Use this for last‑mile review. Pair it with the Syllabus for coverage and Practice to validate speed/accuracy.
AZ-900 at a glance (what Microsoft tests)
AZ-900 is concept + vocabulary: what a service does, when you’d use it, and the basics of identity/governance and cost/SLA.
Domain weighting (official ranges)
| Domain | Weight | Visual (relative) |
|---|---|---|
| Cloud concepts | 25–30% | ███████ |
| Azure architecture & services | 35–40% | ██████████ |
| Azure management & governance | 30–35% | █████████ |
1) Cloud concepts (must-know contrasts)
IaaS vs PaaS vs SaaS (responsibility + examples)
| Model | You manage | Provider manages | Azure examples | Exam cue |
|---|---|---|---|---|
| IaaS | OS, runtime, apps, data | Physical hosts, network, datacenter | Virtual Machines, VNets | “Need OS control / lift-and-shift” |
| PaaS | Apps + data (sometimes config) | OS, runtime, patching, platform | App Service, Azure SQL Database, Functions | “Minimize ops / managed service” |
| SaaS | Data you put in + access | Everything else | Microsoft 365, Dynamics 365 | “Use the product, not the platform” |
Shared responsibility (rule of thumb): move from IaaS → PaaS → SaaS and you manage less, but also have less low-level control.
Public vs private vs hybrid vs multicloud
| Model | What it means | Typical use |
|---|---|---|
| Public cloud | Services hosted by provider (Azure) | Most modern workloads |
| Private cloud | Cloud-like environment dedicated to one org | Strict control / legacy constraints |
| Hybrid | Connect on-prem + cloud | Gradual migration, data residency |
| Multicloud | Use multiple public clouds | Risk reduction, best-of-breed |
Core “cloud benefits” vocabulary
| Term | Quick definition | What it implies |
|---|---|---|
| High availability | Stay up during failures | Redundancy (zones/regions), health probes |
| Scalability | Handle growth | Scale up (bigger) or out (more instances) |
| Elasticity | Scale automatically with demand | Scale out/in quickly; pay for what you use |
| Reliability | Consistent operation | Fewer outages, predictable performance |
| Resiliency | Recover quickly from failures | DR, backups, automated failover |
| Fault tolerance | Continue operating despite component failure | No single point of failure |
CapEx vs OpEx (classic exam concept)
| CapEx | OpEx |
|---|---|
| Upfront purchase (servers, datacenter) | Pay-as-you-go consumption |
| Fixed capacity, depreciation | Flexible capacity, variable spend |
| Slower to change | Faster to scale/change |
2) Azure global infrastructure (regions, zones, pairs)
| Concept | Meaning | AZ-900-level take |
|---|---|---|
| Geography | Large area (country/region group) | Helps with data residency/compliance framing |
| Region | One or more datacenters in an area | You choose region for latency/residency |
| Availability Zone | Separate datacenter(s) inside a region | Higher availability inside one region |
| Region pair | Two linked regions for DR planning | Cross-region resiliency patterns |
```mermaid
flowchart TD
    GEO["Geography"] --> R1["Region A"]
    GEO --> R2["Region B"]
    R1 --> Z1["Zone 1"]
    R1 --> Z2["Zone 2"]
    R1 --> Z3["Zone 3"]
    R1 --- RP["Paired region"]
    RP --- R2
```
High-yield picks
- “Protect from a datacenter failure” → Availability Zones (when supported).
- “Protect from a regional failure” → multi-region strategy (often using a region pair).
- “Keep data in-country” → choose the right region/geography + the service’s data residency rules.
3) Azure hierarchy + resource organization (the mental model)
Scope and grouping
Scope order: Management Group → Subscription → Resource Group → Resource
| Layer | What it is | Why it exists |
|---|---|---|
| Tenant (Entra ID) | Identity boundary (directory) | Users, groups, app registrations |
| Management group | Group subscriptions | Apply governance (Policy/RBAC) at scale |
| Subscription | Billing + quota boundary | Separate environments, departments, projects |
| Resource group | Logical container | Manage lifecycle together (deploy/lock/delete) |
| Resource | The actual service | VM, VNet, storage account, etc. |
Rule of thumb: Organize by blast radius and billing (subscriptions), then by lifecycle (resource groups).
Azure Resource Manager (ARM)
- ARM is Azure’s control plane for creating/updating/deleting resources.
- Infrastructure as code options: ARM templates (JSON) and Bicep (simpler syntax).
4) Core Azure services (concept-level service picker)
Compute
| Need | Best fit | Why |
|---|---|---|
| Full OS control / lift-and-shift | Virtual Machines | You manage OS patches and configuration |
| Auto-scale VMs as a group | VM Scale Sets | Scale out/in based on rules |
| Host a web app/API without server management | App Service | Managed platform, scaling, deployment slots |
| Run event-driven code | Azure Functions | Trigger-based, pay per execution (plan-dependent) |
| Run containers without managing servers | Container Instances | Simple “run a container” |
| Orchestrate many containers | AKS | Kubernetes management layer |
Networking
| Service | What it does | Exam cue |
|---|---|---|
| Virtual Network (VNet) | Private network in Azure | “Isolated network, subnets, peering” |
| Network Security Group (NSG) | Allow/deny network traffic | “Firewall-like rules at subnet/NIC” |
| VPN Gateway | Encrypted tunnel over internet | “Site-to-site or point-to-site VPN” |
| ExpressRoute | Private dedicated connection | “Low latency, private, enterprise connectivity” |
| Load Balancer | Layer 4 traffic distribution | “TCP/UDP load balancing” |
| Application Gateway | Layer 7 routing + WAF option | “HTTP routing, TLS offload, WAF” |
| Front Door | Global layer 7 entry + WAF/CDN | “Global users, edge routing” |
| Private Endpoint | Private IP to a PaaS service | “Access PaaS privately from VNet” |
Storage
| Type | What it’s for | Example |
|---|---|---|
| Blob | Object storage | Images, backups, logs |
| Files | Managed SMB file shares | Lift-and-shift shared folders |
| Queue | Simple messaging queue | Background processing buffer |
| Table | NoSQL key-value (legacy style) | Simple structured data |
| Disks | Block storage for VMs | OS/data disks |
Databases (fundamentals)
| Category | Best-known Azure services | When to pick |
|---|---|---|
| Relational | Azure SQL Database, SQL Managed Instance | Structured data, SQL queries, ACID |
| NoSQL | Cosmos DB | Global distribution, flexible schema, low latency |
| Open-source managed | Azure Database for PostgreSQL/MySQL | Managed engines without VM ops |
5) Storage redundancy + access tiers (high-yield tables)
Redundancy options (durability vs resiliency)
| Redundancy | Protects against | Cross-region | Zone-aware | Notes |
|---|---|---|---|---|
| LRS | Disk/server/rack failures | ✖ | ✖ | Cheapest; single datacenter |
| ZRS | Datacenter (zone) failure | ✖ | ✔ | Replicates across zones |
| GRS | Regional outage (async copy) | ✔ | ✖ | Replicates to paired region |
| GZRS | Zone + regional outage patterns | ✔ | ✔ | Zones + paired region copy |
| RA-GRS / RA-GZRS | Adds readable secondary | ✔ | — | Read from secondary endpoint |
Blob access tiers
| Tier | Optimized for | Typical use |
|---|---|---|
| Hot | Frequent access | Active data |
| Cool | Infrequent access | Backups, older logs |
| Archive | Rare access, long retention | Compliance, long-term storage |
6) Identity, security, and governance (who vs guardrails)
Authentication vs authorization
- Authentication: prove who you are (sign-in)
- Authorization: what you can do after sign-in (permissions)
Microsoft Entra ID (Azure AD)
- Identity service for users, groups, app registrations, and sign-in policies.
- Common concepts: tenant, users/groups, MFA, SSO.
RBAC vs Policy vs Locks (classic AZ-900 table)
| Control | What it answers | Example use | Think “…” |
|---|---|---|---|
| RBAC | “Who can do what?” | Grant read access to a resource group | Permissions |
| Azure Policy | “What’s allowed?” | Require tags; restrict regions/SKUs | Compliance |
| Resource locks | “Can it be deleted/changed?” | Prevent deleting a production VNet | Protection |
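To make the scope order from section 3 and the RBAC / Policy / Locks contrast above concrete, here is an added example (not from this cheat sheet and not Azure's own code): a toy model in which role assignments, locks and an allowed-locations policy each inherit down the management group → subscription → resource group → resource chain and each answer their own question. Scope names, the two roles and the evaluation order are constructed for illustration.

```python
# Added example, not from the cheat sheet: a toy model of nested Azure scopes
# (management group -> subscription -> resource group -> resource) showing the
# question each of RBAC, resource locks and Azure Policy answers, and that all
# three inherit down the hierarchy. Names, roles and the evaluation order are a
# teaching simplification, not how Azure Resource Manager is implemented.
from dataclasses import dataclass, field

Path = tuple[str, ...]  # e.g. ("mg-corp", "sub-prod", "rg-net", "vnet-hub")
ROLES = {"Reader": {"read"}, "Contributor": {"read", "write", "delete"}}  # constructed

def ancestors(scope: Path) -> list[Path]:
    """The scope itself, then each enclosing scope up to the management group."""
    return [scope[:i] for i in range(len(scope), 0, -1)]

@dataclass
class Tenant:
    role_assignments: list = field(default_factory=list)   # (principal, role, scope)
    locks: dict = field(default_factory=dict)              # scope -> CanNotDelete|ReadOnly
    allowed_locations: dict = field(default_factory=dict)  # policy: scope -> {regions}

    def evaluate(self, principal: str, action: str, scope: Path, location=None) -> str:
        """Return 'allowed' or 'denied: <reason>' for one control-plane request."""
        # 1) RBAC: "who can do what?" An assignment at any enclosing scope applies.
        if not any(who == principal and path in ancestors(scope) and action in ROLES[role]
                   for who, role, path in self.role_assignments):
            return "denied: no RBAC assignment grants this action at any enclosing scope"
        # 2) Locks: "can it be deleted/changed?" A lock covers everything below it.
        for path in ancestors(scope):
            level = self.locks.get(path)
            if level == "ReadOnly" and action != "read":
                return f"denied: ReadOnly lock at {'/'.join(path)}"
            if level == "CanNotDelete" and action == "delete":
                return f"denied: CanNotDelete lock at {'/'.join(path)}"
        # 3) Policy: "what's allowed?" Here an allowed-locations rule on writes.
        if action == "write" and location is not None:
            for path in ancestors(scope):
                allowed = self.allowed_locations.get(path)
                if allowed is not None and location not in allowed:
                    return f"denied: policy at {'/'.join(path)} allows only {sorted(allowed)}"
        return "allowed"

def demo_tenant() -> Tenant:
    """Constructed sample: Contributor on one RG, Reader on the subscription,
    CanNotDelete lock on the hub VNet, allowed-locations policy at the MG."""
    t = Tenant()
    t.role_assignments += [("alice", "Contributor", ("mg-corp", "sub-prod", "rg-net")),
                           ("bob", "Reader", ("mg-corp", "sub-prod"))]
    t.locks[("mg-corp", "sub-prod", "rg-net", "vnet-hub")] = "CanNotDelete"
    t.allowed_locations[("mg-corp",)] = {"westeurope", "northeurope"}
    return t
```

Call `demo_tenant().evaluate("alice", "delete", ("mg-corp", "sub-prod", "rg-net", "vnet-hub"))` to see the lock, not RBAC, block the delete even though alice is a Contributor on the resource group.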
Key security services (concept-level)
| Service | What it does | Exam cue |
|---|---|---|
| Key Vault | Store secrets/keys/certs securely | “Store connection strings / rotate secrets” |
| Defender for Cloud | Security posture + recommendations | “Improve security score / harden resources” |
| DDoS Protection | Protect from DDoS attacks | “Public endpoints under attack” |
7) Monitoring and service health (what to use when)
| Need | Best-known tool/service | What you get |
|---|---|---|
| Resource metrics + alerts | Azure Monitor | Metrics, alerts, dashboards |
| Central log search | Log Analytics | KQL queries over logs |
| App performance monitoring | Application Insights | Tracing, failures, dependencies |
| Best-practice recommendations | Azure Advisor | Cost, reliability, security suggestions |
| Azure incidents + advisories | Service Health | Outage notifications, RCA, planned maintenance |
8) Pricing + cost management (what moves the bill)
Common cost drivers
- Compute: VM size, hours, autoscale, reserved vs on-demand
- Storage: GB stored, redundancy choice, access tier, operations
- Networking: data egress (outbound), gateways, load balancing
- Licensing: OS/SQL licenses (look for Azure Hybrid Benefit)
Cost tools
- Pricing calculator: estimate Azure spend for a design
- TCO calculator: compare on-prem vs Azure cost
- Cost Management: budgets, alerts, and cost analysis reporting
“Discounting” vocabulary (concept-level)
| Option | What it trades | When it fits |
|---|---|---|
| Reservations | Commitment for lower price | Steady, predictable usage |
| Savings plan for compute | Commit spend/hour for compute discounts | Flexible compute usage |
| Spot | Interruptible capacity | Fault-tolerant batch jobs |
9) SLA math + service lifecycle (fast rules)
Downtime allowances (quick table)
| SLA | Downtime / month (30d) | Downtime / year |
|---|---|---|
| 99% | ~7h 18m | ~3d 15h |
| 99.9% | ~43m | ~8h 46m |
| 99.95% | ~22m | ~4h 23m |
| 99.99% | ~4m | ~52m |
Formula: downtime = (1 − SLA) × total time
Composite SLA (two components)
If services are in series (both must work), multiply availabilities:
- Example: 99.9% × 99.9% = 99.8001% overall
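The downtime formula and the series composite rule above, carried through in code as an added example (not part of the cheat sheet). One caveat worth knowing before the exam: the table's monthly figures correspond to an average month of 365/12 days (43,800 minutes), not exactly 30 days, and they are rounded loosely (99.9% is really 43.8 minutes). The parallel-redundancy rule in the block is an extension beyond what the sheet states.

```python
# Added example, not from the cheat sheet: the sheet's downtime formula
# downtime = (1 - SLA) x total time, applied to its table values, plus the
# series composite-SLA rule. Note the monthly column matches an average month
# of 365/12 days (43,800 min), not exactly 30 days, and rounds loosely.
from math import prod

MINUTES_PER_MONTH = 365 * 24 * 60 / 12   # 43,800 min (average month)
MINUTES_PER_YEAR = 365 * 24 * 60         # 525,600 min


def downtime_minutes(sla: float, period_minutes: float) -> float:
    """Allowed downtime in a period for an availability SLA given as a fraction."""
    if not 0.0 <= sla <= 1.0:
        raise ValueError("SLA must be a fraction between 0 and 1, e.g. 0.999")
    return (1.0 - sla) * period_minutes


def fmt_minutes(minutes: float) -> str:
    """Render minutes as 'Nd Nh Nm', rounding to the nearest minute and
    omitting zero units (438.0 -> '7h 18m')."""
    total = round(minutes)
    days, rem = divmod(total, 24 * 60)
    hours, mins = divmod(rem, 60)
    text = " ".join(f"{v}{u}" for v, u in ((days, "d"), (hours, "h"), (mins, "m")) if v)
    return text or "0m"


def composite_series(slas: list[float]) -> float:
    """Components in series (all must be up): multiply availabilities."""
    return prod(slas)


def composite_parallel(slas: list[float]) -> float:
    """Redundant components in parallel (any one suffices): 1 minus the product
    of the individual failure probabilities. This extends the sheet, which only
    states the series rule."""
    return 1.0 - prod(1.0 - s for s in slas)


if __name__ == "__main__":
    for sla in (0.99, 0.999, 0.9995, 0.9999):
        print(f"{sla:.2%}: ~{fmt_minutes(downtime_minutes(sla, MINUTES_PER_MONTH))} / month, "
              f"~{fmt_minutes(downtime_minutes(sla, MINUTES_PER_YEAR))} / year")
    print(f"series 99.9% x 99.9% = {composite_series([0.999, 0.999]):.4%}")
    print(f"parallel 99.9% || 99.9% = {composite_parallel([0.999, 0.999]):.4%}")
```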
Preview vs GA (fundamentals view)
| Stage | What it implies | Exam note |
|---|---|---|
| Preview | Feature still maturing | SLAs/support may be limited |
| GA | Generally available | Full SLA/support expectations |
10) Fast scenario pickers (most-tested patterns)
- “Grant a user access to manage resources” → RBAC (at the right scope).
- “Require all resources to have tags / restrict regions” → Azure Policy.
- “Prevent deletion of a critical resource” → Resource lock.
- “Store secrets/keys/certs” → Key Vault.
- “Private access to a PaaS service” → Private Endpoint (+ correct DNS).
- “Connect on-prem to Azure privately” → ExpressRoute (vs VPN over internet).
- “Estimate cost” → Pricing calculator; “compare on-prem vs cloud” → TCO calculator.
- “Find outages and planned maintenance” → Service Health.
Mini-glossary (quick recall)
Tenant (identity boundary) • Subscription (billing/quota) • Resource group (lifecycle container) • RBAC (permissions) • Policy (compliance) • Availability Zone (datacenter separation) • Region pair (cross-region DR planning) • Private Endpoint (private IP to PaaS).