AZ-900 — Microsoft Azure Fundamentals Exam Blueprint
Practical AZ-900 exam blueprint for Microsoft Azure Fundamentals exam readiness across cloud concepts, Azure services, security, governance, cost, and management.
Use this Exam Blueprint as a practical study map for the Microsoft Azure Fundamentals (AZ-900) exam from Microsoft. It is designed for final review: confirm that you can explain core concepts, choose appropriate Azure services in simple scenarios, and recognize the management, security, governance, and cost controls that appear in fundamental Azure questions.
This checklist does not replace Microsoft’s exam page or training materials. It translates the public AZ-900 topic areas into readiness tasks you can check off before practice exams and test day.
How to Use This Checklist
- Scan the readiness table first. Mark each area as strong, mixed, or weak.
- Review the decision prompts. AZ-900 often tests whether you can choose between similar Azure concepts.
- Use the checkboxes for active recall. Do not just recognize terms; explain when and why each service is used.
- Finish with the final-week checklist. Remove weak spots, especially identity, governance, cost, and core service selection.
AZ-900 Readiness Areas at a Glance
| Readiness area | What you should be able to do | Ready when you can… |
|---|---|---|
| Cloud concepts | Explain cloud computing benefits and service models | Distinguish IaaS, PaaS, SaaS, public, private, hybrid, and multicloud scenarios |
| Azure global infrastructure | Understand regions, region pairs, availability zones, and datacenters | Match resiliency concepts to basic workload requirements |
| Azure resources and hierarchy | Understand tenants, subscriptions, resource groups, and resources | Explain where billing, access, organization, and lifecycle management apply |
| Compute services | Identify when to use virtual machines, containers, Azure App Service, functions, and Azure Virtual Desktop | Pick a compute option from a short business scenario |
| Networking | Understand VNets, subnets, VPN, ExpressRoute, DNS, load balancing, and security boundaries | Recognize basic connectivity and isolation patterns |
| Storage | Compare Blob, Files, Queue, Table, and disk storage at a fundamental level | Choose storage based on object, file share, messaging, NoSQL, or VM disk needs |
| Databases and analytics | Recognize Azure SQL, Cosmos DB, database migration, and analytics-related services | Match relational, globally distributed NoSQL, and reporting/insight needs |
| Identity and access | Understand Microsoft Entra ID, authentication, authorization, MFA, Conditional Access, and RBAC | Separate identity verification from permission assignment |
| Security | Recognize Microsoft Defender for Cloud, Key Vault, network security groups, firewalls, and encryption concepts | Identify basic controls for protecting identities, secrets, networks, and workloads |
| Governance and compliance | Understand Azure Policy, resource locks, tags, Blueprints/landing-zone concepts, and compliance tools | Choose the right control for standardization, prevention, organization, or audit |
| Cost management | Understand pricing factors, budgets, cost analysis, reservations/savings options, and TCO concepts | Identify major cost drivers and basic cost-control tools |
| Monitoring and management | Recognize Azure Monitor, Log Analytics, alerts, Service Health, Advisor, Portal, CLI, PowerShell, and ARM/Bicep concepts | Know which tool helps deploy, inspect, alert, automate, or improve resources |
| SLA and lifecycle concepts | Understand availability, SLAs, preview/GA ideas, and support basics | Interpret availability choices without assuming exact exam scoring or service limits |
Cloud Concepts Checklist
Core Cloud Vocabulary
Be ready to explain these without memorized marketing phrases.
| Concept | You should know | Common exam-style cue |
|---|---|---|
| Cloud computing | On-demand computing services delivered over a network | “Avoid buying and maintaining physical servers” |
| Shared responsibility | Security and operations responsibilities are split between provider and customer | “Who manages the operating system?” |
| Scalability | Ability to increase or decrease resources | “Handle more users during peak periods” |
| Elasticity | Automatic or rapid adjustment to demand | “Scale out when demand spikes, scale in after” |
| High availability | Keep services accessible despite failures | “Reduce downtime” |
| Fault tolerance | Continue operating when components fail | “Application survives hardware failure” |
| Disaster recovery | Restore service after a major outage | “Recover in another location” |
| Agility | Deploy and change quickly | “Provision resources in minutes” |
| CapEx | Up-front capital spending | “Buy datacenter hardware” |
| OpEx | Ongoing operational spending | “Pay for what you use” |
Service Models
| Model | Customer manages more of… | Provider manages more of… | Example direction |
|---|---|---|---|
| IaaS | OS, runtime, apps, data, configuration | Physical datacenter, hardware, virtualization | Virtual machines |
| PaaS | Apps, data, some configuration | OS, runtime platform, scaling platform | App Service, managed databases |
| SaaS | User data and configuration | Application and underlying platform | Microsoft 365-style services |
Can you do this?
- Explain why IaaS gives more control but more operational responsibility.
- Explain why PaaS reduces infrastructure management.
- Explain why SaaS is usually the least customer-managed model.
- Identify whether a scenario needs control, speed, or minimal administration.
- Apply shared responsibility to identity, data, applications, OS, network, and physical infrastructure.
Cloud Deployment Models
| Model | Key idea | Watch for |
|---|---|---|
| Public cloud | Services delivered over shared provider infrastructure | Fast provisioning, global scale, consumption pricing |
| Private cloud | Cloud-like environment dedicated to one organization | More direct control, organization-managed infrastructure |
| Hybrid cloud | Combines on-premises/private resources with public cloud | Gradual migration, regulatory constraints, existing datacenters |
| Multicloud | Uses services from multiple cloud providers | Avoiding dependency, specialized services, redundancy strategies |
Azure Architecture and Resource Organization
Azure Hierarchy
Understand the management hierarchy and what each level is for.
| Level or artifact | What it represents | Readiness check |
|---|---|---|
| Microsoft Entra tenant | Identity boundary for users, groups, apps, and authentication | Can you explain where users and identities live? |
| Management group | Optional hierarchy for organizing multiple subscriptions | Can you explain broad policy and access organization? |
| Subscription | Billing, access, and resource management boundary | Can you explain why teams may use separate subscriptions? |
| Resource group | Logical container for related resources | Can you explain lifecycle grouping and access scoping? |
| Resource | Individual Azure service instance | Can you identify examples such as VM, storage account, VNet, database? |
Can you do this?
- Explain the relationship between a tenant and a subscription at a high level.
- Describe why a resource group is useful for lifecycle management.
- Recognize that a resource belongs to a resource group.
- Understand that permissions can be scoped at different hierarchy levels.
- Know that tags help organize and report on resources.
Global Infrastructure
| Concept | What to know | Scenario cue |
|---|---|---|
| Geography | Broad market or data residency area | “Store data in a specific country or market area” |
| Region | Set of datacenters in a location | “Deploy resources close to users” |
| Region pair | Pairing concept for resiliency planning | “Plan recovery across related regions” |
| Availability zone | Physically separate locations within a region where supported | “Protect against datacenter-level failure” |
| Datacenter | Facility containing physical infrastructure | “Underlying building and hardware” |
| Edge location / CDN concept | Bring content closer to users | “Improve static content delivery latency” |
Readiness prompts:
- If a company wants low latency, can you select a nearby region conceptually?
- If a workload needs datacenter-level resiliency, can you identify availability zones?
- If a workload needs regional disaster recovery, can you distinguish zone-level from region-level resilience?
- Can you avoid assuming every service is available in every region?
Azure Compute Services
Compute Selection Table
| Need | Likely Azure concept | Why |
|---|---|---|
| Full OS control, custom server configuration | Azure Virtual Machines | IaaS with control over OS and installed software |
| Run a web app without managing servers | Azure App Service | PaaS web/application hosting |
| Package and run containerized workloads | Azure Container Instances or Azure Kubernetes Service conceptually | Containers isolate app dependencies and improve portability |
| Event-driven code with minimal infrastructure management | Azure Functions | Serverless function execution model |
| Remote desktop/app experience from Azure | Azure Virtual Desktop | Virtualized desktop and application access |
| Build repeatable deployments | ARM templates, Bicep, or automation tools | Infrastructure as code concept |
Compute Readiness Checklist
- Explain what a virtual machine is and when IaaS is appropriate.
- Identify why VM scale sets or scaling concepts matter for repeated VM instances.
- Explain the basic value of containers compared with traditional VM deployment.
- Distinguish container hosting from Kubernetes orchestration at a high level.
- Explain why App Service is a PaaS option for web apps and APIs.
- Explain what “serverless” means in an Azure Functions context.
- Recognize Azure Virtual Desktop scenarios.
- Understand that compute choices affect management responsibility, scaling, cost, and control.
Common Compute Traps
| Trap | Correct thinking |
|---|---|
| “Serverless means no servers exist.” | Servers exist, but the customer does not manage the server infrastructure directly. |
| “PaaS gives the same OS control as VMs.” | PaaS reduces OS and platform management, which also reduces low-level control. |
| “Containers and VMs are the same.” | Containers share the host OS kernel and package app dependencies; VMs virtualize full operating systems. |
| “Kubernetes is always required for containers.” | Simple container workloads may not need full orchestration. |
Azure Networking
Networking Concepts to Review
| Concept | What it does | Ready when you can… |
|---|---|---|
| Virtual network | Provides private network space for Azure resources | Explain why resources need network isolation |
| Subnet | Segments a virtual network | Place services into logical network sections |
| Network security group | Filters network traffic using rules | Recognize basic allow/deny traffic control |
| VPN Gateway | Encrypted connection over the internet | Identify site-to-site or point-to-site connectivity scenarios |
| ExpressRoute | Private connectivity to Microsoft cloud services through a provider | Distinguish from internet-based VPN |
| Azure DNS | Hosts DNS domains and records | Explain name resolution purpose |
| Load Balancer | Distributes traffic at lower network layers | Recognize availability and traffic distribution use cases |
| Application Gateway | Web traffic load balancing features | Recognize application-layer routing and web app scenarios |
| Azure Firewall | Managed network firewall service | Identify centralized network protection |
| CDN / Front Door concepts | Improve delivery and global routing for web content | Recognize performance and edge delivery scenarios |
Networking “Can You Do This?” Checklist
- Explain the difference between a virtual network and a subnet.
- Identify when a VPN is used instead of ExpressRoute.
- Identify why a company might choose private connectivity.
- Recognize NSGs as network filtering controls.
- Distinguish Azure Firewall from an NSG at a high level.
- Recognize that load balancing improves availability and traffic distribution.
- Explain why DNS matters for human-readable names.
- Match content delivery needs to CDN or global routing concepts.
Networking Decision Cues
| Scenario cue | Think about |
|---|---|
| “Secure connection from branch office to Azure over the internet” | VPN Gateway |
| “Private dedicated connectivity, not over the public internet” | ExpressRoute |
| “Allow or deny traffic to subnet or network interface” | Network security group |
| “Centralized managed firewall controls” | Azure Firewall |
| “Distribute requests across backend instances” | Load balancing |
| “Route web traffic based on application-layer needs” | Application Gateway or related web routing concept |
| “Serve static content closer to global users” | CDN or edge delivery concept |
Azure Storage
Storage Services and Use Cases
| Storage type | Primary use | Scenario cue |
|---|---|---|
| Blob Storage | Object storage for unstructured data | Images, videos, backups, logs, documents |
| Azure Files | Managed file shares | Lift-and-shift apps needing file share access |
| Queue Storage | Simple message queue | Decouple application components |
| Table Storage | NoSQL key-value style storage | Simple structured non-relational data |
| Managed disks | Persistent disks for Azure VMs | VM operating system and data disks |
| Archive/cool/hot access concepts | Cost and access frequency tradeoffs | Store rarely accessed data at lower cost |
Storage Readiness Checklist
- Explain the difference between object, file, queue, table, and disk storage.
- Identify Blob Storage for unstructured object data.
- Identify Azure Files for shared file access.
- Identify Queue Storage for asynchronous messaging.
- Identify managed disks as VM storage.
- Understand that redundancy options affect durability, availability, and cost.
- Recognize access tiers as a cost/performance choice based on usage patterns.
- Understand that storage accounts are Azure resources that can be secured and monitored.
Storage Traps
| Trap | Correct thinking |
|---|---|
| “Blob Storage is the same as a file share.” | Blob stores objects; Azure Files provides managed file shares. |
| “Archive storage is for frequently accessed production files.” | Archive-style tiers are for rarely accessed data and may involve retrieval considerations. |
| “Managed disks are general-purpose object storage.” | Managed disks are attached to VMs for OS/data disk use. |
| “Redundancy is only about backup.” | Redundancy is about maintaining copies across infrastructure scopes; backup is a separate protection strategy. |
Databases, Analytics, and AI-Adjacent Fundamentals
AZ-900 is a fundamentals exam, so focus on recognizing service categories and use cases rather than designing deep data platforms.
| Need | Azure concept to recognize | Readiness cue |
|---|---|---|
| Managed relational database with SQL | Azure SQL family concepts | Structured data, relational tables, SQL queries |
| Globally distributed NoSQL database | Azure Cosmos DB | Low-latency NoSQL, global distribution concepts |
| Migrate existing databases | Azure database migration concepts | Move database workloads to Azure |
| Big data analytics | Azure Synapse Analytics / analytics services conceptually | Analyze large volumes of data |
| Data integration | Azure Data Factory conceptually | Move and transform data between systems |
| Dashboards and business reporting | Power BI conceptually | Visualize and report business data |
| AI services | Azure AI services conceptually | Prebuilt AI capabilities such as vision, language, speech |
Can you do this?
- Distinguish relational databases from NoSQL databases at a high level.
- Recognize Cosmos DB as a globally distributed NoSQL option.
- Recognize Azure SQL concepts for managed relational database scenarios.
- Identify analytics services when the scenario emphasizes reporting, pipelines, or large-scale analysis.
- Avoid over-designing: choose the fundamental service category the question is asking for.
Identity, Access, and Security
Identity and Access Core Concepts
| Concept | What it means | Exam-readiness cue |
|---|---|---|
| Microsoft Entra ID | Cloud-based identity and access management service | Users, groups, applications, authentication |
| Authentication | Proving who you are | Password, MFA, sign-in |
| Authorization | Determining what you can access | Roles, permissions, access decisions |
| Multi-factor authentication | Requires additional verification beyond a password | Reduce risk from compromised passwords |
| Conditional Access | Policy-based access decisions | “Require MFA when conditions are met” |
| Role-based access control | Assigns permissions to users/groups/service principals at a scope | “Grant Reader access to a resource group” |
| Zero Trust concept | Never automatically trust; verify explicitly | Identity, device, network, least privilege |
| Least privilege | Grant only required access | Avoid excessive permissions |
RBAC vs Policy vs Locks
This is one of the most important AZ-900 distinction areas.
| Control | Main purpose | Example |
|---|---|---|
| RBAC | Controls who can perform actions | Allow a user to read resources in a subscription |
| Azure Policy | Enforces or audits resource rules | Require resources to use approved regions or tags |
| Resource locks | Prevent accidental deletion or modification | Stop a critical resource from being deleted |
| Tags | Organize resources for reporting and management | Track department, cost center, environment |
Can you do this?
- Explain authentication versus authorization.
- Explain Microsoft Entra ID at a fundamental level.
- Identify MFA as a way to strengthen sign-in security.
- Identify Conditional Access as policy-based access control using conditions.
- Explain RBAC as permission assignment, not resource compliance enforcement.
- Explain Azure Policy as governance enforcement/auditing, not user permission assignment.
- Explain resource locks as protection against changes or deletion.
- Recognize managed identities as an identity option for Azure resources in application scenarios.
Security Services and Concepts
| Security area | Azure concept | What to know |
|---|---|---|
| Security posture management | Microsoft Defender for Cloud | Recommendations, security posture, workload protection concepts |
| Secrets and keys | Azure Key Vault | Store secrets, keys, and certificates |
| Network filtering | NSGs, Azure Firewall | Control traffic at different scopes and levels |
| DDoS protection concept | DDoS protection services | Protect against distributed denial-of-service attacks |
| Encryption | Encryption at rest/in transit concepts | Protect data confidentiality |
| Threat protection | Defender-related services | Detect, assess, and help protect workloads |
| Security recommendations | Azure Advisor and Defender concepts | Improve reliability, performance, security, and cost posture |
Security readiness checklist:
- Know where secrets should be stored: Key Vault.
- Know why MFA is stronger than password-only authentication.
- Know that RBAC grants access to Azure resources.
- Know that Microsoft Entra ID is central to Azure identity.
- Know that Defender for Cloud helps assess and improve security posture.
- Know that encryption protects data but does not replace access control.
- Know that network security and identity security are separate but complementary controls.
Governance, Compliance, Privacy, and Trust
Governance Tool Selection
| Need | Best-fitting concept |
|---|---|
| Require resources to follow organizational rules | Azure Policy |
| Group policies for broader governance | Initiatives / policy grouping concept |
| Prevent accidental deletion | Resource locks |
| Track ownership, environment, or cost center | Tags |
| Apply governance across many subscriptions | Management groups |
| Review compliance posture | Compliance and governance tools |
| Understand Microsoft privacy/security/compliance commitments | Microsoft trust and compliance documentation concepts |
Governance Readiness Checklist
- Explain why governance matters in cloud environments.
- Identify Azure Policy for enforcing allowed locations, required tags, or allowed resource types.
- Identify tags for organization, reporting, and cost allocation.
- Identify resource locks for preventing accidental deletion or changes.
- Recognize management groups as a way to organize subscriptions.
- Understand that compliance is shared: Microsoft provides platform capabilities, and customers configure and operate their workloads responsibly.
- Recognize that privacy, compliance, and trust resources help customers evaluate Microsoft cloud commitments and controls.
Governance Traps
| Trap | Correct thinking |
|---|---|
| “Tags enforce security.” | Tags organize and report; Policy enforces rules. |
| “RBAC prevents resource deletion in all cases.” | RBAC controls permissions; locks can specifically protect resources from deletion or modification. |
| “Policy grants users access.” | Policy enforces or audits resource configuration rules; RBAC grants access. |
| “Compliance is fully handled by the cloud provider.” | Cloud compliance involves shared responsibilities and customer configuration choices. |
Cost Management, Pricing, and Support
Cost Factors to Understand
| Cost factor | What changes cost |
|---|---|
| Resource type | Different services have different pricing models |
| Usage amount | Compute time, storage consumed, transactions, data processed |
| Region | Costs can vary by location |
| Performance tier or SKU | Higher capabilities usually affect price |
| Data transfer | Some transfer patterns may affect cost |
| Reserved or committed options | Discounts may be available for predictable usage |
| Hybrid licensing benefits | Existing licenses may reduce costs in eligible scenarios |
| Support plan | Support level can affect support-related cost |
Cost Tools and Concepts
| Tool or concept | Use |
|---|---|
| Pricing calculator | Estimate cost before deployment |
| Total Cost of Ownership calculator | Compare on-premises and Azure cost assumptions |
| Cost Management | Analyze and manage actual cloud spending |
| Budgets | Set spending thresholds and alerts |
| Advisor | Get recommendations that can include cost optimization |
| Tags | Allocate and report costs by department, project, or environment |
| Reservations / savings concepts | Reduce cost for predictable workloads where appropriate |
Can you do this?
- Identify the pricing calculator for estimating Azure service costs.
- Identify TCO concepts for comparing existing infrastructure with cloud alternatives.
- Explain how budgets help monitor spending.
- Explain how tags support cost allocation.
- Recognize that stopping, resizing, scaling, deleting, or changing tiers can affect cost depending on the service.
- Recognize that high availability, redundancy, premium tiers, and data transfer choices can affect cost.
- Avoid assuming “cloud is always cheaper”; cloud cost depends on design and usage.
Azure Monitoring, Management, and Deployment Tools
Management Tool Selection
| Tool | Primary use | Readiness cue |
|---|---|---|
| Azure portal | Web-based management interface | “Use a browser to create and manage resources” |
| Azure CLI | Command-line management, often cross-platform | “Run commands in a shell” |
| Azure PowerShell | PowerShell-based Azure management | “Use PowerShell cmdlets” |
| Azure Cloud Shell | Browser-based shell environment | “Run CLI or PowerShell from the portal” |
| Azure Mobile App | Monitor/manage from mobile device | “Check status from a phone” |
| ARM templates | Declarative JSON infrastructure deployment | “Repeatable resource deployment” |
| Bicep | Declarative infrastructure as code language for Azure | “Simpler syntax for Azure deployments” |
| Azure Resource Manager | Deployment and management layer for Azure resources | “Consistent resource management API” |
Monitoring and Health
| Need | Azure concept |
|---|---|
| Collect metrics and logs | Azure Monitor |
| Query and analyze logs | Log Analytics concept |
| Notify when conditions occur | Alerts |
| View Azure service issues | Azure Service Health |
| View personalized resource health | Resource Health concept |
| Get optimization recommendations | Azure Advisor |
| Track activity on resources | Activity Log concept |
Readiness checklist:
- Explain Azure Monitor as the central monitoring concept.
- Distinguish Service Health from resource-level health.
- Identify Advisor for recommendations across areas such as cost, security, reliability, performance, and operational excellence.
- Explain why alerts are used.
- Recognize that infrastructure as code supports repeatable deployments.
- Know the difference between portal-based management and command-line automation.
Reliability, SLAs, and Lifecycle Concepts
Reliability Concepts
| Concept | What to know |
|---|---|
| SLA | Formal availability commitment concept for a service |
| Composite SLA | Combined availability when multiple dependent services are used |
| Availability set | VM availability concept for fault/update isolation |
| Availability zone | Physical separation within a region where supported |
| Region-level redundancy | Resiliency across different Azure regions |
| Backup | Point-in-time recovery concept |
| Disaster recovery | Restore service after a larger outage |
| Scaling | Add/remove capacity to match demand |
Can you do this?
- Explain that adding dependencies can affect overall availability.
- Distinguish high availability from backup.
- Distinguish backup from disaster recovery.
- Recognize availability zones as a resiliency feature where supported.
- Recognize that stronger resiliency often increases complexity and cost.
- Avoid memorizing unsupported exact SLA numbers unless the official study materials require them.
Scenario and Decision-Point Practice
Use these prompts to test whether you can choose, not just define.
| Scenario | Best concept to consider | Why |
|---|---|---|
| A company wants to host a website without managing the operating system | App Service | PaaS web hosting |
| A team needs full control of the operating system | Azure Virtual Machines | IaaS control |
| A workload runs code only when events occur | Azure Functions | Serverless event-driven compute |
| Users need access to cloud apps with stronger sign-in protection | MFA / Conditional Access | Identity-based access protection |
| Admins need to grant read-only access to a resource group | RBAC | Permission assignment |
| A company wants to require a tag on all new resources | Azure Policy | Governance enforcement |
| A critical resource must not be accidentally deleted | Resource lock | Deletion/change protection |
| A finance team needs cost allocation by department | Tags and Cost Management | Reporting and cost analysis |
| A branch office needs encrypted connectivity to Azure over the internet | VPN Gateway | Site-to-site connectivity concept |
| A company wants private connectivity to Azure through a provider | ExpressRoute | Private connection concept |
| An app needs simple asynchronous messaging | Queue Storage | Decoupling components |
| A company needs object storage for images and videos | Blob Storage | Unstructured object data |
| A team needs secure secret storage | Key Vault | Secrets, keys, certificates |
| Operations needs alerts when resource metrics exceed thresholds | Azure Monitor alerts | Monitoring and notification |
| Leadership wants recommendations to reduce cost and improve reliability | Azure Advisor | Optimization recommendations |
High-Value “Can You Do This?” Checklist
Mark these only when you can explain the answer aloud.
Cloud and Azure Basics
- Define cloud computing in practical business terms.
- Explain scalability, elasticity, high availability, and fault tolerance.
- Distinguish CapEx from OpEx.
- Compare public, private, hybrid, and multicloud.
- Apply the shared responsibility model to IaaS, PaaS, and SaaS.
- Explain why Azure regions and availability zones matter.
Services and Architecture
- Choose between VM, App Service, Functions, and containers for simple scenarios.
- Choose between Blob Storage, Azure Files, Queue Storage, Table Storage, and managed disks.
- Recognize relational vs NoSQL database scenarios.
- Explain the purpose of VNets, subnets, NSGs, VPN Gateway, and ExpressRoute.
- Identify when load balancing, application routing, or content delivery concepts apply.
- Explain subscriptions, resource groups, management groups, and tags.
Security, Identity, and Governance
- Explain Microsoft Entra ID.
- Distinguish authentication from authorization.
- Distinguish RBAC from Azure Policy.
- Distinguish Azure Policy from resource locks.
- Identify Key Vault for secrets.
- Identify Microsoft Defender for Cloud for security posture.
- Recognize MFA and Conditional Access scenarios.
- Apply least privilege and Zero Trust at a fundamental level.
Cost, Monitoring, and Operations
- Use the pricing calculator concept for estimating costs.
- Use TCO concepts for comparing on-premises and Azure.
- Explain budgets, cost alerts, and cost analysis.
- Explain Azure Monitor, alerts, Service Health, Resource Health, and Advisor.
- Recognize Azure portal, CLI, PowerShell, Cloud Shell, ARM templates, and Bicep.
- Explain why infrastructure as code supports repeatability.
Common AZ-900 Weak Areas and Traps
| Weak area | Why candidates miss it | How to fix it |
|---|---|---|
| RBAC vs Azure Policy | Both sound like “control” | RBAC controls user actions; Policy controls resource compliance |
| Authentication vs authorization | Terms are similar | Authentication proves identity; authorization grants access |
| Tags vs Policy | Tags are often used in governance scenarios | Tags label; Policy enforces or audits tag requirements |
| Locks vs permissions | Both can stop changes indirectly | Locks protect resources from deletion/modification even when permissions exist |
| Azure Monitor vs Service Health | Both relate to status | Monitor tracks resources/workloads; Service Health reports Azure service issues |
| VPN vs ExpressRoute | Both connect networks | VPN uses an encrypted path over the internet; ExpressRoute is private connectivity through a provider |
| Blob vs Files | Both store data | Blob is object storage; Azure Files is managed file share storage |
| IaaS vs PaaS | Both can host apps | IaaS gives OS control; PaaS reduces platform management |
| Availability zones vs regions | Both sound geographic | Zones are within a region; regions are broader locations |
| Cost tools | Names blur together | Pricing calculator estimates; Cost Management analyzes; budgets alert; TCO compares |
Quick Decision Matrix
| If the question asks… | Think first of… |
|---|---|
| “Who can access this resource?” | RBAC |
| “Which sign-in protections should apply?” | Microsoft Entra ID, MFA, Conditional Access |
| “How do we enforce allowed resource settings?” | Azure Policy |
| “How do we prevent deletion?” | Resource locks |
| “How do we organize cost by department?” | Tags |
| “How do we estimate before deploying?” | Pricing calculator |
| “How do we compare cloud vs on-premises cost?” | TCO calculator |
| “How do we receive health issue notifications?” | Service Health or Azure Monitor alerts, depending on scope |
| “How do we store app secrets?” | Key Vault |
| “How do we host a simple managed web app?” | App Service |
| “How do we run event-triggered code?” | Azure Functions |
| “How do we store unstructured objects?” | Blob Storage |
| “How do we connect on-premises privately?” | ExpressRoute |
| “How do we connect on-premises over encrypted internet?” | VPN Gateway |
Final-Week Review Checklist
Three to Five Days Before the Exam
- Re-read each readiness table and mark weak rows.
- Build a one-page comparison sheet for these pairs:
  - IaaS vs PaaS vs SaaS
  - Public vs private vs hybrid cloud
  - Region vs availability zone
  - Subscription vs resource group
  - RBAC vs Azure Policy vs locks
  - Azure Monitor vs Service Health vs Advisor
  - Blob Storage vs Azure Files vs Queue Storage
  - VPN Gateway vs ExpressRoute
- Complete a mixed AZ-900 practice set.
- Review every missed question by identifying the concept distinction, not just the right answer.
- Practice explaining Azure cost, governance, and identity topics aloud.
One to Two Days Before the Exam
- Stop deep-diving into advanced architecture topics that are beyond fundamentals.
- Focus on service selection and vocabulary precision.
- Review Microsoft Entra ID, RBAC, Policy, locks, tags, and Cost Management.
- Review Azure compute, storage, and networking service matching.
- Review monitoring and management tools.
- Take one timed practice set if it helps your pacing.
- Create a short list of remaining terms that still feel confusing.
Exam-Day Readiness Check
You are likely ready when you can:
- Read a short scenario and identify the best Azure service category.
- Explain why the correct answer is better than two similar distractors.
- Avoid mixing up identity, governance, and monitoring tools.
- Recognize fundamental Azure terminology without needing exact service-limit memorization.
- Handle cost, resiliency, and shared responsibility questions conceptually.
- Keep answers aligned to Microsoft Azure Fundamentals (AZ-900), not advanced Azure administrator or architect assumptions.
Practical Next Step
Use this Exam Blueprint to drive your next practice session: choose your weakest two readiness areas, answer a focused set of AZ-900-style questions, and write a one-sentence reason for every missed answer. Repeat until you can explain the service choice, governance control, or cloud concept without looking it up.