Exam identity and study focus
This Quick Reference supports independent review for the Microsoft Azure Fundamentals exam (exam code AZ-900).
AZ-900 is a fundamentals exam. Expect concept and service-selection questions more than deep configuration. Focus on:
- Cloud concepts: IaaS, PaaS, SaaS, public/private/hybrid cloud, CapEx vs OpEx.
- Azure architecture: regions, availability zones, subscriptions, resource groups, management groups.
- Core services: compute, networking, storage, databases, identity, security, monitoring.
- Governance and cost: Azure Policy, RBAC, locks, tags, pricing tools, SLAs, support, compliance.
Cloud concepts
Cloud benefits and exam meanings
| Concept | Meaning for AZ-900 | Common trap |
|---|---|---|
| High availability | Keep services accessible despite failure | Not the same as backup |
| Scalability | Increase or decrease capacity | Vertical = bigger resource; horizontal = more instances |
| Elasticity | Scale automatically with demand | Usually tied to automation and consumption billing |
| Agility | Deploy and change resources quickly | Not a security feature |
| Fault tolerance | Continue operating when a component fails | Often uses redundancy |
| Disaster recovery | Restore service after major outage | Usually includes backup, replication, failover plans |
| Global reach | Deploy near users in multiple regions | Requires intentional architecture |
| Economies of scale | Cloud provider spreads cost across many customers | Helps explain lower unit costs |
| Consumption-based pricing | Pay for what you use | Does not mean every service is free when idle |
| OpEx | Operating expense; pay-as-you-go style spending | Cloud usually shifts spend from CapEx to OpEx |
| CapEx | Up-front capital purchase | Typical of owning datacenters |
Cloud models
| Model | Who owns infrastructure? | When to choose | AZ-900 distinction |
|---|---|---|---|
| Public cloud | Cloud provider | General workloads, rapid deployment, elastic scale | Shared infrastructure, accessed over network |
| Private cloud | Organization or dedicated provider | More direct control, legacy constraints, specific governance | Still cloud if it has cloud characteristics |
| Hybrid cloud | Both public and private | Gradual migration, regulatory constraints, on-prem integration | Combines environments |
| Multi-cloud | Multiple cloud providers | Avoid lock-in, use provider-specific services | Not the same as hybrid unless private/on-prem is included |
Service models and responsibility
| Model | Provider manages | Customer manages | Best fit |
|---|---|---|---|
| IaaS | Physical datacenter, hardware, virtualization | OS, runtime, apps, data, access | Maximum control in cloud |
| PaaS | Infrastructure, OS, middleware/runtime platform | App code, data, access, configuration | Build apps without server administration |
| SaaS | Full application stack | Users, data, access, configuration | Use a ready application |
High-yield rule: the customer is always responsible for data, identities, accounts, and access decisions. Microsoft handles more of the stack as you move from IaaS to PaaS to SaaS.
Azure architecture essentials
Core hierarchy
| Layer | Purpose | Key exam facts |
|---|---|---|
| Microsoft Entra tenant | Identity boundary | Formerly Azure Active Directory; users, groups, apps, authentication |
| Management group | Organize subscriptions | Apply governance across many subscriptions |
| Subscription | Billing and resource boundary | Associated with an Entra tenant; quotas and access scopes apply here |
| Resource group | Lifecycle container for resources | Cannot be nested; deleting a resource group deletes contained resources |
| Resource | Individual Azure service instance | VM, storage account, database, VNet, etc. |
Important distinctions:
- A resource group has a location for metadata, but resources inside it can be in different Azure regions.
- A resource belongs to one resource group at a time.
- RBAC and Azure Policy inherit downward from higher scopes such as management groups, subscriptions, and resource groups.
- Tags do not automatically enforce rules. They help organize, report, automate, and allocate costs.
Regions, availability, and resilience
| Term | Meaning | Use it for |
|---|---|---|
| Region | Geographic area containing Azure datacenters | Place workloads near users or data requirements |
| Region pair | Microsoft-designated pairing used for regional resilience planning | Disaster recovery concepts |
| Availability zone | Physically separate datacenter location within a region | Protect against datacenter-level failure |
| Availability set | Logical grouping for VMs across fault/update domains | Older VM resiliency pattern inside a datacenter/region |
| Fault domain | Hardware failure boundary | Avoid all VMs failing from same hardware issue |
| Update domain | Maintenance/reboot boundary | Avoid all VMs rebooting at once |
| Zone-redundant service | Replicated across availability zones | Higher regional resilience |
| Geo-redundant service | Replicated to another region | Disaster recovery across regions |
Common traps:
- Availability zones protect against datacenter-level failures within a region.
- Region pairs support regional recovery planning; you usually do not memorize pair names for fundamentals.
- Backups protect data recovery; they are not the same as high availability.
- A single highly available Azure service can still be part of a low-availability solution if other dependencies are single points of failure.
Compute and application hosting
| Service | Model | Choose when | Avoid/confuse with |
|---|---|---|---|
| Azure Virtual Machines | IaaS | Need OS control, custom software, lift-and-shift | More admin work: patching, OS security, scaling |
| Virtual Machine Scale Sets | IaaS automation | Need many similar VMs with autoscale | Not for one unique server |
| Azure App Service | PaaS | Host web apps, APIs, mobile back ends | No full OS control like a VM |
| Azure Functions | Serverless | Event-driven code, small tasks, automatic scaling | Not the same as Logic Apps workflow design |
| Azure Logic Apps | PaaS/serverless workflow | Low-code automation with connectors | Not primarily for custom compute-heavy code |
| Azure Container Instances | Container | Run a container quickly without managing servers | Not full orchestration |
| Azure Kubernetes Service | Container orchestration | Need Kubernetes for microservices and container scheduling | More operational complexity than basic containers |
| Azure Container Apps | Serverless containers | Event-driven containerized apps and microservices | Not chosen just because “container” appears |
| Azure Virtual Desktop | Desktop/app virtualization | Provide cloud-hosted desktops or remote apps | Not general VM hosting for server workloads |
| Azure Batch | Batch compute | Large-scale parallel or scheduled compute jobs | Not a web hosting platform |
Compute selection shortcuts
| Requirement phrase | Likely answer |
|---|---|
| “Maximum control over OS” | Azure Virtual Machines |
| “Run event-driven code without managing servers” | Azure Functions |
| “Connect SaaS apps and automate workflow with minimal code” | Azure Logic Apps |
| “Host a web app without managing OS patches” | Azure App Service |
| “Run containers without orchestration” | Azure Container Instances |
| “Orchestrate many containers with Kubernetes” | Azure Kubernetes Service |
| “Scale out identical VM instances” | Virtual Machine Scale Sets |
| “Provide remote desktops from Azure” | Azure Virtual Desktop |
Storage and data services
Azure Storage options
| Service | Data type | Choose when | Exam distinction |
|---|---|---|---|
| Blob Storage | Object/unstructured data | Images, video, documents, backups, logs | Best general object storage |
| Azure Files | Managed file shares | SMB/NFS-style shared file access | Can be mounted by cloud or on-prem systems |
| Queue Storage | Simple messages | Decouple app components with basic queueing | Simpler than Service Bus |
| Table Storage | NoSQL key/attribute data | Simple structured non-relational storage | Not relational SQL |
| Managed Disks | VM disks | Persistent disks for Azure VMs | Tied to VM storage needs |
| Azure Data Lake Storage | Analytics data lake | Big data analytics, hierarchical namespace | Built on Azure Storage concepts |
| Archive tier | Rarely accessed data | Lowest-cost long-term storage pattern | Retrieval is slower than hot/cool access |
Storage redundancy
| Redundancy type | Protects against | Core idea |
|---|---|---|
| LRS | Local hardware failure | Replication within a single datacenter in the primary region |
| ZRS | Datacenter/zone failure | Replication across availability zones in a region |
| GRS | Regional outage | Replication to a secondary region |
| GZRS | Zone plus regional failure | Combines zone and geo redundancy |
| Read-access geo redundancy | Need reads from secondary copy | Secondary region can be read if configured |
High-yield rule: choose ZRS for zone resilience inside a region; choose GRS/GZRS for cross-region disaster recovery patterns.
Database and analytics services
| Service | Type | Choose when | Trap |
|---|---|---|---|
| Azure SQL Database | Managed relational database | Modern SQL app needing PaaS database | Not full SQL Server OS control |
| Azure SQL Managed Instance | Managed SQL with broader compatibility | Migrate SQL Server apps needing instance-level features | More SQL compatibility than single database PaaS |
| SQL Server on Azure VMs | IaaS database | Need full OS and SQL Server control | Customer manages OS and SQL operations |
| Azure Cosmos DB | Globally distributed NoSQL | Low-latency NoSQL apps, global distribution | Not the default for every database |
| Azure Database for PostgreSQL | Managed open-source relational | PostgreSQL workloads without VM admin | Not Microsoft SQL Server |
| Azure Database for MySQL | Managed open-source relational | MySQL workloads without VM admin | Not SQL Database |
| Azure Synapse Analytics | Analytics platform | Data warehousing, big data analytics | Not an OLTP app database |
| Azure Data Factory | Data integration/ETL | Move and transform data across systems | Not a database engine |
| Microsoft Fabric | Unified analytics platform | Analytics, data engineering, BI scenarios | Know broad purpose, not deep configuration for AZ-900 |
Networking quick reference
Core networking services
| Service | Purpose | Choose when |
|---|---|---|
| Virtual Network | Private network in Azure | Isolate and connect Azure resources |
| Subnet | Segment inside a VNet | Organize resources and apply controls |
| Network Security Group | Allow/deny traffic at subnet or NIC level | Basic network filtering |
| Route table | Custom routing | Control packet paths |
| VNet peering | Connect VNets privately | Low-latency private VNet-to-VNet connectivity |
| VPN Gateway | Encrypted connection over public internet | Site-to-site, point-to-site, VNet-to-VNet VPN |
| ExpressRoute | Private connectivity through connectivity provider | Dedicated private circuit to Microsoft cloud |
| Azure Bastion | Browser-based RDP/SSH without public IPs | Secure admin access to VMs |
| NAT Gateway | Outbound internet connectivity for private resources | Stable outbound access from subnets |
| Azure DNS | Host DNS domains | Manage DNS records |
| Private Link / Private Endpoint | Private IP access to Azure services | Keep service access off public internet path |
| Service Endpoint | Secure VNet access to supported Azure services | Simpler service access tied to VNet identity |
| DDoS Protection | Network-layer DDoS protection | Protect public-facing resources from volumetric attacks |
Load balancing and traffic routing
| Service | Layer/scope | Choose when | Common trap |
|---|---|---|---|
| Azure Load Balancer | Layer 4, regional | TCP/UDP load balancing | Not web-aware routing |
| Application Gateway | Layer 7, regional | HTTP/HTTPS routing, WAF, path-based routing | Regional, not global edge by itself |
| Azure Front Door | Layer 7, global | Global web app acceleration, WAF, HTTP routing | Not just a regional load balancer |
| Traffic Manager | DNS-based, global | Route users by DNS policy | Does not proxy application traffic |
| Azure CDN | Content caching | Cache static content near users | Not a compute platform |
Network security distinctions
| If the question asks for… | Choose |
|---|---|
| Basic allow/deny by source, destination, port, protocol | Network Security Group |
| Centralized stateful network firewall | Azure Firewall |
| Protection from common web attacks | Web Application Firewall |
| Protection from large-scale network DDoS attacks | Azure DDoS Protection |
| Private admin access to VMs without public IP | Azure Bastion |
| Private circuit from on-premises to Microsoft cloud | ExpressRoute |
| Encrypted tunnel over internet | VPN Gateway |
| Private IP for a PaaS service in your VNet | Private Endpoint |
Identity, access, and security
Identity and access control
| Concept | Purpose | AZ-900 distinction |
|---|---|---|
| Microsoft Entra ID | Cloud identity and access service | Formerly Azure Active Directory |
| Tenant | Dedicated Entra ID instance | Identity boundary for an organization |
| Authentication | Prove who you are | Sign-in, passwordless, MFA |
| Authorization | Decide what you can do | RBAC, app permissions, policies |
| Multi-factor authentication | Extra sign-in verification | Reduces identity compromise risk |
| Conditional Access | Access decisions based on signals | User, device, location, risk, app conditions |
| Role-based access control | Grant actions on Azure resources | Scope can be management group, subscription, resource group, or resource |
| Managed identity | Azure-managed identity for a resource | Avoid storing credentials in code |
| Privileged Identity Management | Just-in-time privileged access | Reduces standing admin access |
| External identities | Access for partners/customers | Collaboration and customer identity scenarios |
High-yield distinction:
- Microsoft Entra ID authenticates identities.
- Azure RBAC authorizes actions on Azure resources.
- Azure Policy enforces resource rules.
- Resource locks prevent deletion or modification.
- These are often combined but answer different questions.
Security services and controls
| Service/control | Use it for | Do not confuse with |
|---|---|---|
| Microsoft Defender for Cloud | Cloud security posture and workload protection | Microsoft Sentinel SIEM |
| Microsoft Sentinel | SIEM/SOAR, security analytics, incident response | Defender posture recommendations |
| Key Vault | Store secrets, keys, certificates | General file storage |
| Azure Firewall | Managed network firewall | NSG basic filtering |
| Web Application Firewall | Protect web apps from common attacks | DDoS volumetric protection |
| Azure DDoS Protection | DDoS mitigation | Identity security |
| Microsoft Defender XDR | Extended detection and response across Microsoft security products | Azure RBAC |
| Azure Backup | Data protection and restore | High availability by itself |
| Azure Site Recovery | Disaster recovery replication/failover | Routine backup only |
Security principles to remember:
- Use least privilege with RBAC.
- Use MFA and Conditional Access for identity protection.
- Use managed identities instead of embedded secrets.
- Store secrets in Key Vault, not in source code or app settings when avoidable.
- Use defense in depth: identity, network, application, data, monitoring, governance.
Governance and resource management
| Tool | Primary purpose | Example exam phrase |
|---|---|---|
| Management groups | Organize subscriptions for governance | “Apply policy across many subscriptions” |
| Azure Policy | Enforce or audit resource compliance | “Only allow specific regions/SKUs” |
| Policy initiative | Group multiple policies | “Track compliance against a standard” |
| Azure RBAC | Grant permissions | “Allow a user to manage VMs” |
| Resource lock | Prevent deletion or modification | “Stop accidental deletion” |
| Tags | Metadata for organization and cost allocation | “Identify cost center or environment” |
| Azure Resource Manager | Deployment and management control plane | “Consistent resource deployment model” |
| ARM templates / Bicep | Infrastructure as code | “Repeatable declarative deployment” |
| Azure Arc | Manage hybrid and multicloud resources with Azure tools | “Apply Azure governance outside Azure” |
| Azure Advisor | Recommendations for cost, reliability, security, performance, operations | “Find optimization recommendations” |

| Need | Correct tool |
|---|---|
| Deny creating resources in an unapproved region | Azure Policy |
| Audit whether resources meet a standard | Azure Policy |
| Grant a user permission to restart a VM | Azure RBAC |
| Prevent owners from accidentally deleting a resource | Resource lock |
| Group resources by department for reporting | Tags |
| Apply governance to many subscriptions | Management groups |
| Deploy the same environment repeatedly | ARM template or Bicep |
Exam trap: RBAC says who can do something. Azure Policy says what is allowed or required.
Monitoring, health, and operations
| Service/tool | Purpose | Choose when |
|---|---|---|
| Azure Monitor | Collect and analyze metrics and logs | Central monitoring platform |
| Metrics | Numeric time-series data | CPU, availability, performance counters |
| Logs | Queryable event and diagnostic data | Troubleshooting and analysis |
| Log Analytics workspace | Store/query logs | Run log queries and centralize diagnostics |
| Application Insights | Application performance monitoring | Web app availability, dependencies, exceptions |
| Activity Log | Subscription-level control-plane events | Who changed what resource and when |
| Alerts | Notify or trigger actions | Respond to metrics/log conditions |
| Action groups | Alert response targets | Email, webhook, automation, ITSM |
| Network Watcher | Network diagnostics | Connection troubleshoot, packet capture, topology |
| Azure Service Health | Personalized Azure service incidents and maintenance | “Is Azure having an issue affecting my resources?” |
| Azure Resource Health | Health of individual resources | “Is this VM or service instance healthy?” |
| Azure Status | Public global Azure status | Broad service status, not personalized |
| Azure Advisor | Best-practice recommendations | Cost, reliability, performance, security, operations |
High-yield distinction:
- Azure Monitor is the overall monitoring service.
- Log Analytics is where logs are stored and queried.
- Application Insights focuses on application telemetry.
- Service Health is about Azure service issues that may affect you.
- Resource Health is about a specific resource.
Integration, messaging, AI, and IoT
Messaging and integration
| Service | Best for | Distinction |
|---|---|---|
| Event Grid | Event routing | Reactive event notifications |
| Event Hubs | High-volume event ingestion | Telemetry and streaming data |
| Service Bus | Enterprise messaging | Queues/topics, reliable brokered messaging |
| Queue Storage | Simple queueing | Lightweight decoupling |
| Logic Apps | Workflow integration | Low-code connectors and orchestration |
| API Management | Publish and secure APIs | Gateway, policies, developer access |
AI and machine learning
| Service | Purpose | Choose when |
|---|---|---|
| Azure AI services | Prebuilt AI APIs | Vision, language, speech, translation-style scenarios |
| Azure Machine Learning | Build/train/deploy ML models | Custom ML lifecycle |
| Azure AI Search | Search over content | Index and query documents/content |
| Azure Bot Service | Conversational agents | Chatbot scenarios |
| Azure OpenAI Service | Generative AI models through Azure | Enterprise app integration with generative AI capabilities |
For AZ-900, know the purpose and service family. Deep model training details are not usually the focus.
IoT services
| Service | Purpose | Choose when |
|---|---|---|
| Azure IoT Hub | Device-to-cloud communication | Manage and ingest device telemetry |
| Azure IoT Central | Managed IoT app platform | Build IoT solutions with less custom infrastructure |
| Device Provisioning Service | Provision IoT devices at scale | Automate device enrollment |
| Azure Sphere | Secured IoT device platform | Device hardware/software/security scenario |
Cost management, pricing, and SLAs
| Need | Tool or concept |
|---|---|
| Estimate cost for a planned Azure solution | Pricing Calculator |
| Compare on-premises cost to Azure migration | TCO Calculator |
| View and manage actual cloud spend | Microsoft Cost Management + Billing |
| Alert when spend approaches a threshold | Budgets and cost alerts |
| Group costs by project, owner, or department | Tags |
| Get optimization recommendations | Azure Advisor |
| Reduce cost with committed usage | Reservations or savings plans |
| Use unused capacity for interruptible workloads | Spot VMs |
| Use existing eligible licenses | Azure Hybrid Benefit |
| Understand third-party solution charges | Azure Marketplace billing details |
Cost drivers commonly tested:
- Resource type, size, and SKU.
- Region.
- Runtime duration.
- Storage capacity, redundancy, access tier, and transactions.
- Network bandwidth, especially outbound data transfer.
- Licensing.
- Support plan.
- Commitment discounts, reservations, and savings plans.
If an application depends on multiple independent services, all of which are required, composite availability is lower than the availability of any individual service (each A below is one service's availability):
\[
\text{Composite availability} = A_1 \times A_2 \times \cdots \times A_n
\]
If redundant components can serve the same function and either one can keep the solution available:
\[
\text{Redundant availability} = 1 - (1 - A_1)(1 - A_2)
\]
AZ-900-level SLA points:
- An SLA defines Microsoft uptime commitments and possible service credits.
- Higher resilience often requires multiple instances, availability zones, or regional redundancy.
- Preview services typically do not carry the same production commitments as generally available services.
- Composite solutions inherit risk from all critical dependencies.
Support, lifecycle, and compliance
| Topic | Know this |
|---|---|
| General availability | Production-ready service stage with standard support/SLA expectations |
| Preview | Early access; may have limited support or no standard SLA |
| Azure support plans | Technical support level depends on selected plan |
| Billing/subscription support | Separate from deep technical support |
| Microsoft Learn and documentation | Free learning and reference resources |
| Service Trust Portal | Microsoft compliance, audit, and trust documentation |
| Microsoft Purview | Data governance, risk, and compliance family |
| Compliance Manager | Helps assess and manage compliance posture |
| Azure Government | Azure environment for eligible government workloads |
| Azure China | Operated separately for China-specific cloud availability |
Do not memorize legal rules. Know which Microsoft tools help customers find compliance documentation and manage compliance posture.
| Tool | Use it for | Exam distinction |
|---|---|---|
| Azure portal | Browser-based management | Good for visual administration |
| Azure CLI | Cross-platform command-line automation | Often used in Bash or Cloud Shell |
| Azure PowerShell | PowerShell-based automation | Common for administrators |
| Azure Cloud Shell | Browser shell with Azure tools | No local install required |
| Azure Mobile App | Monitor/manage resources from mobile device | Lightweight management |
| Azure Resource Manager | Azure deployment/control plane | All resource requests go through ARM |
| ARM templates | JSON infrastructure as code | Declarative deployments |
| Bicep | Simplified Azure IaC language | Compiles to ARM templates |
| REST API / SDKs | Programmatic management | App and automation integration |
| Azure Marketplace | Find/deploy Microsoft and third-party solutions | May include paid third-party offerings |
| Azure DevOps / GitHub Actions | CI/CD automation | Deployment pipelines, not governance by themselves |
High-yield “if the question says…” table
| Scenario wording | Best answer |
|---|---|
| “Move existing servers with minimal change” | Azure Virtual Machines |
| “No server management for a web app” | Azure App Service |
| “Run code when an event occurs” | Azure Functions |
| “Automate business process using connectors” | Azure Logic Apps |
| “Store images, documents, and backups” | Blob Storage |
| “Shared file system using SMB/NFS-style access” | Azure Files |
| “Managed relational Microsoft SQL database” | Azure SQL Database |
| “Need full SQL Server and OS control” | SQL Server on Azure VMs |
| “Globally distributed NoSQL database” | Azure Cosmos DB |
| “Connect on-premises to Azure over encrypted internet tunnel” | VPN Gateway |
| “Private dedicated connection to Azure” | ExpressRoute |
| “Filter subnet traffic” | Network Security Group |
| “Central firewall policy” | Azure Firewall |
| “Protect web app from common web exploits” | Web Application Firewall |
| “Global DNS-based routing” | Traffic Manager |
| “Global HTTP acceleration and WAF” | Azure Front Door |
| “Regional HTTP routing with path-based rules” | Application Gateway |
| “Layer 4 TCP/UDP load balancing” | Azure Load Balancer |
| “Avoid public IPs for VM admin access” | Azure Bastion |
| “Store secrets and certificates” | Key Vault |
| “Grant user access to manage resources” | Azure RBAC |
| “Require resources to be in approved regions” | Azure Policy |
| “Prevent accidental deletion” | Resource lock |
| “Track cost by department” | Tags |
| “Estimate a new Azure solution” | Pricing Calculator |
| “Estimate savings from migration” | TCO Calculator |
| “Investigate Azure service outage affecting you” | Service Health |
| “Investigate health of one VM/resource” | Resource Health |
| “Security posture recommendations” | Microsoft Defender for Cloud |
| “SIEM/SOAR security analytics” | Microsoft Sentinel |
Common traps to avoid
- IaaS does not remove OS responsibility. If you choose VMs, the customer still manages OS patching and configuration.
- Serverless does not mean no servers exist. It means server infrastructure is abstracted from the customer.
- Azure Policy is not permissions. Use RBAC for access, Policy for compliance.
- Locks override ordinary management intent. Even authorized users may be blocked until a lock is removed.
- Tags are metadata, not enforcement. Use Policy if enforcement is required.
- Traffic Manager is DNS-based. It does not sit in the traffic path like a proxy.
- Load Balancer is Layer 4. For HTTP path-based routing, think Application Gateway or Front Door.
- Defender for Cloud and Sentinel are different. Defender improves security posture and workload protection; Sentinel is SIEM/SOAR.
- Backup is not the same as high availability. Backup restores data; HA keeps service running.
- A subscription is not the same as a tenant. Tenant is identity; subscription is billing/resource boundary.
- Resource groups are not folders with nested groups. They are flat lifecycle containers under a subscription.
- Region choice can affect cost, latency, availability, and compliance.
Rapid final-review checklist
Before sitting for AZ-900, be able to answer quickly:
- Which cloud model is public, private, or hybrid?
- Which service model is IaaS, PaaS, or SaaS?
- What does the customer always remain responsible for?
- How do management groups, subscriptions, resource groups, and resources relate?
- When do you choose availability zones versus region redundancy?
- Which compute option fits VMs, web apps, serverless code, workflows, and containers?
- Which storage service fits blobs, files, queues, tables, and disks?
- Which database fits relational SQL, full SQL Server control, open-source relational, and NoSQL?
- Which networking service fits VPN, ExpressRoute, Bastion, NSG, Firewall, WAF, and load balancing?
- Which identity/security tool fits authentication, authorization, secrets, posture management, and SIEM?
- Which governance tool fits policy enforcement, access assignment, locks, and tags?
- Which monitoring tool fits metrics/logs, app telemetry, service incidents, and resource health?
- Which cost tool fits estimates, migration TCO, budgets, recommendations, and actual spend?
- How do composite SLAs change when multiple dependencies are required?
Practical next step
Use this Quick Reference as a service-selection map, then practice mixed AZ-900 scenario questions that force you to choose between similar Azure services, governance controls, monitoring tools, and cost-management options.