Quick Review focus
This independent Quick Review is for candidates preparing for the real Microsoft Azure Fundamentals (AZ-900) exam from Microsoft. Use it to refresh high-yield concepts before moving into topic drills, mock exams, and detailed explanations.
AZ-900 is a recognition-and-understanding exam. You usually need to identify the best Azure service, pricing concept, security control, governance tool, or cloud model from short scenarios. The main challenge is not deep configuration; it is choosing the correct concept quickly and avoiding similar-sounding distractors.
What to know at a glance
| Area | High-yield review target |
|---|---|
| Cloud concepts | IaaS, PaaS, SaaS; public, private, hybrid; CapEx vs OpEx; elasticity, scalability, high availability |
| Azure architecture | Regions, availability zones, subscriptions, resource groups, management groups, Azure Resource Manager |
| Compute | Virtual Machines, App Service, Azure Functions, containers, Azure Kubernetes Service |
| Networking | Virtual networks, subnets, NSGs, VPN Gateway, ExpressRoute, Azure Bastion, load balancing options |
| Storage | Blob, Files, Queue, Table, Disk Storage; access tiers; redundancy options |
| Identity and access | Microsoft Entra ID, users, groups, tenants, MFA, Conditional Access, RBAC |
| Security | Shared responsibility, defense in depth, Key Vault, Microsoft Defender for Cloud, Microsoft Sentinel |
| Governance | Azure Policy, resource locks, tags, management groups, Azure Blueprints conceptually if encountered |
| Cost and support | Pricing calculator, TCO calculator, Cost Management, reservations, Azure Advisor |
| Monitoring | Azure Monitor, Log Analytics, Application Insights, Service Health, Resource Health |
Cloud concepts
Cloud service models
| Model | You manage | Provider manages | Best clue in a question |
|---|---|---|---|
| IaaS | OS, runtime, apps, data, many security settings | Physical datacenter, hosts, networking foundation | “Lift and shift,” custom OS control, virtual machines |
| PaaS | App code and data | OS, runtime platform, scaling platform, patching foundation | “Deploy code without managing servers” |
| SaaS | Configuration and data usage | Application and underlying platform | “Use a complete application” such as email or CRM |
Common trap: Virtual Machines are IaaS, even when hosted in Azure. Azure App Service and Azure Functions are PaaS-style services because you do not manage the underlying server OS.
Deployment models
| Model | Meaning | Exam clue |
|---|---|---|
| Public cloud | Cloud resources delivered over the public internet and shared provider infrastructure | Fast provisioning, consumption-based pricing |
| Private cloud | Cloud-like environment dedicated to one organization | More direct control, often on-premises or dedicated hosting |
| Hybrid cloud | Combines public and private environments | Integration between on-premises and Azure |
| Multi-cloud | Uses more than one cloud provider | Avoid vendor concentration or use specialized provider features |
Core cloud benefits
| Concept | Meaning | Candidate mistake to avoid |
|---|---|---|
| High availability | System remains accessible despite failures | Do not confuse with backup |
| Scalability | Ability to increase or decrease capacity | Scaling can be vertical or horizontal |
| Elasticity | Automatic or rapid scaling based on demand | Usually tied to variable workloads |
| Reliability | Ability to recover from failure | Often supported by redundancy and resilient design |
| Predictability | More consistent performance and cost planning | Includes both performance and financial predictability |
| Security | Tools and controls to protect systems | Cloud does not remove customer security responsibilities |
| Governance | Enforcing standards and compliance | Think policy, tagging, locks, and scope |
| Manageability | Ability to deploy, monitor, and control resources | Includes portal, CLI, PowerShell, templates, automation |
CapEx vs OpEx
| Term | Meaning | Azure exam angle |
|---|---|---|
| Capital expenditure | Up-front spending on assets such as datacenters and servers | Traditional on-premises purchasing |
| Operational expenditure | Ongoing pay-as-you-go operating cost | Cloud consumption model |
| Consumption-based pricing | Pay for what you use | Helps avoid overprovisioning |
Shared responsibility model
The shared responsibility model is one of the most frequently tested AZ-900 concepts. The more managed the service, the more responsibility Microsoft carries for the platform, but the customer still owns identity decisions, data, access, and configuration choices.
| Responsibility | IaaS | PaaS | SaaS |
|---|---|---|---|
| Physical datacenter | Microsoft | Microsoft | Microsoft |
| Physical network | Microsoft | Microsoft | Microsoft |
| Physical hosts | Microsoft | Microsoft | Microsoft |
| Operating system | Customer | Microsoft | Microsoft |
| Application runtime | Customer | Microsoft | Microsoft |
| Application | Customer | Customer | Microsoft |
| Data | Customer | Customer | Customer |
| Identities and access | Customer | Customer | Customer |
| Endpoint devices | Customer | Customer | Customer |
High-yield rule: Microsoft secures the cloud infrastructure; customers secure what they put in the cloud and how they allow access to it.
Azure architecture and resource organization
Management hierarchy
| Level | Purpose | Exam clue |
|---|---|---|
| Management group | Organize multiple subscriptions | Apply governance across subscriptions |
| Subscription | Billing, access, and resource boundary | Separate environments, departments, or billing |
| Resource group | Logical container for resources | Manage lifecycle of related resources |
| Resource | Individual service instance | VM, storage account, virtual network, database |
Important rules:
- A resource belongs to one resource group.
- A resource group belongs to one subscription.
- Resources in the same resource group do not have to be in the same Azure region.
- Role assignments and policies can be applied at multiple scopes and inherited downward.
- Tags help with organization and cost reporting, but tags do not enforce compliance by themselves.
Regions and availability
| Concept | Meaning | Watch for |
|---|---|---|
| Region | Geographic area containing Azure datacenters | Choose for latency, compliance, availability, cost |
| Availability zone | Physically separate datacenter location within a region | Protects against datacenter-level failure |
| Region pair | Azure pairs many regions for resilience planning | Useful for disaster recovery design |
| Sovereign/specialized cloud | Isolated cloud for specific government or regulatory needs | Do not assume every service is available everywhere |
Common trap: Availability zones are inside a region. They are not the same as regions, and they are not the same as resource groups.
Azure Resource Manager
Azure Resource Manager, often called ARM, is the deployment and management layer for Azure resources.
| Feature | Why it matters |
|---|---|
| Consistent management layer | Portal, CLI, PowerShell, templates, and SDKs use ARM |
| Role-based access control integration | Access can be controlled by scope |
| Declarative deployment | ARM templates and Bicep define desired infrastructure |
| Tagging and policy support | Governance is applied through the management plane |
Compute services
| Service | Use when | Do not confuse with |
|---|---|---|
| Azure Virtual Machines | Need OS-level control, custom software, lift-and-shift | App Service |
| Virtual Machine Scale Sets | Need many identical VMs that scale | Manual VM creation |
| Azure App Service | Host web apps, APIs, or mobile back ends without managing servers | Azure Functions |
| Azure Functions | Run event-driven, serverless code | Always-on web hosting |
| Azure Container Instances | Run containers quickly without orchestrating a cluster | AKS |
| Azure Kubernetes Service | Orchestrate containerized applications at scale | Simple single-container jobs |
| Azure Virtual Desktop | Provide cloud-hosted desktops and apps | VM Scale Sets |
Compute decision rules
| Scenario phrase | Likely answer |
|---|---|
| “Full control over the operating system” | Azure Virtual Machines |
| “Deploy a web app without managing infrastructure” | Azure App Service |
| “Run code in response to an event” | Azure Functions |
| “Run a container quickly without managing servers” | Azure Container Instances |
| “Manage many containers with orchestration” | Azure Kubernetes Service |
| “Provide remote desktops from Azure” | Azure Virtual Desktop |
Common trap: “Serverless” does not mean no servers exist. It means the customer does not manage the servers.
Storage services
Core storage types
| Service | Best for | Exam clue |
|---|---|---|
| Blob Storage | Unstructured object data such as images, videos, backups, logs | “Object storage” or “unstructured data” |
| Azure Files | Managed file shares using SMB/NFS-style access | “Lift-and-shift file share” |
| Queue Storage | Simple message queue | “Decouple application components” |
| Table Storage | NoSQL key-value style data | “Structured NoSQL data” |
| Disk Storage | Persistent disks for Azure VMs | “Attach storage to a VM” |
Blob access tiers
| Tier | Use case | Key idea |
|---|---|---|
| Hot | Frequently accessed data | Higher storage cost, lower access cost |
| Cool | Infrequently accessed data | Lower storage cost, higher access cost |
| Archive | Rarely accessed data | Lowest storage cost, rehydration required before access |
Common trap: Archive is not for data that must be immediately readable.
Storage redundancy
| Option | Protects against | Quick interpretation |
|---|---|---|
| LRS | Local hardware failure within a datacenter | Lowest redundancy scope |
| ZRS | Datacenter/zone failure within a region | Replicates across availability zones |
| GRS | Regional outage using paired region replication | Cross-region protection |
| GZRS | Zone redundancy plus geo-replication | Stronger regional and zone resilience |
| RA-GRS / RA-GZRS | Read access to secondary copy | Readable secondary endpoint |
Decision rule: If the question says protect against datacenter failure within the same region, think ZRS. If it says protect against regional outage, think GRS/GZRS.
Networking
Foundational networking concepts
| Concept | Purpose | Candidate mistake |
|---|---|---|
| Virtual network | Private network boundary in Azure | Not the same as a subnet |
| Subnet | Segment inside a virtual network | Used to organize and isolate resources |
| Network security group | Allow/deny inbound and outbound traffic | Works at subnet or NIC level |
| Route table | Controls traffic routing | Different from NSG filtering |
| Public IP address | Internet-reachable address | May increase exposure if misused |
| Private IP address | Internal network communication | Used inside VNets and private connectivity |
Connectivity services
| Service | Use when | Watch for |
|---|---|---|
| VPN Gateway | Encrypted connection over the public internet | Site-to-site, point-to-site, VNet-to-VNet |
| ExpressRoute | Private connection to Microsoft cloud services | Does not travel over the public internet |
| Azure Bastion | Secure browser-based RDP/SSH to VMs | Avoids exposing RDP/SSH public IPs |
| Azure DNS | Host DNS domains and records | DNS hosting, not web hosting |
| Private Link | Private access to supported Azure services | Keeps traffic off public endpoint path |
Load balancing and traffic distribution
| Service | Layer / purpose | Best clue |
|---|---|---|
| Azure Load Balancer | Layer 4 TCP/UDP load balancing | Low-level network load distribution |
| Application Gateway | Layer 7 HTTP/HTTPS routing | Web traffic, URL routing, WAF |
| Azure Front Door | Global HTTP/HTTPS entry point | Global web acceleration and routing |
| Traffic Manager | DNS-based traffic distribution | Routes by DNS responses |
| Content Delivery Network | Cache static content near users | Improve delivery of static assets |
Common trap: Traffic Manager does not directly proxy application traffic; it uses DNS to direct clients.
Identity, access, and security
Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud identity and access management service. AZ-900 questions often test whether you can distinguish identity authentication from Azure resource authorization.
| Concept | Meaning |
|---|---|
| Tenant | Dedicated identity instance for an organization |
| User | Identity assigned to a person or workload |
| Group | Collection of users for easier access management |
| MFA | Requires additional verification beyond a password |
| Conditional Access | Enforces access decisions based on signals such as user, device, location, or risk |
| Single sign-on | Sign in once to access multiple applications |
| External identities | Collaborate with users outside the organization |
Authentication vs authorization
| Term | Question it answers | Example |
|---|---|---|
| Authentication | “Who are you?” | Sign in with password and MFA |
| Authorization | “What are you allowed to do?” | RBAC role assignment on a resource group |
Common trap: Microsoft Entra ID authenticates identities. Azure RBAC authorizes management access to Azure resources.
Azure role-based access control
| RBAC concept | Meaning |
|---|---|
| Security principal | User, group, service principal, or managed identity |
| Role definition | Set of allowed actions |
| Scope | Where the role applies: management group, subscription, resource group, or resource |
| Role assignment | Principal + role + scope |
High-yield rule: Grant access at the least broad scope that satisfies the requirement.
| Tool | Purpose | Exam clue |
|---|---|---|
| Microsoft Defender for Cloud | Security posture management and workload protection | Recommendations, secure score, threat protection |
| Microsoft Sentinel | Cloud-native SIEM/SOAR | Security analytics, incidents, automated response |
| Azure Key Vault | Store secrets, keys, and certificates | Protect passwords, API keys, cryptographic keys |
| Azure Firewall | Managed network firewall | Centralized network filtering |
| DDoS Protection | Protect against distributed denial-of-service attacks | Network-level attack mitigation |
| Network security groups | Basic network traffic filtering | Allow/deny by protocol, port, source, destination |
Defense in depth
Defense in depth means using layered controls rather than relying on a single security mechanism.
| Layer | Example controls |
|---|---|
| Physical security | Microsoft datacenter controls |
| Identity and access | MFA, Conditional Access, RBAC |
| Perimeter | DDoS Protection, Azure Firewall |
| Network | NSGs, segmentation, private endpoints |
| Compute | Endpoint protection, patching, hardening |
| Application | Secure development, WAF |
| Data | Encryption, Key Vault, access control |
Governance and compliance
| Tool | Use for | Common trap |
|---|---|---|
| Azure Policy | Enforce or audit rules | Policy can deny noncompliant deployments |
| Initiative | Group of policies | Useful for broader compliance goals |
| Resource locks | Prevent deletion or modification | Locks are not access permissions |
| Tags | Organize resources and costs | Tags do not enforce resource configuration |
| Management groups | Organize subscriptions | Good for enterprise governance |
| Azure Arc | Manage resources across Azure, on-premises, and other clouds | Extends Azure management |
Policy vs RBAC vs locks
| Need | Best fit |
|---|---|
| Prevent creation of resources in disallowed regions | Azure Policy |
| Allow a user to read but not change resources | Azure RBAC |
| Prevent accidental deletion of a resource | Resource lock |
| Track department or cost center | Tags |
| Apply governance across many subscriptions | Management groups |
Common trap: If the scenario says “ensure resources can only be created in approved regions,” choose Azure Policy, not tags.
Compliance and trust resources
| Resource | Purpose |
|---|---|
| Microsoft Purview | Data governance, risk, and compliance capabilities |
| Service Trust Portal | Compliance reports, audit information, trust documents |
| Azure compliance offerings | Information about Microsoft cloud compliance coverage |
| Privacy and security documentation | Understand how Microsoft handles security, privacy, and compliance responsibilities |
Pricing, cost management, and service levels
Cost drivers
| Cost factor | Review point |
|---|---|
| Resource type | Different services have different pricing models |
| Region | Pricing can vary by region |
| Usage amount | Compute time, storage volume, transactions, operations |
| Data transfer | Inbound is often treated differently from outbound; watch wording |
| Support plan | Support level can affect monthly cost |
| Reservations/savings | Commitment-based discounts can reduce predictable workload costs |
| Storage tier | Hot, cool, and archive trade storage cost against access cost |
| Tool | Best use |
|---|---|
| Pricing calculator | Estimate cost of planned Azure resources |
| TCO calculator | Compare on-premises costs with Azure costs |
| Microsoft Cost Management | Monitor, analyze, and control current Azure spend |
| Budgets and alerts | Notify when spending approaches thresholds |
| Azure Advisor | Recommendations for cost, performance, reliability, security, and operational excellence |
Common trap: Use the pricing calculator before deployment to estimate Azure service costs. Use Cost Management after resources exist to monitor and manage spending.
Service level concepts
| Concept | Meaning |
|---|---|
| SLA | Microsoft’s service-level commitment for a service or configuration |
| Composite SLA | Combined availability of multiple dependent services |
| Preview service | Feature not generally available; may have limitations |
| Public preview | Available for testing by customers |
| General availability | Production-ready release status |
For composite availability, multiply the availability of dependent components when every component is required for the solution to work:
\[
\text{Composite availability} = A_1 \times A_2 \times A_3 \times \cdots
\]
Common trap: Adding more required dependencies can reduce composite availability unless the architecture adds redundancy.
Monitoring and management
| Tool | Use for | Exam clue |
|---|---|---|
| Azure Monitor | Collect and analyze telemetry across Azure resources | Metrics, logs, alerts |
| Log Analytics | Query logs using a workspace | Analyze log data |
| Application Insights | Application performance monitoring | Web app performance, failures, dependencies |
| Azure Service Health | Azure service incidents affecting you | Regional/service outage communication |
| Azure Resource Health | Health of a specific resource | Diagnose whether a resource is affected |
| Alerts | Notify or trigger actions | Thresholds, metrics, logs |
| Tool | Best for |
|---|---|
| Azure portal | Browser-based graphical management |
| Azure PowerShell | Scripted management using PowerShell cmdlets |
| Azure CLI | Cross-platform command-line management |
| Azure Cloud Shell | Browser-based shell with Azure tools preinstalled |
| ARM templates | JSON declarative infrastructure deployment |
| Bicep | Simpler declarative language for Azure resources |
| Azure mobile app | Monitor and manage resources from mobile devices |
Common trap: PowerShell and CLI can often perform similar management tasks, but they use different syntax and are preferred by different administrator workflows.
Scenario decision map
```mermaid
flowchart TD
    A[Read the scenario requirement] --> B{Need identity or access?}
    B -->|Sign-in, MFA, SSO| C[Microsoft Entra ID]
    B -->|Permissions on Azure resources| D[Azure RBAC]
    B -->|Prevent noncompliant deployments| E[Azure Policy]
    A --> F{Need compute hosting?}
    F -->|OS control| G[Azure Virtual Machines]
    F -->|Web app without server management| H[Azure App Service]
    F -->|Event-driven code| I[Azure Functions]
    F -->|Container orchestration| J[AKS]
    A --> K{Need connectivity?}
    K -->|Encrypted over internet| L[VPN Gateway]
    K -->|Private circuit| M[ExpressRoute]
    K -->|Secure VM admin without public RDP/SSH| N[Azure Bastion]
    A --> O{Need cost planning?}
    O -->|Estimate before deployment| P[Pricing calculator]
    O -->|Compare on-premises to Azure| Q[TCO calculator]
    O -->|Analyze current spend| R[Cost Management]
```
Common AZ-900 traps
| Trap | Correct thinking |
|---|---|
| “Cloud means Microsoft handles all security.” | Responsibility is shared; customer still manages data, identity, and access. |
| “Resource groups are physical locations.” | Resource groups are logical containers. Regions are physical/geographic. |
| “Tags enforce compliance.” | Tags organize and report; Azure Policy enforces rules. |
| “RBAC controls network traffic.” | RBAC controls management access; NSGs and firewalls control traffic. |
| “Availability zones are separate regions.” | Zones are separate datacenter locations within a region. |
| “Archive storage is instantly available.” | Archive data must be rehydrated before access. |
| “ExpressRoute is a VPN.” | ExpressRoute is private connectivity; VPN uses encrypted tunnels over the internet. |
| “Traffic Manager is a load balancer proxy.” | Traffic Manager is DNS-based routing. |
| “App Service gives full OS control.” | Use Virtual Machines when full OS control is required. |
| “Azure Monitor and Service Health are the same.” | Azure Monitor tracks telemetry; Service Health reports Azure service issues affecting you. |
How to use practice questions effectively
After this Quick Review, use IT Mastery practice to turn recognition into exam-speed decision making.
- Start with topic drills for one area at a time, such as identity, pricing, storage, or networking.
- Review every missed item with detailed explanations, especially when two Azure services seemed plausible.
- Build a short “confusion list” of pairs you mix up, such as Azure Policy vs RBAC or VPN Gateway vs ExpressRoute.
- Move to mixed original practice questions once individual topics feel familiar.
- Use mock exams to practice pacing, wording recognition, and elimination.
A strong AZ-900 question bank should help you explain why the right answer is right and why the distractors are wrong.
Final quick checklist
Before your next practice set, confirm you can answer these without notes:
- Which responsibilities remain with the customer in IaaS, PaaS, and SaaS?
- When should you choose VMs, App Service, Functions, containers, or AKS?
- What is the difference between a region, availability zone, resource group, and subscription?
- Which storage service fits blobs, files, queues, tables, and VM disks?
- When do you choose LRS, ZRS, GRS, or GZRS?
- How do Microsoft Entra ID, MFA, Conditional Access, and Azure RBAC differ?
- When should you use Azure Policy, tags, locks, or management groups?
- Which tool estimates cost before deployment, compares TCO, or monitors current spend?
- Which monitoring tool fits logs, app performance, service incidents, or resource health?
Next step: take a focused AZ-900 topic drill from the question bank, review the detailed explanations, and repeat this Quick Review for any topic where you miss more than a few questions.