arrow_back Cert

Microsoft AZ-900 Azure Fundamentals

Study & Mastery Mode

🔥 0 streak

Score 0% /70%

timer Real Exam lock Pro menu_book Course description 3-Page download Free

menu_book

AZ-900 Azure Fundamentals

Compressed Course

AZ-900 Microsoft Azure Fundamentals — Compressed Exam-Preparation Course

Alignment: AZ-900 skills measured as of January 14, 2026
Purpose: A fast but complete revision course built from the analyzed 1,100-question AZ-900 practice bank and organized around the current Microsoft blueprint.
Best use: Learn the decision rules first, then use practice questions to test whether you can select the correct Azure concept or service from plausible distractors.

1. Exam Overview

What the exam is testing

AZ-900 tests whether you can recognize foundational cloud concepts and choose the most appropriate Azure concept, service, or management tool for a short scenario.

You are not expected to design complex enterprise systems or configure services from memory. You are expected to answer questions such as:

Is this public, private, or hybrid cloud?
Is the best fit IaaS, PaaS, SaaS, or serverless?
Does the scenario need a virtual machine, a container, a web app, or a function?
Does the network requirement call for VNet peering, VPN Gateway, ExpressRoute, a public endpoint, or a private endpoint?
Is the question about governance, cost, monitoring, security, or deployment?
Which Azure tool solves the stated problem most directly?

The official passing score is 700 or greater. Treat every question as a decision problem: identify the requirement, eliminate unrelated service categories, and select the option that most directly solves the problem.

How to think like the exam

Most AZ-900 questions use a simple pattern:

A company has a requirement.
Several answers are real Azure concepts or services.
Only one answer matches the primary requirement.
The strongest distractor often solves a nearby but different problem.

Use this mental sequence:

Identify the category: cloud concept, architecture, compute, network, storage, identity, cost, governance, deployment, or monitoring.
Highlight the decisive words: private, over the public internet, without managing servers, prevent deletion, estimate cost before deployment, service incident, or application telemetry.
Eliminate services from the wrong category.
Choose the simplest Azure option that directly satisfies the requirement.
Do not add complexity unless the scenario requires it.

How to use this course

Use the guide in four passes:

Pass 1: Learn the maps and comparison tables.
Pass 2: Practice service selection by covering the answer column and choosing from the scenario alone.
Pass 3: Review the traps and explain why the best wrong answer fails.
Pass 4: Use the rapid-review section and exam-day checklist.

2. Exam Domains

Domain list and priorities

Official domain	Official weight	Study priority	Why it matters
Describe cloud concepts	25–30%	High	Establishes the vocabulary used in every other domain
Describe Azure architecture and services	35–40%	Very high	Largest domain; contains the most service-selection questions
Describe Azure management and governance	30–35%	Very high	Frequently tests tools that sound similar but solve different problems

Priority notes

Spend the most time on:

Azure architecture, compute, networking, storage, and identity.
Governance, cost management, deployment tools, and monitoring.
Cloud models, service models, shared responsibility, and cloud benefits.

What matters most

The exam repeatedly rewards accurate mapping:

Requirement signal	Likely answer
Control the guest operating system	Azure Virtual Machines / IaaS
Host a web application without patching the OS	Azure App Service / PaaS
Run event-driven code without managing servers	Azure Functions / serverless
Encrypted connection over the public internet	Azure VPN Gateway
Private connectivity that avoids the public internet	ExpressRoute
Private IP access to an Azure service	Private endpoint
Apply standards across resources	Azure Policy
Prevent accidental deletion	Resource lock
Estimate cost before deployment	Azure pricing calculator
Analyze current spending and set budgets	Microsoft Cost Management
Platform incident or planned maintenance	Azure Service Health
Telemetry, logs, metrics, alerts	Azure Monitor
Application performance and failures	Application Insights
Personalized optimization recommendations	Azure Advisor

3. Start-to-Finish Study Path

Foundation

Learn these first:

Public, private, and hybrid cloud.
Consumption-based pricing, CapEx, and OpEx.
Shared responsibility.
High availability, scalability, elasticity, reliability, predictability, governance, and manageability.
IaaS, PaaS, SaaS, and serverless.

Checkpoint: you should be able to explain why a VM is usually IaaS, why App Service is PaaS, and why Microsoft 365 is SaaS.

Intermediate

Move to Azure architecture and core services:

Regions, datacenters, availability zones, region pairs, and sovereign regions.
Management groups, subscriptions, resource groups, and resources.
Virtual machines, scale sets, availability sets, Azure Virtual Desktop, containers, Functions, and web apps.
VNets, subnets, peering, Azure DNS, VPN Gateway, ExpressRoute, public endpoints, and private endpoints.
Blob, Files, Queue, Table, managed disks, storage tiers, and redundancy.
Microsoft Entra ID, Entra Domain Services, SSO, MFA, passwordless, external identities, Conditional Access, RBAC, Zero Trust, defense in depth, and Defender for Cloud.

Checkpoint: for each scenario, identify the service category before selecting a product.

Advanced

Focus on confusing pairs and multi-constraint questions:

Availability zone versus availability set versus region pair.
VPN Gateway versus ExpressRoute.
Public endpoint versus private endpoint.
Blob versus Files versus Queue versus Table versus managed disks.
Microsoft Entra ID versus Entra Domain Services.
SSO versus MFA versus passwordless versus Conditional Access.
Azure Policy versus resource locks versus tags versus RBAC.
Advisor versus Service Health versus Monitor versus Log Analytics versus Application Insights.
Pricing calculator versus Cost Management.
Portal versus Cloud Shell versus CLI versus PowerShell versus ARM templates.

Checkpoint: explain why the most tempting distractor is wrong.

Final review

Use the last-day method:

Read the quick memory rules.
Review the service-selection tables.
Rehearse the architecture hierarchy.
Revisit storage redundancy and monitoring tools.
Answer a mixed set of questions without notes.
Review only the concepts you missed.

4. Core Concepts by Domain

Domain 1 — Describe Cloud Concepts

4.1 Cloud computing

Cloud computing delivers computing services over the internet or through a cloud environment. Instead of buying and operating every server yourself, you use resources as needed.

Cloud models

Model	Meaning	Best fit	Common trap
Public cloud	Provider-owned cloud resources shared across customers with logical isolation	Fast deployment, broad cloud services, consumption-based usage	“Public” does not mean your data is automatically public
Private cloud	Cloud environment dedicated to one organization	Dedicated control or specialized internal requirements	Private cloud is not the same as a single private endpoint
Hybrid cloud	Combines on-premises or private-cloud resources with public-cloud services	Gradual migration, legacy dependencies, mixed environments	If any required workload remains on-premises while Azure is also used, consider hybrid

Consumption-based model

You use resources when needed and generally pay according to usage. The key advantage is avoiding unnecessary upfront hardware purchases.

Term	Meaning	Exam clue
Capital expenditure (CapEx)	Upfront purchase of assets such as physical servers	“Buy hardware before deployment”
Operational expenditure (OpEx)	Ongoing spending such as a variable cloud bill	“Monthly bill changes with usage”
Consumption-based pricing	Charges align with resource usage	“Stop paying after deleting or stopping resources”

Shared responsibility model

Cloud adoption changes who manages each layer.

Layer	On-premises	IaaS	PaaS	SaaS
Physical datacenter	Customer	Microsoft	Microsoft	Microsoft
Physical network and hosts	Customer	Microsoft	Microsoft	Microsoft
Guest OS	Customer	Customer	Microsoft	Microsoft
Runtime and middleware	Customer	Customer	Microsoft	Microsoft
Application	Customer	Customer	Customer	Mostly Microsoft
Data, identities, and access decisions	Customer	Customer	Customer	Customer

Rule: the more managed the service, the less infrastructure the customer manages. The customer still remains responsible for data governance, identity choices, and access decisions.

Serverless

Serverless computing lets you run code without managing servers. The cloud provider handles infrastructure management and scaling details.

Exam clue: event-driven code, short execution, trigger-based processing, no server management → Azure Functions.

4.2 Benefits of cloud services

Benefit	Meaning	Scenario clue	Do not confuse with
High availability	Keep a service accessible when failures occur	“Remain available if a component fails”	Scalability
Scalability	Adjust capacity to handle demand	“Increase capacity”	High availability
Horizontal scaling	Add or remove instances	“Add more VMs behind a load balancer”	Vertical scaling
Vertical scaling	Increase or decrease capacity of one resource	“Increase CPU and memory on a VM”	Horizontal scaling
Elasticity	Scale dynamically as demand rises and falls	“Seasonal spike; add and remove resources automatically”	Static scaling
Reliability	Recover from failures and continue operating	“Reduce effect of failures; recover”	Cost optimization
Predictability	Improve confidence in cost or performance planning	“Forecast expected usage or cost”	Guaranteed zero variation
Security	Use cloud controls and provider capabilities to protect resources	“Protect workloads and identities”	Governance
Governance	Enforce standards and organizational rules	“Approved regions and required tags”	Monitoring
Manageability	Deploy and operate resources using portals, CLI, APIs, templates, and automation	“Provision through automation”	Manual administration only

4.3 Cloud service types

Service model	Customer manages	Provider manages	Best scenario
IaaS	Guest OS, applications, data, configuration	Physical datacenter, hosts, underlying infrastructure	Lift-and-shift, custom OS control
PaaS	Application code and data	Infrastructure, OS, runtime, middleware	Managed application hosting
SaaS	Users, data usage, access decisions	Complete application and supporting platform	Ready-to-use business application

Fast comparison

Requirement	Choose
Maximum guest OS control	IaaS
Deploy code without patching the OS	PaaS
Use a complete provider-managed application	SaaS
Run triggered code without server management	Serverless

Domain 1 traps

Do not confuse elasticity with scalability. Elasticity emphasizes dynamic adjustment as demand changes.
Do not confuse high availability with horizontal scaling. Scaling may support availability, but the concepts are not identical.
Do not say Microsoft patches the guest OS of an IaaS VM. The customer manages the VM guest OS.
Do not choose SaaS for a lift-and-shift migration. SaaS replaces the application with a complete managed application.
Do not choose PaaS when the requirement explicitly demands guest OS control.

Domain 2 — Describe Azure Architecture and Services

4.4 Core Azure architecture

Physical and geographic concepts

Concept	Meaning	Key exam clue
Azure datacenter	Physical facility containing servers, networking, power, and cooling	“Physical facility”
Azure region	Geographic area containing one or more datacenters connected through a low-latency network	“Deploy in a geographic area”
Availability zone	Physically separate location within a supported region with independent power, cooling, and networking	“Protect from datacenter-level failure in the same region”
Region pair	Relationship between two Azure regions used for certain replication and recovery considerations	“Secondary region” or regional recovery relationship
Sovereign region	Specialized Azure environment for particular government or legal requirements	“Government, legal, or isolated environment”

Management hierarchy

Memorize this order:

Management group → Subscription → Resource group → Resource

Scope	Purpose	Exam clue
Management group	Organize and govern multiple subscriptions	“Apply policy across subscriptions”
Subscription	Billing and access-control boundary	“Separate billing for development and production”
Resource group	Logical container for resources managed together	“Group resources for one application lifecycle”
Resource	Individual Azure item, such as a VM, VNet, or storage account	“The deployed service itself”

Hierarchy traps

A resource group is logical, not physical.
A resource belongs to one resource group at a time.
Resources inside one resource group can often be located in different regions.
A subscription is not an availability or resiliency feature.
A management group does not contain VMs directly; it organizes subscriptions.

4.5 Compute services

Compute selection table

Requirement	Recommended service	Why	Common wrong answer
Full guest OS control	Azure Virtual Machines	VM provides OS-level control	Azure Functions
Identical load-balanced VMs that can scale	Virtual Machine Scale Sets	Manages a scalable VM group	Availability set
Spread VMs across fault and update domains	Availability set	Helps reduce impact of host maintenance or faults	Availability zone
Virtualized desktops and apps for remote users	Azure Virtual Desktop	Delivers desktop and app virtualization	Azure Functions
Portable package with code and dependencies	Containers	Consistent deployment unit	Resource group
Event-driven execution without server management	Azure Functions	Serverless compute	Azure Virtual Machines
Managed hosting for web applications	Azure App Service Web Apps	PaaS-style web hosting	VM unless OS control is required

Azure VM supporting resources

A VM commonly needs:

A network interface (NIC).
A virtual network and subnet.
Storage for the operating-system disk.
Optional data disks.
Optional public IP or private connectivity depending on the design.

Exam rule: a NIC connects a VM to a VNet. Managed disks provide persistent block storage for VM OS and data disks.

Availability set versus availability zone versus scale set

Feature	Primary purpose
Availability set	Distribute VMs across fault and update domains
Availability zone	Separate physical location inside a region
Virtual Machine Scale Set	Deploy and scale a group of similar VMs

Compute traps

Choose Functions for event-driven serverless code, not for OS administration.
Choose App Service for managed web hosting, not if the scenario explicitly requires guest OS control.
Choose containers when portability and packaged dependencies matter.
Choose VM Scale Sets when the question emphasizes a scalable group of similar VMs.
Choose Azure Virtual Desktop for remote user desktops, not ordinary VM autoscaling.

4.6 Networking services

Core networking concepts

Service or concept	Use it for	Key clue
Azure virtual network (VNet)	Private network address space for Azure resources	“Private network in Azure”
Subnet	Segment a VNet into smaller ranges	“Divide a VNet”
VNet peering	Private connectivity between VNets over the Microsoft backbone	“Connect two VNets privately”
Azure DNS	Host DNS zones and resolve names	“Name resolution”
Azure VPN Gateway	Encrypted connection over the public internet	“Encrypted tunnel over internet”
ExpressRoute	Private connectivity from on-premises to Microsoft cloud services	“Avoid the public internet”
Public endpoint	Access through a public address	“Publicly reachable service endpoint”
Private endpoint	Private IP address in a VNet for a supported Azure service	“Reach storage or another service through a private IP”

VPN Gateway versus ExpressRoute

Question clue	Choose
Encrypted connection using the public internet	VPN Gateway
Private circuit that does not send traffic over the public internet	ExpressRoute
Connect two Azure VNets privately	VNet peering
Give an Azure service a private IP inside a VNet	Private endpoint

Networking traps

ExpressRoute is not the answer merely because a connection is secure. It is the answer when private connectivity avoiding the public internet is required.
VPN Gateway uses encrypted traffic over the public internet.
VNet peering connects VNets; it is not a DNS service.
A private endpoint is not the same as a subnet. It places a private IP for a supported service in your VNet.
Azure DNS resolves names. It does not establish network connectivity.

4.7 Storage services

Storage service selection

Service	Purpose	Example
Azure Blob Storage	Unstructured object data	Images, videos, backups, documents
Azure Files	Managed file shares	SMB file share for users or applications
Azure Queue Storage	Asynchronous messages	Decouple application components
Azure Table Storage	NoSQL key-attribute data	Large structured non-relational entity data
Azure managed disks	Persistent block storage for Azure VMs	OS disks and data disks

Storage tiers

Tier	Best for	Access pattern
Hot	Frequently accessed data	Regular reads and writes
Cool	Infrequently accessed but still online data	Occasional reads
Archive	Rarely accessed long-term data	Retrieval delay is acceptable

Storage redundancy

Option	Replication pattern	Choose when
LRS	Multiple copies in one datacenter in the primary region	Lowest-cost local redundancy
ZRS	Copies across availability zones in the primary region	Protect against zone-level failure
GRS	Copies in the primary region and a paired secondary region	Geographic replication
GZRS	Zone redundancy in the primary region plus replication to a secondary region	Combine zone and geographic resiliency

Storage account options

A storage account provides a unique namespace for Azure Storage data. Important exam ideas include:

Standard versus Premium performance.
Storage services available through the account.
Redundancy choice.
Data-access pattern.
Access tier for Blob Storage where relevant.

Data movement and migration

Requirement	Tool
Command-line copying to or from Azure Storage	AzCopy
Graphical desktop management of Azure Storage data	Azure Storage Explorer
Cache an Azure file share on Windows Server and synchronize changes	Azure File Sync
Assess and plan migration of on-premises servers	Azure Migrate
Transfer a very large dataset offline because the network is too slow	Azure Data Box

Storage traps

Blob is object storage; Azure Files is a managed file share.
Queue Storage stores messages, not files.
Table Storage stores non-relational entities, not VM disks.
Managed disks are for VM block storage.
Archive is not for immediate access; retrieval takes time.
ZRS stays in the primary region across zones.
GRS adds a secondary geographic region.
GZRS combines zones in the primary region with geographic replication.
Azure Data Box transfers large offline datasets. It is not a monitoring, governance, or identity tool.
Azure Migrate assesses and plans migrations. It is broader than offline data transfer.

4.8 Identity, access, and security

Identity and directory services

Service	Purpose	Exam clue
Microsoft Entra ID	Cloud identity and access management	“Users, applications, and access in the cloud”
Microsoft Entra Domain Services	Managed domain capabilities such as domain join, LDAP, Kerberos, and NTLM without managing domain controllers	“Legacy domain features without deploying domain controllers”
External identities	Collaboration with users outside the organization	“Partners use their own identities”

Authentication and access controls

Capability	Purpose	Exam clue
Single sign-on (SSO)	Sign in once and access multiple authorized apps	“Avoid repeated sign-ins”
Multifactor authentication (MFA)	Require an additional verification factor	“Beyond a password”
Passwordless authentication	Authenticate without entering a password	“Biometrics or security key”
Conditional Access	Apply access rules based on signals such as location, user, device, risk, or app	“Require MFA from unfamiliar locations”
Azure RBAC	Grant authorized actions at a defined Azure scope	“Allow support team to restart VMs but not manage storage”

Security concepts

Concept	Meaning
Zero Trust	Verify explicitly, use least privilege, and assume breach
Defense in depth	Apply multiple security layers: physical, identity, perimeter, network, compute, application, and data
Microsoft Defender for Cloud	Improve security posture and protect Azure and hybrid workloads

Identity and security traps

Entra ID is cloud identity and access management.
Entra Domain Services provides managed legacy domain capabilities without customer-managed domain controllers.
SSO improves sign-in experience. It does not automatically add a second factor.
MFA adds verification factors. It is not the same as passwordless.
Conditional Access decides when access controls apply.
RBAC decides what an identity can do at a scope.
Defender for Cloud improves workload security posture. It is not the same as Entra ID.

Domain 3 — Describe Azure Management and Governance

4.9 Cost management

Cost tools

Requirement	Tool	Why
Estimate expected price before deployment	Azure pricing calculator	Models planned services and configurations
Analyze spending, create budgets, and review trends	Microsoft Cost Management	Manages actual and forecasted spending
Identify owner, department, or environment	Tags	Adds metadata for organization and reporting
Find cost-optimization recommendations	Azure Advisor	Suggests improvements such as reducing waste

Cost factors

Azure cost can vary with:

Service type.
Resource size or tier.
Usage duration.
Region.
Data transfer patterns.
Storage redundancy and access tier.
Number of deployed resources.

Cost traps

Tags help organize and report on resources. Tags do not automatically reduce charges.
A budget can notify you when spending approaches a threshold. It does not automatically fix every cost issue.
The pricing calculator estimates a future design. Cost Management analyzes spending in an Azure environment.
Azure Advisor recommends improvements. It is not the main budgeting tool.

4.10 Governance and compliance

Governance tools

Requirement	Tool	Why
Require approved regions or tags	Azure Policy	Audit or enforce standards
Prevent accidental deletion but allow changes	CanNotDelete lock	Blocks deletion
Prevent changes and deletion	ReadOnly lock	More restrictive lock
Discover and govern data across an environment	Microsoft Purview	Data governance capability
Apply governance across subscriptions	Management group plus Azure Policy	Parent scope for child subscriptions

Azure Policy versus resource lock versus RBAC versus tags

Tool	Main question it answers
Azure Policy	Is this resource configuration allowed or compliant?
Resource lock	Can this resource be deleted or modified?
Azure RBAC	What actions can this identity perform at this scope?
Tags	How should this resource be classified or reported?

Governance traps

Azure Policy does not replace RBAC.
RBAC controls authorized actions; Policy evaluates allowed configurations.
A CanNotDelete lock still allows authorized changes.
A ReadOnly lock blocks changes and deletion.
Tags are metadata, not security boundaries.
Microsoft Purview is about data governance, not VM monitoring.

4.11 Management and deployment tools

Management interfaces

Tool	Best use
Azure portal	Browser-based graphical resource management
Azure Cloud Shell	Authenticated browser shell with Bash or PowerShell experiences
Azure CLI	Cross-platform `az` commands
Azure PowerShell	PowerShell cmdlets for Azure administration
Azure Arc	Extend Azure management to servers and Kubernetes resources outside Azure
Infrastructure as code (IaC)	Define repeatable deployments in version-controlled files
Azure Resource Manager (ARM)	Azure deployment and management layer
ARM template	Declarative JSON file for repeatable Azure deployments

Deployment decision rules

Scenario	Choose
Beginner wants a graphical browser interface	Azure portal
Administrator wants a browser shell	Cloud Shell
Linux-oriented automation with `az` commands	Azure CLI
PowerShell-based automation	Azure PowerShell
Manage servers outside Azure through Azure capabilities	Azure Arc
Repeatable version-controlled infrastructure deployment	IaC
Declarative JSON deployment	ARM template

Deployment traps

Cloud Shell is a browser-accessible shell; it is not the same as the portal GUI.
CLI and PowerShell are both management tools. Select based on the command style described.
ARM is the management layer; an ARM template is a declarative deployment file.
Azure Arc extends management beyond Azure. It is not a data-transfer appliance.

4.12 Monitoring tools

Monitoring selection

Requirement	Tool
Personalized recommendations for cost, reliability, security, performance, or operations	Azure Advisor
Azure platform incident, planned maintenance, or health advisory	Azure Service Health
Collect, analyze, and act on metrics and logs	Azure Monitor
Query and analyze collected log data	Log Analytics
Notify when a threshold is crossed	Azure Monitor alerts
Monitor application performance, request rates, failures, and dependencies	Application Insights

The monitoring map

Think of the tools as a sequence:

Advisor: “What should I improve?”
Service Health: “Is Azure experiencing a service issue that affects me?”
Monitor: “What telemetry is my environment producing?”
Log Analytics: “What do the collected logs tell me?”
Alerts: “Notify or trigger an action when a condition is met.”
Application Insights: “How is my application behaving?”

Monitoring traps

Azure Service Health is for Azure service issues and maintenance, not application debugging.
Application Insights is for application telemetry, not policy compliance.
Azure Monitor collects and analyzes telemetry; Azure Policy governs configurations.
Advisor provides recommendations, not real-time incident notifications.
Log Analytics is for querying logs; it is part of the monitoring workflow.

5. Service Selection Guide

5.1 Compute quick selection

If the scenario says...	Think...	Avoid choosing...
“Need OS-level control”	Azure Virtual Machines	App Service or Functions
“Group of identical VMs that scales”	VM Scale Sets	Availability set
“Spread VMs across fault and update domains”	Availability set	VM Scale Sets
“Remote Windows desktops and apps”	Azure Virtual Desktop	Ordinary VM scaling
“Portable app package and dependencies”	Containers	Resource groups
“Triggered code; no server management”	Azure Functions	Full VMs
“Managed hosting for a web app”	Azure App Service	VMs unless OS control is required

5.2 Networking quick selection

If the scenario says...	Think...
“Private network address space in Azure”	VNet
“Divide the VNet”	Subnet
“Connect VNets privately”	VNet peering
“Resolve names”	Azure DNS
“Encrypted tunnel over the internet”	VPN Gateway
“Private circuit; avoid public internet”	ExpressRoute
“Use a private IP to reach a supported Azure service”	Private endpoint
“Reach service through public address”	Public endpoint

5.3 Storage quick selection

If the scenario says...	Think...
“Images, video, backups, unstructured objects”	Blob Storage
“SMB file share”	Azure Files
“Asynchronous messages”	Queue Storage
“NoSQL key-attribute entities”	Table Storage
“VM operating-system or data disk”	Managed disks
“Frequent access”	Hot tier
“Infrequent but online access”	Cool tier
“Rare access; retrieval delay acceptable”	Archive tier
“Copies within one datacenter”	LRS
“Copies across zones in the primary region”	ZRS
“Replication to a secondary region”	GRS
“Zones plus secondary region”	GZRS

5.4 Identity and security quick selection

If the scenario says...	Think...
“Cloud identity and access management”	Microsoft Entra ID
“Managed LDAP, Kerberos, or domain join”	Entra Domain Services
“Partners use their own identity”	External identities
“Sign in once”	SSO
“Require an extra verification factor”	MFA
“Biometrics or security keys without passwords”	Passwordless
“Require MFA for location, device, user, or app conditions”	Conditional Access
“Allow team to restart VMs only”	Azure RBAC
“Verify explicitly; assume breach”	Zero Trust
“Layered controls”	Defense in depth
“Security posture recommendations and workload protection”	Defender for Cloud

5.5 Governance and operations quick selection

If the scenario says...	Think...
“Approved region or mandatory tag”	Azure Policy
“Prevent deletion”	CanNotDelete lock
“Prevent changes and deletion”	ReadOnly lock
“Classify by owner, environment, department”	Tags
“Govern data estate”	Microsoft Purview
“Estimate cost before deploying”	Pricing calculator
“Budgets and spending trends”	Cost Management
“Optimization recommendations”	Azure Advisor
“Azure incident or maintenance”	Azure Service Health
“Metrics, logs, and alerts”	Azure Monitor
“Query logs”	Log Analytics
“Application request rates and failures”	Application Insights

6. Architecture Patterns

Pattern 1: Lift-and-shift legacy workload

Scenario: A company wants to migrate a legacy server application with minimal code change and retain guest OS control.

Recommended solution: Azure Virtual Machines, usually aligned with IaaS.

Why alternatives fail:

App Service is a managed web-hosting platform and may require application compatibility changes.
Functions is for event-driven serverless code.
SaaS replaces the application with a complete provider-managed application.

Pattern 2: Managed web application

Scenario: Developers want to deploy a web app without patching operating systems.

Recommended solution: Azure App Service Web Apps.

Why alternatives fail:

A VM can host the app, but it adds OS management.
Functions may be appropriate for event-driven components but not automatically for a conventional web application.

Pattern 3: Event-driven processing

Scenario: Run code when a message arrives, without managing servers.

Recommended solution: Azure Functions.

Why alternatives fail:

VMs add unnecessary infrastructure administration.
Queue Storage may store the message, but it does not execute the code.

Pattern 4: Same-region datacenter-failure protection

Scenario: Keep an application resilient to a datacenter-level failure while staying in one region.

Recommended solution: Availability zones.

Why alternatives fail:

Availability sets address fault and update domains but are not the same as separate datacenter locations.
Region pairs involve a separate region.

Pattern 5: On-premises-to-Azure network connection

Scenario A: Secure encrypted connection over the public internet.

Recommended solution: VPN Gateway.

Scenario B: Private connection that avoids the public internet.

Recommended solution: ExpressRoute.

Why alternatives fail:

VNet peering connects VNets, not an on-premises site by itself.
Azure DNS resolves names and does not create the connection.

Pattern 6: Private access to Azure Storage

Scenario: The storage account should be reachable using a private IP in a VNet.

Recommended solution: Private endpoint.

Why alternatives fail:

A public endpoint does not meet the private-IP requirement.
A subnet is a network segment but does not by itself create private access to the storage service.

Pattern 7: Storage choice by data shape

Scenario: Choose storage for a specific data type.

Data shape	Choose
Objects such as images or backups	Blob
Shared folders over SMB	Files
Messages between components	Queue
Non-relational key-attribute entities	Table
VM disks	Managed disks

Pattern 8: Governance at scale

Scenario: Enforce approved regions across multiple subscriptions.

Recommended solution: Assign Azure Policy at a management-group scope.

Why alternatives fail:

A resource lock protects a resource from deletion or changes but does not enforce deployment rules.
Tags classify resources but do not enforce all configuration standards.
RBAC controls user actions, not resource configuration compliance.

Pattern 9: Monitoring a slowdown

Scenario A: Determine whether Azure has an incident affecting your resource.

Recommended solution: Azure Service Health.

Scenario B: Investigate application request rates, failures, or performance.

Recommended solution: Application Insights.

Scenario C: Query logs collected from the environment.

Recommended solution: Log Analytics.

Pattern 10: Repeatable deployments

Scenario: Create consistent environments using version-controlled files.

Recommended solution: Infrastructure as code. For a declarative JSON Azure deployment, use an ARM template.

Why alternatives fail:

Manual portal deployment is less repeatable.
Cloud Shell is an interface for commands, not a deployment definition.

7. Exam Traps

7.1 Misleading wording

Watch for these decisive words:

Word or phrase	Meaning
“Over the public internet”	VPN Gateway
“Avoid the public internet”	ExpressRoute
“Private IP inside a VNet”	Private endpoint
“Datacenter-level failure within a region”	Availability zone
“Fault domains and update domains”	Availability set
“Scale a group of identical VMs”	VM Scale Sets
“Without managing servers”	Functions or serverless
“Without patching the OS”	PaaS-style service such as App Service
“Guest OS control”	VM / IaaS
“Prevent deletion”	CanNotDelete lock
“Prevent modification and deletion”	ReadOnly lock
“Standards and compliance”	Azure Policy
“What can the user do?”	RBAC
“Service incident or maintenance”	Service Health
“Recommendations”	Advisor
“Application requests and failures”	Application Insights

7.2 Wrong-but-plausible answers

Many distractors are valid Azure services but belong to the wrong category.

Examples:

Azure DNS is valid, but it does not connect networks.
Azure Data Box is valid, but it does not monitor resources.
Azure Policy is valid, but it does not copy files.
Azure Files is valid, but it does not store asynchronous messages.
Azure Monitor is valid, but it does not enforce allowed regions.
Resource locks are valid, but they do not assign user permissions.
Tags are valid, but they do not automatically lower costs.
VNet peering is valid, but it is not an identity or authentication service.

7.3 Common distractor categories

When eliminating answers, ask whether the option belongs to the correct category:

Category	Examples
Compute	VMs, Scale Sets, Functions, App Service, containers, Virtual Desktop
Networking	VNet, subnet, peering, DNS, VPN Gateway, ExpressRoute, endpoints
Storage	Blob, Files, Queue, Table, disks, tiers, redundancy
Identity	Entra ID, Domain Services, SSO, MFA, Conditional Access, RBAC
Governance	Policy, locks, tags, Purview, management groups
Deployment	Portal, Cloud Shell, CLI, PowerShell, ARM, templates, Arc
Monitoring	Advisor, Service Health, Monitor, Log Analytics, alerts, Application Insights
Cost	Pricing calculator, Cost Management, budgets

If three answers are from unrelated categories and one matches the scenario category, the correct choice is usually clear.

7.4 Elimination strategy

Use this five-step method:

Name the category.
Example: “This is a networking question.”
Extract the hard constraint.
Example: “The connection must avoid the public internet.”
Remove wrong-category options.
Azure Policy, Blob Storage, and Application Insights cannot create the connection.
Compare the remaining near-matches.
VPN Gateway is encrypted but uses the public internet. ExpressRoute meets the private-connectivity requirement.
Choose the most direct answer.
Do not add services that the question does not require.

7.5 Common candidate mistakes

Reading only the service names and ignoring decisive wording.
Choosing the most powerful option instead of the simplest correct option.
Confusing management hierarchy with physical architecture.
Treating Policy, locks, RBAC, and tags as interchangeable.
Treating Advisor, Service Health, and Monitor as interchangeable.
Selecting ExpressRoute whenever security is mentioned, even when VPN Gateway is sufficient.
Forgetting that IaaS VM guest OS patching is the customer's responsibility.
Confusing a storage access tier with a redundancy option.
Confusing Queue Storage with file storage.
Confusing SSO with MFA.
Forgetting that Conditional Access applies rules based on signals.

8. Quick Memory Rules

8.1 Rules of thumb

Own the OS? Choose VM / IaaS.
Own the code, not the OS? Choose PaaS.
Use the complete application? Choose SaaS.
Triggered code, no server management? Choose Functions.
Private network in Azure? Choose VNet.
Split a VNet? Choose subnets.
Connect VNets? Choose peering.
Secure tunnel over internet? Choose VPN Gateway.
Private circuit avoiding internet? Choose ExpressRoute.
Private IP for a service? Choose private endpoint.
Objects? Blob. Shares? Files. Messages? Queue. Entities? Table. VM blocks? Managed disks.
Frequent access? Hot. Occasional access? Cool. Rare access? Archive.
One datacenter? LRS. Zones? ZRS. Geography? GRS. Zones plus geography? GZRS.
Cloud identity? Entra ID. Managed legacy domain features? Entra Domain Services.
One sign-in? SSO. Extra factor? MFA. No password? Passwordless. Conditional rule? Conditional Access.
Permissions? RBAC. Standards? Policy. Protection from changes? Lock. Classification? Tags.
Estimate future price? Pricing calculator. Analyze spending? Cost Management.
Recommendations? Advisor. Platform incident? Service Health. Telemetry? Monitor. Logs? Log Analytics. Application behavior? Application Insights.
GUI? Portal. Browser shell? Cloud Shell. az commands? CLI. Cmdlets? PowerShell. Declarative JSON? ARM template. Outside Azure? Arc.

8.2 Architecture hierarchy memory aid

Use: M → S → RG → R

Management group
Subscription
Resource Group
Resource

Think: Manage subscriptions, group resources, deploy resources.

8.3 Storage redundancy memory aid

Use: L → Z → G → GZ

LRS: local datacenter.
ZRS: zones in one region.
GRS: geographic secondary region.
GZRS: zones plus geographic secondary region.

8.4 Monitoring memory aid

Use: Recommend → Health → Monitor → Logs → Alert → App

Advisor recommends.
Service Health reports Azure service issues.
Monitor gathers telemetry.
Log Analytics queries logs.
Alerts notify.
Application Insights explains application behavior.

9. Final Revision Notes

9.1 Highest-yield review points

Before the exam, make sure you can answer these without hesitation:

Public versus private versus hybrid cloud.
CapEx versus OpEx and consumption-based pricing.
Shared responsibility in IaaS, PaaS, and SaaS.
High availability, scalability, elasticity, reliability, predictability, governance, and manageability.
IaaS versus PaaS versus SaaS versus serverless.
Region versus datacenter versus zone versus region pair.
Management group versus subscription versus resource group versus resource.
VM versus Scale Set versus availability set versus Virtual Desktop.
Functions versus containers versus App Service versus VMs.
VNet, subnet, peering, DNS, VPN Gateway, ExpressRoute, public endpoints, and private endpoints.
Blob, Files, Queue, Table, managed disks, tiers, and redundancy.
AzCopy, Storage Explorer, File Sync, Azure Migrate, and Data Box.
Entra ID, Entra Domain Services, external identities, SSO, MFA, passwordless, Conditional Access, and RBAC.
Zero Trust, defense in depth, and Defender for Cloud.
Pricing calculator, Cost Management, tags, and Advisor.
Policy, locks, Purview, and management groups.
Portal, Cloud Shell, CLI, PowerShell, Arc, IaC, ARM, and templates.
Advisor, Service Health, Monitor, Log Analytics, alerts, and Application Insights.

9.2 Last-day revision list

Do these in order:

Recite the architecture hierarchy.
Recite storage service mappings.
Recite storage redundancy mappings.
Compare VPN Gateway and ExpressRoute.
Compare Policy, locks, RBAC, and tags.
Compare Advisor, Service Health, Monitor, Log Analytics, alerts, and Application Insights.
Compare Entra ID and Entra Domain Services.
Compare SSO, MFA, passwordless, and Conditional Access.
Compare VMs, App Service, containers, and Functions.
Review every question you previously answered incorrectly.

9.3 One-minute rapid review

Guest OS control → VM.
Managed web app → App Service.
Triggered code → Functions.
Two VNets → peering.
Internet tunnel → VPN Gateway.
Private circuit → ExpressRoute.
Private service IP → private endpoint.
Objects → Blob.
SMB → Files.
Messages → Queue.
NoSQL entities → Table.
VM disks → managed disks.
Standards → Policy.
Prevent deletion → CanNotDelete lock.
Prevent all changes → ReadOnly lock.
Permissions → RBAC.
Estimate cost → pricing calculator.
Spending trends and budgets → Cost Management.
Recommendations → Advisor.
Azure incident → Service Health.
Telemetry → Monitor.
Query logs → Log Analytics.
Application telemetry → Application Insights.

10. Exam-Day Checklist

Must-know topics

Cloud concepts

I can distinguish public, private, and hybrid cloud.
I can explain CapEx, OpEx, and consumption-based pricing.
I understand shared responsibility across IaaS, PaaS, and SaaS.
I can distinguish scalability, elasticity, high availability, and reliability.
I can select IaaS, PaaS, SaaS, or serverless for a scenario.

Architecture and services

I know region, datacenter, availability zone, region pair, and sovereign region.
I know the hierarchy: management group → subscription → resource group → resource.
I can select VM, Scale Set, availability set, Virtual Desktop, container, Function, or App Service.
I know that a NIC connects a VM to a VNet and managed disks store VM OS and data disks.
I can select VNet, subnet, peering, DNS, VPN Gateway, ExpressRoute, public endpoint, or private endpoint.
I can select Blob, Files, Queue, Table, or managed disks.
I can select Hot, Cool, or Archive tiers.
I can distinguish LRS, ZRS, GRS, and GZRS.
I know AzCopy, Storage Explorer, File Sync, Azure Migrate, and Data Box.
I can distinguish Entra ID and Entra Domain Services.
I can distinguish SSO, MFA, passwordless, Conditional Access, and RBAC.
I understand Zero Trust, defense in depth, and Defender for Cloud.

Management and governance

I can select the pricing calculator, Cost Management, tags, or Advisor.
I can distinguish Policy, locks, RBAC, and tags.
I know the difference between CanNotDelete and ReadOnly locks.
I know Microsoft Purview is a data-governance capability.
I can select portal, Cloud Shell, CLI, PowerShell, Arc, IaC, ARM, or ARM templates.
I can distinguish Advisor, Service Health, Monitor, Log Analytics, alerts, and Application Insights.

Final confidence checklist

I read the entire question and identify the primary requirement before looking at the options.
I eliminate answers from the wrong service category.
I choose the simplest service that directly meets the requirement.
I explain why the strongest distractor is wrong.
I do not confuse a management tool with a network, storage, compute, or identity service.
I do not confuse a storage tier with a redundancy option.
I do not confuse an Azure platform incident with an application-performance issue.
I do not assume a more expensive or complex option is automatically better.
I am ready to use the practice bank for mixed review.

Appendix A — Confusing-Service Master Table

Confusing services	Correct distinction
IaaS vs PaaS vs SaaS	OS control vs managed app platform vs complete application
VM vs Functions	OS-level compute vs serverless event-driven code
VM Scale Sets vs availability sets	Scaling similar VMs vs distributing VMs across fault and update domains
Availability set vs availability zone	Host-domain distribution vs physically separate location within a region
Availability zone vs region pair	Same-region datacenter isolation vs cross-region relationship
VNet peering vs VPN Gateway vs ExpressRoute	VNet-to-VNet private connection vs encrypted internet tunnel vs private circuit
Public endpoint vs private endpoint	Public address vs private IP in a VNet
Blob vs Files	Object storage vs managed file shares
Queue vs Table	Messages vs non-relational entities
Hot vs Cool vs Archive	Frequent vs infrequent online vs rare delayed access
LRS vs ZRS vs GRS vs GZRS	Local vs zones vs geography vs zones plus geography
Entra ID vs Entra Domain Services	Cloud identity vs managed legacy domain capabilities
SSO vs MFA vs passwordless vs Conditional Access	One login vs extra factor vs no password vs rule-based access enforcement
RBAC vs Policy vs locks vs tags	Permissions vs standards vs protection from changes vs metadata
Pricing calculator vs Cost Management	Estimate proposed design vs analyze spending and budgets
Advisor vs Service Health vs Monitor	Recommendations vs Azure platform issues vs telemetry platform
Monitor vs Log Analytics vs Application Insights	Telemetry platform vs log queries vs app performance monitoring
Portal vs Cloud Shell vs CLI vs PowerShell	Browser GUI vs browser shell vs `az` commands vs cmdlets
Azure Migrate vs Azure Data Box	Migration assessment and planning vs offline bulk data transfer
ARM vs ARM template	Azure management layer vs declarative JSON deployment file

Appendix B — Source Alignment Note

This course was synthesized from the analyzed AZ-900 practice-question bank and aligned with the Microsoft Learn AZ-900 study guide for skills measured as of January 14, 2026. The guide intentionally consolidates repeated questions into original explanations, decision frameworks, and service-selection rules. It is a revision course, not a reproduction of live exam content.

lock_open

Unlock the full course

All 51 modules with detailed explanations, code examples, and exam tips.

upgrade Get Full Access auto_stories View Full Course description 3-Page Summary

list_alt

Revision Queue

Wrong Only

Unanswered Only

Needs Attention

3 topics

Question 10 of 1100

Describe cloud concepts · 28%

An administrator is comparing introductory Azure options. Relecloud runs an application on Azure virtual machines. Who is responsible for patching the guest operating system? The team is documenting why the strongest distractor does not satisfy the requirement.

The customer

The hardware vendor only

Microsoft only

The internet service provider

arrow_back Prev

0 correct

0 wrong

1100 left

1% done

grid_view

Questions

10/1100

Correct Wrong Current Unseen Flagged Locked

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

35 free · 1065 locked

Keyboard Shortcuts

1-5 Select option

↵ Check answer

←→ Prev / Next

F Flag for review

track_changes

Plan Progress

Quick Stats

Answered 0/1100

Correct 0

Wrong 0

Remaining 1100