate needs to pick the service that directly satisfies the requirement.

Why this matters

A question may involve security, performance, or scaling, and several answers may be technically possible. But the exam usually wants the least complex service that still satisfies the requirement. Over-engineering is a classic trap.

Examples

  • A small hosted app may not need a virtual machine if App Service is enough.
  • A single stateless service may not need Kubernetes if Cloud Run or App Service is enough.
  • A simple internet tunnel may not need ExpressRoute if VPN Gateway is enough.
  • A straightforward database may not need a globally distributed database if Cloud SQL is enough.

How to avoid it

Ask: What is the minimal correct solution? If two answers could work, the simpler one is often the better choice unless the question adds an explicit requirement for scale, control, or global reach.

Mistake 5: confusing Azure Policy, RBAC, locks, and tags

Governance questions are very common because they test whether the candidate knows what problem each tool solves.

Tool Main purpose
Azure Policy Enforce standards and compliance
Azure RBAC Control what actions a user or group can perform
Resource locks Prevent deletion or modification
Tags Add metadata for classification and reporting

Why this mistake happens

These tools are often discussed together, so they feel interchangeable. They are not. A question about allowed regions or mandatory naming standards is a policy question. A question about who can restart a VM is an RBAC question. A question about preventing accidental deletion is a lock question. A question about owner, department, or environment is a tags question.

How to avoid it

Remember the short rule:

  • Policy asks: Is this configuration allowed?
  • RBAC asks: What can this identity do?
  • Lock asks: Can this resource be changed or deleted?
  • Tag asks: How should this resource be labeled?

Mistake 6: confusing Azure Monitor, Service Health, Advisor, and Application Insights

This is one of the most frequent monitoring traps on AZ-900.

Tool Main question it answers
Azure Monitor What telemetry is the environment producing?
Azure Service Health Is Azure itself having an issue or maintenance event?
Azure Advisor What recommendations should I consider?
Application Insights How is the application behaving?

Why this mistake happens

All four tools are related to visibility or improvement, so they sound close enough to confuse. But each one has a different job. Service Health is about Azure platform issues. Application Insights is about application behavior. Monitor is the general telemetry platform. Advisor gives recommendations.

How to avoid it

Use the question words:

  • “incident” or “maintenance” -> Service Health.
  • “recommendation” -> Advisor.
  • “metrics, logs, alerts” -> Monitor.
  • “request rate, failure rate, app response” -> Application Insights.

Mistake 7: confusing storage service types with storage access patterns

Storage questions often look simple, but they can still be misleading if the data shape is not identified first.

Data shape or need Better fit
Unstructured objects such as images, backups, or media Blob Storage
Shared file share over SMB Azure Files
Messages between components Queue Storage
Simple NoSQL entities Table Storage
VM disks Managed disks

Why this mistake hurts

A candidate may know all the storage products but still miss the answer because the question describes usage rather than type. For example, a shared Windows file share is not the same as object storage. Messages in a queue are not the same as files. VM disks are not the same as blob objects.

How to avoid it

Ask what the data is doing:

  • Is it being shared like a folder? -> Azure Files.
  • Is it being stored as objects? -> Blob Storage.
  • Is it being sent between components? -> Queue Storage.
  • Is it a simple entity store? -> Table Storage.
  • Is it attached to a VM? -> Managed disks.

Mistake 8: confusing storage tiers and redundancy options

Candidates sometimes mix up hot, cool, archive, LRS, ZRS, GRS, and GZRS.

Concept What it means
Hot, cool, archive How often data is accessed
LRS, ZRS, GRS, GZRS How copies are distributed for resilience

Why this matters

Access tier and redundancy answer two different questions. Hot, cool, and archive describe access frequency and cost tradeoffs. Redundancy describes durability and fault tolerance. A question about infrequent access is not asking about zone replication. A question about protection across zones is not asking about archive storage.

How to avoid it

If the question mentions frequency of access, think tier. If it mentions copies, regions, or zones, think redundancy.

Mistake 9: confusing identity, authentication, and authorization

Identity questions can be tricky because they often involve multiple related concepts.

Concept What it does
Microsoft Entra ID Cloud identity and access management
MFA Adds another verification factor
Passwordless Sign in without a password
Conditional Access Applies rules based on signals such as user, device, or location
RBAC Grants permissions to perform actions at a scope

Why this mistake happens

The exam often combines several identity words in one scenario. A candidate may see sign in, password, additional factor, conditional rule, or access to a resource and choose too quickly. But each word points to a different part of the identity stack.

How to avoid it

Use the following logic:

  • Need the identity system itself -> Entra ID.
  • Need an extra verification step -> MFA.
  • Need to sign in without typing a password -> passwordless.
  • Need a rule based on device, location, or user signals -> Conditional Access.
  • Need permission to do an action -> RBAC.

Mistake 10: confusing cost planning with cost analysis

AZ-900 often includes cost questions that look similar but are not the same.

Need Better fit
Estimate the cost of a future design Azure pricing calculator
Analyze actual spending and budgets Microsoft Cost Management

Why this mistake happens

Both tools are about cost, so the exam uses wording to separate planning from reporting. If the question says “before deployment,” the answer usually points to the pricing calculator. If the question says “review spending,” the answer usually points to Cost Management.

How to avoid it

Ask whether the environment exists yet. If it does not exist yet, think estimate. If it already exists, think analysis and budgeting.

Mistake 11: confusing compute control with deployment convenience

Compute questions often tempt candidates to choose a service simply because it is popular. That can lead to a mismatch.

Scenario clue Better fit
Need guest OS control Virtual Machines
Need a managed web app platform App Service
Need event driven code without managing servers Functions
Need portable packaged app workloads Containers

Why this mistake matters

A question can mention a web application, but that does not automatically mean a virtual machine is best. If the question explicitly says the team does not want to manage the OS, a platform service is likely the better answer. If the question says the workload should run when triggered, serverless is likely the right direction.

How to avoid it

Read the management clue first, not the product clue.

Mistake 12: confusing monitoring of Azure with monitoring of the application

The exam often distinguishes between platform health and application health.

Platform health

Use Azure Service Health when the question is about Azure incidents, maintenance, or advisories.

Application health

Use Application Insights when the question is about request rates, failure rates, dependencies, and response times.

General telemetry

Use Azure Monitor when the question is about metrics, logs, and alerts across the environment.

Why this matters

A candidate may choose a general monitoring tool when the question is really about a customer application or about Azure itself. That can be enough to miss an otherwise easy point.

Mistake 13: confusing private networking with access control

Network access and identity access are not the same.

Topic Example
Network path VNet, subnet, peering, VPN Gateway, ExpressRoute, private endpoint
Identity permissions Entra ID, RBAC, MFA, Conditional Access

Why this matters

A question about the route a packet takes is a networking question. A question about who can open a resource is an identity question. Mixing the two leads to wrong answers even when the candidate knows both subject areas.

How to avoid it

Ask whether the question is about traffic flow or user permissions. If it is traffic flow, stay in networking. If it is user action, stay in identity and permissions.

Mistake 14: confusing Azure portal, Cloud Shell, CLI, and PowerShell

Management interface questions are usually straightforward if the phrasing is read carefully.

Phrase Better fit
Browser graphical interface Azure portal
Browser shell Cloud Shell
Command line interface Azure CLI
PowerShell cmdlets Azure PowerShell

Why this happens

These tools are all used to manage Azure, so they can feel interchangeable. But the exam often includes a clue about the interface itself. A shell is not the same as a GUI. Command line is not the same as PowerShell. The wording matters.

How to avoid it

Match the interface to the wording, not to the service being managed.

Mistake 15: confusing Azure Policy with resource locks

This is a governance trap that deserves its own reminder.

Need Better fit
Enforce allowed settings or locations Azure Policy
Prevent deletion CanNotDelete lock
Prevent changes and deletion ReadOnly lock

Why this mistake happens

Both tools can help protect environments, but they protect in different ways. Policy is about standards. Locks are about protecting specific resources from unwanted changes. If the question mentions allowed regions, tag requirements, or configuration standards, Policy is the answer. If the question mentions accidental deletion, a lock is the answer.

A fast AZ-900 trap checklist

Before answering any question, ask these five questions:

  1. What category is this?
  2. What is the exact requirement phrase?
  3. Is the question about planning, analysis, or enforcement?
  4. Is the question about traffic, identity, storage, compute, or monitoring?
  5. Which answer solves the exact problem with the least complexity?

If the candidate runs this checklist, many of the common traps become much easier to avoid.

Table of high-value comparisons

Comparison Key difference
VPN Gateway vs ExpressRoute Internet tunnel vs private circuit
Policy vs RBAC Standards vs permissions
Policy vs locks Standards vs resource protection
Monitor vs Service Health Telemetry vs Azure platform incidents
Monitor vs Application Insights General telemetry vs app behavior
Pricing calculator vs Cost Management Estimate vs analyze
Blob vs Files Object storage vs SMB file share
Queue vs Table Messages vs entities
Hot vs Cool vs Archive Access frequency
LRS vs ZRS vs GRS vs GZRS Resilience placement

Practical study routine to avoid these mistakes

A candidate can reduce error rates by reviewing the exam in a targeted way rather than rereading every topic equally.

Step 1: review the trap categories

Read the high mistake categories first: networking, governance, identity, monitoring, storage, and cost.

Step 2: build a comparison habit

Do not study services in isolation. Study them in pairs:

  • VPN Gateway and ExpressRoute
  • Policy and RBAC
  • Monitor and Service Health
  • Pricing calculator and Cost Management
  • Blob and Files
  • Entra ID and Entra Domain Services

Step 3: practice scenario reading

Read one practice question at a time and explain the answer out loud. The act of explaining helps reveal whether the reasoning is truly understood.

Step 4: review only the wrong answers

Most improvement comes from reviewing missed questions. The goal is to identify why the wrong choice looked attractive and what word should have changed the decision.

Example trap scenarios

Scenario A

A company wants to control what resources can be deployed in a region and requires an approved tag on every resource.

Best fit: Azure Policy.

Trap: choosing RBAC or tags alone.

Scenario B

A company wants to stop accidental deletion of a specific resource but still allow authorized edits.

Best fit: CanNotDelete lock.

Trap: choosing Azure Policy.

Scenario C

A team wants to know whether Azure is having a service outage that affects its storage service.

Best fit: Azure Service Health.

Trap: choosing Application Insights or Azure Monitor.

Scenario D

A team wants to see request latency and failure rate inside its web application.

Best fit: Application Insights.

Trap: choosing Service Health.

FAQ

What is the biggest AZ-900 trap?

The biggest trap is choosing a familiar Azure service too early. The scenario wording is what decides the answer, not whether the service is commonly used.

Should the exam be studied by service or by scenario?

Both, but scenario practice matters more. Service knowledge gives the vocabulary. Scenario practice teaches when to use the vocabulary.

What should be reviewed first before the exam?

Review the category pairs that are easiest to confuse: VPN Gateway and ExpressRoute, Policy and RBAC, Monitor and Service Health, Pricing calculator and Cost Management, Blob and Files.

Is the official Microsoft page still important?

Yes. The Microsoft Learn page is the source of truth for exam wording and official certification information.

Where should practice begin?

Start from the exam hub here: /exams/azure-az-900-azure-fundamentals. Then move to the study guide and practice questions pages for more targeted review.

How can a candidate avoid panic on scenario questions?

Read the requirement slowly, identify the category, and eliminate wrong-category answers before comparing the remaining options. That routine reduces noise and makes the question feel more manageable.

Why are the nearby wrong answers so believable?

Because they are often valid Azure services that solve related problems. The exam is designed to check whether the candidate can distinguish the exact problem from a nearby but different one.

Related resources

Final note

AZ-900 is much easier when the candidate learns to spot the trap before looking at the answer choices. The exam is rarely trying to hide the correct idea completely. It is usually testing whether the candidate can tell the difference between two or three neighboring Azure services that sound similar but solve different problems. If the candidate can classify the question correctly, the answer often becomes obvious.

Turning mistakes into points

A useful way to study this exam is to treat every missed question as a pattern, not as a failure. If the missed answer came from confusing Policy and RBAC, that is a governance comparison problem. If the missed answer came from choosing Service Health instead of Application Insights, that is a monitoring distinction problem. If the missed answer came from picking Azure Files instead of Blob Storage, that is a storage-shape problem. When a mistake is categorized correctly, the same mistake is less likely to happen again.

A practical review loop looks like this:

  1. Read the question again without the answer choices.
  2. Write down the category in one word.
  3. Write down the exact phrase that should have guided the answer.
  4. State why the wrong answer looked tempting.
  5. Restate the rule in a short sentence.
  6. Re-answer the question after a short pause.

This loop works because AZ-900 rewards repeated recognition more than deep engineering detail. The exam is often about seeing a clue quickly and applying the right category rule before distraction sets in.

One more quick review table

Mistake type What to look for on the next attempt
Networking confusion Over the internet vs avoid the internet vs private IP
Governance confusion Standards vs permissions vs deletion protection
Monitoring confusion Azure incident vs application telemetry vs general logs
Storage confusion Objects vs files vs messages vs entities
Identity confusion Sign in, additional factor, access rule, permission
Cost confusion Estimate future cost vs analyze existing spend
Compute confusion OS control vs managed platform vs trigger-based execution

Final study reminder

The best AZ-900 answers usually come from careful wording, not from guessing the most popular service. Read the requirement, name the category, and then choose the service that solves the exact problem. That approach is the fastest way to avoid the common traps listed in this article.

A final benefit of this habit is confidence. When the candidate knows the rule behind each service pair, the answer choices stop feeling random. The question becomes a simple comparison instead of a guessing game, and that makes the exam much easier to manage under time pressure.

That is the real value of the trap list: fewer surprises, faster elimination, and better use of exam time on questions that still need careful reading.

The next review step is simple: return to the study guide, then return to the practice questions, and use this article to confirm which service pairs still feel weak.

That short loop is usually enough to turn a confusing topic into a repeatable rule.

Once the rule is clear, the exam is less about memory and more about recognizing the pattern quickly.

That is the main advantage of a trap-focused review.

It makes the next answer feel like a rule, not a guess.

That is exactly the kind of clarity AZ-900 rewards.

Under time.

Quick recovery checklist after a low practice score

A poor practice score usually means one of three things: the candidate is mixing service names, reading the question too quickly, or applying a feature that belongs to a different service. The fastest recovery is not to restart the whole course. It is to isolate the failure pattern.

  1. Revisit the last 10 missed questions and group them by topic.
  2. Compare each missed answer to the official Azure service or feature it refers to.
  3. Rewrite the rule in plain language.
  4. Retake a short set of focused questions on that same topic.
  5. Keep a small notes page for services that are often confused.

Mini self check

  • Can the candidate explain the difference between RBAC and Azure Policy?
  • Can the candidate choose between Blob, File, and Queue Storage?
  • Can the candidate tell when Monitor, Advisor, and Service Health are the right answer?
  • Can the candidate explain identity versus authorization without using vague language?

That routine turns a weak area into a specific fix.

How to review the trap list without overstudying

The goal of this article is not to memorize every sentence. The goal is to make the recurring confusions smaller and easier to spot. That works best when the candidate uses the trap list as a short review loop instead of a long reading session.

A simple loop is enough:

  1. Read one mistake category.
  2. Name the correct Azure service family.
  3. Explain why the tempting answer is wrong.
  4. Answer a few practice questions on the same topic.
  5. Move on only after the difference feels clear.

Signs the topic is becoming easier

  • The candidate can explain the difference in one sentence.
  • The answer choices start to look more obvious.
  • The same mistake stops repeating in practice.
  • The candidate can eliminate two options quickly.

That is usually the point where the topic is ready for the exam.

One last memory trick

When two services seem similar, ask what kind of problem the question is describing. If it is about control, policy, or governance, start with RBAC, Policy, or Locks. If it is about visibility, start with Monitor, Advisor, or Service Health. If it is about storage, ask about the access pattern first, then the redundancy or tier. That sequence often removes the wrong options quickly.

The goal is not to memorize every Azure term separately. The goal is to learn the question pattern that points to the right family of services.

school

Cert-Pass Editorial Team

Cloud certification experts helping IT professionals pass their exams with confidence.

Share
Expert-Crafted Study Guide

Everything You Need to Pass AZ-900 Azure Fundamentals: Visualized

AZ-900 Azure Fundamentals certification preparation infographic

Put your knowledge to the test

Practice with exam-style questions, track your progress, and pass with confidence.

quiz Start Practicing Free