Practice Microsoft Azure AZ-900 Azure Fundamentals with free sample questions, timed mock exams, topic drills, and detailed answer explanations in IT Mastery.
Use this AZ-900 exam simulator page when you want realistic AZ-900 practice questions, clearer explanations, and a fast route into the full IT Mastery experience on web, iOS, and Android. This page is built for search intent like AZ-900 mock exam, AZ-900 practice test, Azure Fundamentals exam simulator, and AZ-900 practice questions.
1) Cloud concepts
2) Azure architecture and core services
3) Security, identity, and governance
4) Cost management and SLAs
These sample questions include the same mix of single-answer and multiple-response items you should practice for AZ-900. Use them to check your readiness here, then move into the full IT Mastery question bank for broader timed coverage.
Topic: Domain 2: Describe Azure architecture and services
When planning to deploy an Azure virtual machine, which Azure resource is required to provide the private IP addressing and network isolation that allow the VM to communicate securely with other resources in your subscription?
Options:
Best answer: C
Explanation: The choice describing a virtual network is correct because a VNet is the Azure resource that defines private IP address ranges, subnets, and network isolation. Virtual machines attach their network interfaces to a subnet within a VNet, which enables private, secure communication with other resources in that network and, if configured, to on-premises networks or the internet via additional components.
Topic: Domain 2: Describe Azure architecture and services
A company runs a two-VM web application in a single Azure region. Both VMs must remain IaaS-based and should keep running if Azure performs maintenance on one host or if a single physical server fails. Which Azure configuration should you implement?
Options:
Best answer: C
Explanation: Placing both virtual machines in an availability set is correct because an availability set explicitly controls fault domain and update domain distribution. This means Azure places the VMs so that a single physical server failure or a single maintenance event will not affect all instances, directly satisfying the requirement to keep the application running during host maintenance or hardware failure within the region.
Topic: Domain 2: Describe Azure architecture and services
A company must perform a one-time migration of 500TB of on-premises file data into Azure Blob storage. They have a 200Mbps VPN connection to Azure and must complete the migration during a 7-day maintenance window without saturating the link needed for daily operations.
You propose several approaches.
Which TWO options should you AVOID? (Select TWO.)
Options:
Correct answers: B and C
Explanation: The option that copies all 500TB directly over the existing 200Mbps VPN connection during the 7-day window should be avoided because the available throughput is far too low for such a large dataset in such a short period, especially given that the VPN is also needed for normal operations. This ignores Azure Data Box, which is specifically designed to handle large, time-bound transfers more reliably.
The option that uses customer-owned external drives shipped directly to an Azure datacenter should also be avoided because this is not a supported or secure ingestion method. Microsoft does not accept arbitrary drives for manual import. Instead, Azure Data Box provides secure, tamper-evident devices with a documented chain of custody and a supported ingestion workflow, making this ad-hoc drive-shipping approach an anti-pattern.
Topic: Domain 2: Describe Azure architecture and services
Which of the following statements about using Azure Data Box to move data to Azure is NOT correct?
Options:
Best answer: A
Explanation: The statement that Azure Data Box is a “fully online service” that moves data directly over the internet without using any physical hardware is incorrect because it reverses the core idea of the service. Azure Data Box is built around Microsoft shipping a physical device to your location, you copying data locally to that device, and then shipping it back so Microsoft can ingest the data into your storage account. That physical, offline model is what makes Data Box suitable when network-based transfer is too slow or unreliable for very large datasets.
Topic: Domain 3: Describe Azure management and governance
Your team must deploy the same set of virtual machines, storage accounts, and networking resources to three Azure subscriptions every month. Deployments must be automated, repeatable, and defined as code stored in a Git repository, with minimal use of the Azure portal. Which of the following actions/solutions will meet these requirements? (Select TWO.)
Options:
Correct answers: B and D
Explanation: ✔ Define the entire environment in a Bicep file, store it in a Git repository, and deploy it to each subscription using a CI/CD pipeline. This directly implements Infrastructure as Code with automation and version control, so deployments are repeatable across subscriptions.
Topic: Domain 2: Describe Azure architecture and services
Your company created a separate Windows virtual machine in Azure for each remote user so they can sign in with RDP and use corporate desktop applications. Users can connect, but IT reports high management overhead and rising costs for maintaining many individual VMs. You need a simpler Azure-based way to deliver Windows desktops and apps from the cloud. Which Azure service should you use?
Options:
Best answer: B
Explanation: Azure Virtual Desktop is purpose-built to provide cloud-hosted Windows desktops and applications to users. It reduces the need to manage many individual user-assigned VMs and instead offers a centralized, managed environment for virtual desktops and app streaming from Azure, which directly addresses the overhead and cost concerns in the scenario.
Topic: Domain 3: Describe Azure management and governance
Your company wants to break down Azure costs by department and project using Azure Cost Management. You are defining a tagging strategy for new and existing resources. Which of the following approaches should you AVOID? (Select TWO.)
Options:
costCenter tag and a project tag to their resources using a standard set of values.
Correct answers: B and C
Explanation: The option that lets each team freely choose its own tag names and values for costs, skipping shared standards, is an anti-pattern because it destroys consistency. If teams use different tag keys (for example, Dept, Department, DeptName) and arbitrary values, you cannot easily group or filter costs across the whole organization.
The option that relies only on subscription-level totals and leaves most resources untagged is also an anti-pattern. Subscription-level data shows high-level spend but does not reveal which department or project consumes those costs. Without tags, Azure Cost Management cannot break costs down by business dimension, defeating the goal of detailed departmental and project reporting.
Topic: Domain 2: Describe Azure architecture and services
You move an existing Azure web app to a higher pricing tier App Service plan that provides more CPU and memory and enables automatic scale-out to additional instances during traffic spikes. Which cloud principle does this change primarily demonstrate?
Options:
Best answer: B
Explanation: Choosing scalability and elasticity is correct because changing the App Service plan pricing tier increases available compute resources and allows the app to scale out automatically when demand rises. App Service plans define the capacity and scale characteristics of web apps, so adjusting the plan to handle variable load is a direct application of the scalability principle.
Topic: Domain 1: Describe cloud concepts
Which statement BEST describes Azure’s consumption-based pricing model?
Options:
Best answer: C
Explanation: The statement that you “pay only for the Azure resources and services you actually use, with costs based on metered usage” directly captures the idea of consumption-based pricing. Azure meters usage of services (such as VM runtime, storage capacity, and data transfer) and bills you according to that actual consumption, which aligns exactly with the exam objective for cloud economics.
Topic: Domain 2: Describe Azure architecture and services
Which TWO of the following statements about Azure availability sets are INCORRECT? (Select TWO.)
Options:
Correct answers: A and C
Explanation: The statement that availability sets ensure all VMs are rebooted at the same time during planned maintenance is incorrect because the purpose of update domains is the opposite: to stagger reboots so at least some VMs stay running while others are updated.
The statement that using an availability set automatically backs up or replicates VMs to another region is also incorrect because availability sets only control VM placement across fault and update domains in a single region. Cross-region replication or backup requires separate services such as Azure Backup, geo-redundant storage, or Azure Site Recovery.
Topic: Domain 3: Describe Azure management and governance
In Azure, what is the primary purpose of assigning tags to resources?
Options:
Best answer: B
Explanation: The choice that describes tags as name-value metadata used to organize, filter, and report on resources—including scenarios like cost allocation by cost center or environment—is correct because it captures the core purpose of Azure tags at a fundamentals level. Tags are specifically designed for classification and reporting, not for deployment, security, or runtime behavior changes.
Topic: Domain 1: Describe cloud concepts
Your company stores sensitive customer data in Azure SQL Database and Azure Blob Storage. The security team requires that only authorized users can read or modify this data and that the data is encrypted with keys managed by your organization rather than only using Microsoft-managed defaults. According to the shared responsibility model, which tasks are your responsibility? Which of the following actions/solutions will meet these requirements? (Select TWO.)
Options:
Correct answers: B and C
Explanation: The option to define Microsoft Entra ID groups and assign least-privilege RBAC roles directly addresses the need to ensure that only authorized users can read or modify the data. The option to configure customer-managed keys (CMK) in Azure Key Vault and enable encryption at rest with those keys satisfies the requirement to use organization-managed keys instead of relying solely on Microsoft-managed defaults.
Topic: Domain 2: Describe Azure architecture and services
A company runs a mission-critical web application in a single Azure region. They want the app to stay online even if one datacenter in the region loses power, cooling, or networking. You plan to use availability zones. Which TWO deployment approaches should you AVOID? (Select TWO.)
Options:
Correct answers: A and C
Explanation: The choice that deploys all virtual machine instances into the same availability zone is something to avoid because it creates a clear single point of failure. If that zone loses power, cooling, or network connectivity, all instances fail together, contradicting the goal of surviving a datacenter-level issue.
The choice that runs the production application on a single VM in one zone and merely relies on daily backups to another region is also an anti-pattern in this context. Backups provide disaster recovery, not continuous availability. During a zone outage, the production app would be down until you restore from backup elsewhere, which does not meet the requirement to keep the app online if a zone fails.
Topic: Domain 1: Describe cloud concepts
A company runs a critical line-of-business web app on a single on-premises server and often experiences downtime during hardware failures. They plan to move the app to Azure and want it to keep running even if one Azure datacenter in a region becomes unavailable, while minimizing management effort. Which approach in Azure is the most appropriate?
Options:
Best answer: C
Explanation: Hosting the app on Azure App Service with multiple instances across availability zones uses multiple datacenters in one region for built-in redundancy while offloading most platform management to Azure, directly meeting the high-availability and low-management requirements.
Topic: Domain 1: Describe cloud concepts
Your team is designing a new event-driven backend API in Azure. You want to minimize infrastructure management and pay only when your code or workflows run by using fully serverless services. Which of the following Azure services should you AVOID choosing? (Select TWO.)
Options:
Correct answers: A and D
Explanation: Azure Virtual Machines is a classic IaaS offering. You must provision, configure, patch, and scale the virtual machines, and you pay for allocated compute capacity, not just for code executions. This conflicts with the requirement to avoid infrastructure management and pay only when code runs.
Azure Kubernetes Service (AKS) is a managed Kubernetes service, but it is still a cluster-based model. You manage node pools, capacity, and workloads. It is not classified as serverless in Azure Fundamentals. Therefore, both Azure Virtual Machines and Azure Kubernetes Service violate the key requirement of using fully serverless services and are the options that should be avoided.
Topic: Domain 1: Describe cloud concepts
You manage a small Azure subscription where administrators manually configure security settings on new resources, and auditors review a sample of resources every quarter. Leadership wants to automatically enforce required configurations on all new resources and have a central view of noncompliant resources for reporting. Which approach is the most appropriate way to improve this using Azure governance features?
Options:
Best answer: C
Explanation: The choice to create and assign an Azure Policy initiative at the subscription or management group scope directly addresses both requirements: automatic enforcement of required configurations on all new resources and centralized visibility of noncompliant resources. Azure Policy evaluates resources continuously, can deny noncompliant deployments, and presents compliance status in a dedicated dashboard suitable for reporting to auditors and leadership.
Topic: Domain 1: Describe cloud concepts
Your team wants to try several Azure services for a new product idea but must keep financial risk low. You use pay-as-you-go pricing and plan to delete test resources quickly. Which TWO actions should you AVOID if you want to minimize cost risk? (Select TWO.)
Options:
Correct answers: D and E
Explanation: Committing to a 3-year reserved capacity purchase for a new service before running any tests undermines low-risk experimentation. Reservations are designed for predictable, long-term workloads, not for trying out services. Doing this creates financial lock-in before you know whether the service fits your needs.
Leaving large test virtual machines running continuously after the experiment has ended also conflicts with the benefits of consumption-based pricing. In Azure, running compute resources incur cost over time. If test VMs remain running when they are no longer needed, you keep paying for them, turning a low-risk experiment into unnecessary ongoing spend.
Both of these actions limit the flexibility and cost control that make consumption-based experimentation attractive, so they are the actions you should avoid.
Topic: Domain 3: Describe Azure management and governance
Your company has many Azure storage accounts created by different teams. Some do not use secure transfer. You currently review configurations manually. You must 1) automatically block creation of noncompliant storage accounts and 2) see which existing accounts are noncompliant. Which approach is the most appropriate?
Options:
Best answer: C
Explanation: The choice to create and assign an Azure Policy that enforces secure transfer on storage accounts is correct because it directly uses Azure Policy’s deny and audit outcomes.
By assigning the policy at the subscription scope, all current and future storage accounts in that subscription are evaluated. Noncompliant new deployments are blocked by the deny effect, while existing noncompliant accounts are reported as noncompliant (audit) in the Azure Policy compliance dashboard. This exactly matches the goals of automatic enforcement and visibility into current compliance.
Topic: Domain 2: Describe Azure architecture and services
Which Azure service is specifically designed to deliver virtualized Windows desktops and applications from Azure to users over the internet?
Options:
Best answer: A
Explanation: Azure Virtual Desktop is correct because it is the dedicated Azure service for desktop and app virtualization. It is designed to deliver full Windows desktops and remote applications from Azure to users, aligning exactly with the description in the question.
Topic: Domain 1: Describe cloud concepts
Which TWO statements about Software as a Service (SaaS) in the Microsoft cloud are correct? (Select TWO.)
Options:
Correct answers: D and E
Explanation: The statement that, with SaaS, Microsoft manages the application, runtime, and operating system is correct because in SaaS the provider is responsible for the full stack and customers focus on configuration and usage. The statement that Microsoft 365 is an example of a SaaS offering is also correct, as Microsoft 365 delivers hosted email and productivity apps that users access over the internet without managing servers or application installation.
Topic: Domain 2: Describe Azure architecture and services
Your company runs a web application on a single Azure virtual machine. You need to improve resiliency to host failures and automatically add or remove VM instances as traffic changes, while continuing to use Azure VMs. Which option is the most appropriate?
Options:
Best answer: A
Explanation: Moving the workload to a virtual machine scale set and configuring autoscale rules based on CPU usage is correct because a scale set:
This option is the only one that satisfies both high availability and automatic scaling requirements together.
Topic: Domain 2: Describe Azure architecture and services
An Azure virtual machine (VM) in a virtual network must read and write data to an Azure Storage account. To avoid any exposure to the internet, an admin disabled public network access on the storage account. Now, applications on the VM time out when connecting to Blob storage. You need to restore connectivity while keeping traffic on private IP addresses only. What should you do?
Options:
Best answer: A
Explanation: Creating a private endpoint for the storage account in the VM’s virtual network gives the storage account a private IP inside that VNet. The VM can then reach Blob storage over the virtual network without using the internet, and the storage account can keep public network access disabled. This directly addresses the symptom and meets the requirement to use only private IP addresses.
Topic: Domain 3: Describe Azure management and governance
An Azure subscription’s monthly cost increased from $1,000 in April to $1,300 in May. The finance team exports this summary from Azure Cost Management + Billing:
| Cost category | April (USD) | May (USD) |
|---|---|---|
| Compute | 600 | 620 |
| Storage | 200 | 210 |
| Networking | 200 | 470 |
Based on this data, which factor most likely explains the majority of the cost increase? (Assume the table includes all relevant resource costs and use simple dollar differences.)
Options:
Best answer: B
Explanation: The choice stating that there is much more data transferred out of Azure to the internet matches the $270 networking cost increase, which is by far the largest change. Since networking costs are largely driven by outbound data egress, this factor best explains the majority of the $300 total cost increase.
Topic: Domain 2: Describe Azure architecture and services
Which of the following statements about Azure Files is NOT correct?
Options:
Best answer: C
Explanation: The statement that claims Azure Files requires you to deploy and manage your own Windows or Linux file server virtual machines for hosting the shares is not correct. Azure Files is a managed file share service built into Azure Storage. Microsoft operates the underlying file server infrastructure, so you do not create or maintain separate file server VMs for the shares themselves. This is a key benefit compared to running your own file server on IaaS virtual machines.