AZ-900 Syllabus — Objectives by Domain (Fundamentals)

Use this syllabus as your source of truth for AZ-900. Work through each domain in order and drill targeted sets after every section.

What’s covered

• Domain 1: Describe cloud concepts (27%)
• Domain 2: Describe Azure architecture and services (37%)
• Domain 3: Describe Azure management and governance (36%)

Domain 1: Describe cloud concepts (27%)

Practice this topic →

Task 1.1 - Describe cloud computing and deployment models

• Define cloud computing as on-demand access to shared computing resources over a network.
• Identify common characteristics of cloud computing such as elasticity, self-service, and measured usage.
• Differentiate between public, private, and hybrid cloud deployment models at a conceptual level.
• Identify scenarios where a public cloud deployment model is typically appropriate.
• Identify scenarios where a private cloud deployment model may be preferred.
• Identify scenarios where a hybrid cloud deployment model is appropriate.
• Recognize that Microsoft Azure is an example of a global public cloud platform.
• Compare traditional on-premises IT with cloud-based approaches in terms of flexibility and provisioning speed.
• Recognize that virtualization and resource abstraction are key enablers of cloud computing.
• Select the most appropriate cloud deployment model for a simple described business requirement.

Task 1.2 - Understand the shared responsibility model in Azure

• Describe the concept of the shared responsibility model for security and compliance in Azure.
• Identify examples of responsibilities that Microsoft manages, such as physical datacenter security and host infrastructure.
• Identify examples of responsibilities that customers manage, such as identity, data classification, and application security.
• Differentiate between security of the cloud and security in the cloud in Azure context.
• Explain how responsibilities shift between IaaS, PaaS, and SaaS models in Azure.
• Identify who is responsible for updating the guest operating system on an Azure virtual machine.
• Identify who is responsible for configuring access controls and encryption on customer data stored in Azure services.
• Select the correct party responsible for specific tasks in short Azure security scenarios.
• Recognize common misconceptions about the shared responsibility model that could create security gaps.
• Explain why understanding shared responsibility is critical for secure and compliant Azure adoption.

Task 1.3 - Understand cloud economics and consumption-based pricing

• Describe the consumption-based pricing model used by Azure.
• Differentiate between capital expenditure (CapEx) and operational expenditure (OpEx) in the context of cloud adoption.
• Recognize common on-premises IT costs, such as hardware and facilities, that can be reduced by using Azure.
• Explain that Azure services are typically billed based on resource types, usage duration, and data volume.
• Recognize that running resources continuously versus only when needed affects overall Azure costs.
• Identify that different Azure pricing options, such as pay-as-you-go and reserved capacity, support different usage patterns.
• Explain how elasticity and automatic scaling can reduce over-provisioning and improve cost efficiency.
• Recognize that deleting or deallocating unused resources helps avoid unnecessary Azure charges.
• Select the most cost-appropriate pricing approach for a basic workload description.
• Explain how Azure’s consumption-based model supports experimentation with limited financial risk.

Task 1.4 - Describe the benefits of using cloud services

• Describe how using Azure can improve high availability for applications and data.
• Explain scalability and elasticity as benefits of running workloads in Azure.
• Describe reliability and predictability benefits provided by Azure service SLAs and redundancy options.
• Explain how Azure can improve security posture through built-in controls and centralized identity management.
• Describe how Azure governance features help organizations meet compliance requirements.
• Explain manageability benefits of Azure, such as centralized portals, APIs, and automation tools.
• Recognize how Azure’s global reach can reduce latency and support worldwide users.
• Identify cloud benefits such as faster time to market and increased business agility.
• Map short business scenarios to the primary cloud benefit they illustrate, such as scalability or cost optimization.
• Recognize that cloud adoption can support sustainability goals through shared infrastructure and efficiency.

Task 1.5 - Describe cloud service types and serverless computing

• Define Infrastructure as a Service (IaaS) and give a simple Azure example.
• Define Platform as a Service (PaaS) and give a simple Azure example.
• Define Software as a Service (SaaS) and recognize Microsoft cloud SaaS offerings.
• Compare IaaS, PaaS, and SaaS in terms of customer management responsibilities.
• Identify an appropriate use case for an IaaS-based solution in Azure.
• Identify an appropriate use case for a PaaS-based solution in Azure.
• Identify an appropriate use case for a SaaS-based solution provided by Microsoft or partners.
• Define serverless computing and its key attributes such as event-driven execution and automatic scaling.
• Identify Azure services that support serverless computing, such as Azure Functions and Azure Logic Apps.
• Select the most appropriate cloud service model or serverless option for a basic scenario description.

Domain 2: Describe Azure architecture and services (37%)

Practice this topic →

Task 2.1 - Describe Azure core architectural components

• Describe what an Azure region is and how it relates to underlying datacenters.
• Explain the concept and benefits of Azure region pairs.
• Recognize sovereign regions, such as Azure Government or China regions, and their purpose.
• Describe Azure availability zones and how they improve resiliency within a region.
• Differentiate between regional redundancy and availability zone redundancy at a conceptual level.
• Define an Azure resource and recognize that resources are deployed into resource groups within subscriptions.
• Describe the purpose of resource groups for organizing and managing Azure resources.
• Explain what an Azure subscription is and how it relates to billing and access control.
• Describe Azure management groups and how they help organize multiple subscriptions.
• Identify the correct hierarchy from management groups through subscriptions and resource groups down to resources.

Task 2.2 - Describe Azure compute options and virtual machines

• Identify Azure Virtual Machines as an IaaS service for running Windows and Linux workloads.
• Recognize Azure Virtual Machine Scale Sets as a way to automatically scale a group of VMs.
• Describe Azure availability sets and how they improve VM availability within a single region.
• Identify Azure Virtual Desktop as a service for delivering virtualized Windows desktops and apps from Azure.
• Compare virtual machines, containers, and Azure Functions as different compute types in Azure.
• Identify key resources needed when deploying a VM, such as a virtual network, storage, and network security group.
• Recognize that VM images and sizes determine operating system and hardware characteristics of an Azure VM.
• Identify scenarios where Azure Virtual Machines are an appropriate compute choice.
• Differentiate between using availability sets and scale sets for improving resiliency and scalability of VM workloads.
• Select the most appropriate Azure compute option for a simple workload description based on control and scaling needs.

Task 2.3 - Describe Azure application hosting options

• Identify Azure App Service as a PaaS offering for hosting web apps, REST APIs, and mobile back ends.
• Explain that App Service plans define the compute resources and scale characteristics for web apps.
• Identify Azure Container Instances as a simple way to run containers without managing virtual machines.
• Recognize Azure Kubernetes Service (AKS) as a managed Kubernetes platform for orchestrating containerized applications.
• Identify Azure Static Web Apps as a service for hosting static front-end web applications with integrated APIs.
• Compare hosting an application on Azure Virtual Machines versus Azure App Service at a high level.
• Identify when to choose a container-based hosting solution over traditional VM or App Service hosting.
• Recognize that App Service provides built-in capabilities like deployment slots and autoscaling at a conceptual level.
• Explain that PaaS hosting in Azure offloads OS patching and much of the platform management from customers.
• Select the most appropriate Azure application hosting option for a given simple scenario.

Task 2.4 - Describe Azure networking services and connectivity

• Define an Azure Virtual Network (VNet) and its purpose in isolating and connecting Azure resources.
• Describe how subnets divide a VNet into logical segments for organization and security.
• Recognize network security groups (NSGs) as a way to control inbound and outbound traffic for resources in a VNet.
• Describe VNet peering and when it is used to connect VNets within Azure.
• Identify Azure DNS as the service that provides DNS hosting and name resolution for Azure resources.
• Describe Azure VPN Gateway as a way to establish secure connectivity between on-premises networks and Azure over the internet.
• Recognize Azure ExpressRoute as a dedicated private connection between on-premises networks and Azure.
• Define public endpoints and private endpoints for accessing Azure services.
• Identify scenarios where private endpoints are required to meet security or compliance needs.
• Select appropriate Azure connectivity options for simple scenarios involving on-premises integration or secure access.

Task 2.5 - Describe Azure storage services and redundancy

• Identify Azure Blob Storage as an object storage service for unstructured data such as images and backups.
• Identify Azure Files as a managed file share service accessible over SMB or NFS protocols.
• Recognize Azure Disk Storage as block storage used with Azure Virtual Machines.
• Identify other Azure storage services such as Queue storage and Table storage at a high level.
• Describe Azure storage access tiers such as hot, cool, and archive and when each is appropriate.
• Describe redundancy options like LRS, ZRS, and GRS for Azure Storage at a conceptual level.
• Recognize that higher redundancy options generally improve resiliency but may increase cost.
• Identify basic Azure storage account types and when they are used conceptually.
• Select an appropriate Azure storage service and redundancy option for a simple data scenario.
• Recognize that Azure Storage includes built-in encryption at rest and options for secure access.

Task 2.6 - Describe options for migrating and moving data to Azure

• Identify AzCopy as a command-line tool for moving data to and from Azure Storage.
• Identify Azure Storage Explorer as a graphical tool for managing and transferring data in storage accounts.
• Recognize Azure File Sync as a service that synchronizes on-premises file servers with Azure Files.
• Describe Azure Migrate as a central hub for discovering, assessing, and migrating on-premises servers to Azure.
• Identify Azure Data Box as a physical device used to transfer large amounts of data to Azure offline.
• Recognize scenarios where Azure Data Box is preferred over network-based data transfer.
• Differentiate between using AzCopy and Azure Storage Explorer for data movement based on user preference and automation needs.
• Recognize that Azure Migrate supports assessment and migration of VMware, Hyper-V, and physical servers at a high level.
• Identify that other Azure services like Azure Data Factory can be used for ongoing data movement and integration.
• Select appropriate Azure tools for migrating or moving data in simple scenarios.

Task 2.7 - Describe Azure identity, access, and security concepts

• Identify Microsoft Entra ID as Azure’s cloud-based identity and access management service.
• Differentiate between a Microsoft Entra ID tenant and an Azure subscription at a high level.
• Identify Microsoft Entra Domain Services as a managed domain service supporting features such as domain join and group policy.
• Describe authentication methods supported in Azure, including single sign-on, multifactor authentication, and passwordless options.
• Recognize external identity scenarios such as business-to-business (B2B) and business-to-customer (B2C) access.
• Describe Microsoft Entra Conditional Access and when it is used to enforce access policies based on conditions.
• Explain the purpose of Azure role-based access control (RBAC) and built-in roles such as Owner, Contributor, and Reader.
• Describe the Zero Trust security model and how it applies to Azure environments.
• Describe the defense-in-depth concept and typical layers such as identity, network, and data in Azure solutions.
• Identify Microsoft Defender for Cloud as a service that provides cloud security posture management and threat protection.

Domain 3: Describe Azure management and governance (36%)

Practice this topic →

Task 3.1 - Describe factors that affect costs and Azure pricing

• Identify that the number and type of resources deployed directly influence Azure costs.
• Recognize that resource location, such as Azure region, can affect service pricing.
• Explain how usage patterns, such as running resources 24x7 versus on a schedule, change monthly costs.
• Recognize that outbound data transfer from Azure can generate additional charges.
• Identify that different service tiers or SKUs, such as standard versus premium, have different prices.
• Explain that using reserved capacity or savings options can lower costs for predictable workloads.
• Recognize that bringing existing software licenses, where allowed, can affect virtual machine costs.
• Explain how choosing appropriate storage access tiers influences storage costs over time.
• Recognize that over-provisioning compute or storage resources can lead to unnecessary spending in Azure.
• Select the factor that most likely explains a simple change in Azure costs in a described scenario.

Task 3.2 - Use Azure tools for estimating and monitoring cost

• Identify the Azure Pricing calculator as a tool for estimating the cost of Azure solutions before deployment.
• Recognize Azure Cost Management and Billing as the central place to review and analyze Azure spending.
• Describe cost analysis views in Azure Cost Management for understanding historical and current costs.
• Identify Azure budgets and alerts as tools for proactively controlling spending.
• Recognize that cost data can be broken down by subscription, resource group, or tag for reporting purposes.
• Explain the difference between forecasted costs and actual costs in Azure billing tools.
• Recognize that invoices and billing profiles are managed within Azure Cost Management and Billing.
• Identify Azure tools that support cost optimization recommendations, such as Azure Advisor.
• Select the most appropriate Azure tool to use for estimating, tracking, or alerting on costs in a simple scenario.
• Recognize that different stakeholders, such as finance and IT operations, may use Azure cost tools differently.

Task 3.3 - Describe resource organization, tagging, and governance constructs

• Describe the purpose of tags for organizing Azure resources by attributes such as cost center or environment.
• Recognize that tags can be applied to many Azure resources and later used in cost and management reports.
• Identify common tagging strategies, such as tagging by application, owner, or lifecycle stage.
• Explain how tags can be used in Azure Cost Management to filter and group cost data.
• Distinguish between resource groups, subscriptions, and management groups from a governance perspective.
• Explain that management groups allow applying governance controls such as policies and RBAC across multiple subscriptions.
• Recognize that resource groups should contain resources that share a common lifecycle and management boundary.
• Identify that subscriptions are billing and security boundaries that can separate environments or business units.
• Recognize that tags do not enforce security isolation, whereas subscriptions and resource groups contribute to access boundaries.
• Select an appropriate combination of resource groups, subscriptions, and tags to meet a simple management or reporting requirement.

Task 3.4 - Describe tools for managing and deploying Azure resources

• Identify the Azure portal as a web-based interface for creating, configuring, and monitoring resources.
• Recognize Azure Cloud Shell as a browser-based command-line environment integrated with the Azure portal.
• Differentiate between Azure CLI and Azure PowerShell for scripting and automation at a high level.
• Recognize that Azure resources can also be managed through REST APIs and SDKs for various programming languages.
• Describe the concept of infrastructure as code (IaC) and its benefits for consistency and repeatability.
• Identify Azure Resource Manager (ARM) as the deployment and management service for Azure resources.
• Recognize ARM templates as JSON files that declaratively define Azure resources for deployment.
• Describe Azure Arc as a service that extends Azure management to servers, Kubernetes clusters, and data services outside Azure.
• Recognize that DevOps pipelines and automation tools can use ARM templates and CLI/PowerShell to deploy Azure resources.
• Select the most appropriate Azure management or deployment method for a given scenario and scale.

Task 3.5 - Describe governance and compliance tools in Azure

• Identify Microsoft Purview as a unified data governance solution for discovering and classifying data across the data estate.
• Recognize common use cases for Microsoft Purview, such as tracking sensitive information and meeting regulatory requirements.
• Describe Azure Policy as a service for creating and assigning policies to enforce organizational rules on Azure resources.
• Explain that Azure Policy can audit, deny, or modify resource configurations based on defined rules.
• Recognize the concept of policy initiatives for grouping related Azure Policy definitions.
• Describe resource locks and their types, such as CanNotDelete and ReadOnly, for protecting critical Azure resources.
• Recognize that resource locks operate alongside RBAC and Azure Policy to strengthen protection of important assets.
• Explain how governance tools such as Azure Policy and Microsoft Purview support internal and external compliance efforts.
• Select the appropriate governance tool, such as Azure Policy, RBAC, locks, or Purview, for a described requirement.
• Recognize that governance and compliance in Azure are ongoing processes that involve monitoring and regular review of policies and controls.

Task 3.6 - Describe monitoring and service health tools in Azure

• Identify Azure Monitor as the central service for collecting metrics and logs from Azure resources and applications.
• Recognize Log Analytics as a feature of Azure Monitor for querying and analyzing log data.
• Identify Application Insights as an Azure Monitor capability for application performance monitoring and diagnostics.
• Describe Azure Monitor alerts as a way to notify teams about important conditions or threshold breaches.
• Identify Azure Advisor as a service that provides recommendations across cost, security, reliability, and performance.
• Recognize Azure Service Health as a service that provides information about Azure service issues and planned maintenance affecting a customer.
• Differentiate between the public Azure status page and Azure Service Health in terms of scope and personalization.
• Explain how logging, metrics, and alerts contribute to the reliability, performance, and security of Azure workloads.
• Select the most appropriate Azure monitoring or advisory tool for a simple described scenario.
• Recognize that responding to Azure Advisor and Service Health alerts is part of ongoing operations and governance.

Tip: After finishing a domain, take a 15–20 question drill focused on that domain, then revisit weak objectives before moving on.