AZ-900: Microsoft Azure Fundamentals Study Guide
AZ-900: Microsoft Azure Fundamentals validates foundational knowledge of cloud concepts, core Azure services, and Azure management, governance, and security features. It is aimed at candidates new to the cloud, both those in non-technical roles (sales, purchasing, management) and technical learners starting their Azure journey; no hands-on experience is required. The exam has roughly 40-60 questions, a 45-minute working time, and a passing score of 700 on a 1-1000 scale.
Domain 1: Describe Cloud Concepts
- CapEx is an upfront capital purchase of physical infrastructure (servers, datacenters) that depreciates over time; OpEx is an ongoing operational spend on services as you consume them. Moving to the cloud shifts spending from CapEx to OpEx.
- The consumption-based (pay-as-you-go) model means you pay only for the resources you actually use, with no upfront infrastructure cost and the ability to stop paying when a resource is no longer needed.
- Cloud benefits to know: high availability, scalability, elasticity, reliability, predictability, security, governance, and manageability.
- Scalability comes in two forms: vertical scaling (scaling up/down) adds CPU/RAM to an existing VM; horizontal scaling (scaling out/in) adds or removes more instances.
- Elasticity is the automatic adjustment of resources to match real-time demand, scaling out during peaks and back in when demand drops so you stop paying for unused capacity.
- High availability keeps a system operational despite component or datacenter failures; in Azure it is delivered through features such as Availability Zones and is backed by SLAs.
- IaaS (Infrastructure as a Service) gives the most customer control: you manage the OS, patching, runtime, middleware, and applications, while Microsoft manages the physical hardware, network, and virtualization. Azure Virtual Machines is the classic example.
- PaaS (Platform as a Service) provides a managed platform where Microsoft handles the OS and runtime; you focus on your application and data. Azure App Service and Azure SQL Database are examples.
- SaaS (Software as a Service) delivers fully managed software over the internet; the customer only manages their data and user access. Microsoft 365 and Dynamics 365 are examples.
- In the shared responsibility model the cloud provider is ALWAYS responsible for physical security of datacenters, host hardware, and the physical network, regardless of the service model.
- Responsibility shifts by model: in IaaS the customer owns more (OS, network controls, applications); in SaaS Microsoft owns nearly everything; data, devices, accounts/identities, and access management always stay (at least partly) the customer's responsibility.
- Public cloud shares resources across multiple organizations (multi-tenant) with no upfront capital cost; private cloud dedicates resources to a single organization for full control over security and compliance; hybrid cloud combines on-premises/private with public cloud so workloads and data can move between them.
- A Service Level Agreement (SLA) is the provider's formal commitment to a metric such as uptime percentage (for example 99.9%); composite SLAs of chained services are calculated by multiplying the individual SLAs.
- A hybrid cloud is the right fit when sensitive data must remain on-premises for compliance while less-sensitive workloads can burst to the public cloud for scale.
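As an added worked example (not part of the original guide), the composite-SLA rule from the SLA bullet above carried through in Python, and extended to the case where one tier is deployed redundantly; the tier SLAs used are constructed values, not Azure's published figures.

```python
# Added example for this AZ-900 guide (not Microsoft's code): composite SLA
# arithmetic for a chain of dependent services. The SLA figures below are
# constructed for illustration, not quoted from any Azure service.
from typing import Sequence, Union

MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200; a 30-day month is an assumption

# A tier is either one service's SLA (e.g. 0.999) or a sequence of SLAs for
# redundant instances, any one of which is enough to keep the tier up.
Tier = Union[float, Sequence[float]]


def tier_availability(tier: Tier) -> float:
    """Availability of one tier; redundant copies fail only when all fail."""
    if isinstance(tier, (int, float)):
        return float(tier)
    prob_all_down = 1.0
    for sla in tier:
        prob_all_down *= 1.0 - sla
    return 1.0 - prob_all_down


def composite_sla(tiers: Sequence[Tier]) -> float:
    """Chained (dependent) tiers: a request needs every tier, so multiply."""
    total = 1.0
    for tier in tiers:
        total *= tier_availability(tier)
    return total


def monthly_downtime_minutes(sla: float) -> float:
    """Permitted downtime per 30-day month implied by an availability figure."""
    return (1.0 - sla) * MINUTES_PER_MONTH


if __name__ == "__main__":
    # Constructed chain: web tier -> database -> message queue.
    chain = [0.9995, 0.9999, 0.999]
    sla = composite_sla(chain)
    print(f"chained composite SLA: {sla:.4%} "
          f"(~{monthly_downtime_minutes(sla):.1f} min/month)")
    # Deploying the weakest tier redundantly raises the composite SLA.
    redundant = [0.9995, 0.9999, [0.999, 0.999]]
    print(f"with redundant queue:  {composite_sla(redundant):.4%}")
```

The chained figure (about 99.84%) is lower than any single tier, which is why the exam stresses that adding dependent services lowers the overall SLA.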
Domain 2: Describe Azure Architecture and Services
- An Azure region is a geographical area containing one or more datacenters deployed within a latency-defined perimeter and connected by a dedicated regional low-latency network; Azure has 60+ regions worldwide.
- Region pairs are two regions within the same geography (typically 300+ miles apart) that provide disaster recovery and data residency; Azure sequences platform updates and prioritizes recovery across paired regions.
- Availability Zones are physically separate datacenter locations within a single region, each with independent power, cooling, and networking; deploying across zones protects against a datacenter-level failure.
- The Azure management hierarchy, from top to bottom, is: management groups, subscriptions, resource groups, and resources. Governance and RBAC applied at a higher scope are inherited downward.
- A resource group is a logical container for related resources; a resource exists in exactly one resource group at a time, and deleting the resource group deletes everything inside it.
- Azure Resource Manager (ARM) is the deployment and management layer; ARM templates (JSON) and Bicep enable infrastructure as code for consistent, repeatable deployments.
- Compute options: Azure Virtual Machines (IaaS), Azure App Service (PaaS web apps, mobile backends, REST APIs), Azure Functions (serverless, event-driven, pay-per-execution), Azure Container Instances/ACI (single fast-start containers), and Azure Kubernetes Service/AKS (managed Kubernetes orchestration with scaling and self-healing).
- Azure Virtual Network (VNet) enables Azure resources to securely communicate with each other, the internet, and on-premises networks, and provides isolation and segmentation.
- Network Security Groups (NSGs) filter inbound and outbound network traffic to Azure resources using prioritized allow/deny rules based on IP, port, and protocol.
- Cross-premises connectivity: Azure VPN Gateway sends encrypted traffic over the public internet, while Azure ExpressRoute provides a private, dedicated connection that does not traverse the internet.
- Azure Storage account services include Blob Storage (massive unstructured data such as images, video, and backups, with Hot/Cool/Cold/Archive tiers), Azure Files (managed SMB/NFS file shares), Queue Storage, and Table Storage.
- Storage redundancy options: LRS (locally redundant), ZRS (zone-redundant), GRS (geo-redundant, copies to the paired region), and GZRS (geo-zone-redundant); GRS and GZRS protect against a full regional outage.
- Azure database services include Azure SQL Database (managed relational PaaS), Azure Database for MySQL, Azure Database for PostgreSQL, and Azure Cosmos DB (globally distributed NoSQL).
- Microsoft Entra ID (formerly Azure Active Directory) is the cloud identity and access management service; Azure RBAC uses an allow model, and roles can be assigned at the management group, subscription, resource group, or resource scope.
- Azure Web Application Firewall (WAF) protects web apps from common exploits.
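The NSG rule evaluation described in the Network Security Groups bullet above, as an added simulation that is not Azure's own evaluation engine; the rule names, addresses and ports are constructed for illustration, and the simulation assumes only the default DenyAllInbound rule (omitting the default VNet and load-balancer allow rules).

```python
# Added example for this AZ-900 guide (not Azure's own engine): a simplified
# simulation of how an NSG evaluates prioritized inbound rules. Lower priority
# numbers are checked first, the first match decides, and a DenyAllInbound rule
# (priority 65500) catches the rest. Assumption: the real default rules that
# allow VNet and Azure load balancer traffic are left out for brevity.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules use 100-4096; lower is evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR prefix, or "*" for any source address
    dest_port: str    # "22", a range such as "8000-8080", or "*"

DEFAULT_DENY = Rule("DenyAllInbound", 65500, "Deny", "*", "*", "*")

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _source_matches(spec: str, src_ip: str) -> bool:
    if spec == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)

def evaluate_inbound(rules, src_ip: str, port: int, protocol: str) -> Rule:
    """Return the rule that decides a flow: first match in ascending priority."""
    for rule in sorted(list(rules) + [DEFAULT_DENY], key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_port, port)):
            return rule
    return DEFAULT_DENY

if __name__ == "__main__":
    # Constructed rule set: admins on 10.0.0.0/24 may SSH; everyone else is
    # denied SSH by an explicit rule that outranks any later, broader allow.
    rules = [
        Rule("AllowAdminSSH", 100, "Allow", "Tcp", "10.0.0.0/24", "22"),
        Rule("DenySSHFromAnywhere", 200, "Deny", "Tcp", "*", "22"),
        Rule("AllowWeb", 300, "Allow", "Tcp", "*", "443"),
    ]
    for ip, port in [("10.0.0.7", 22), ("203.0.113.9", 22), ("203.0.113.9", 3389)]:
        r = evaluate_inbound(rules, ip, port, "Tcp")
        print(f"{ip}:{port} -> {r.access} by {r.name} (priority {r.priority})")
```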
Domain 3: Describe Azure Management and Governance
- The Azure Pricing Calculator estimates the cost of services you plan to deploy; the Total Cost of Ownership (TCO) Calculator compares the cost of running on-premises workloads versus migrating them to Azure.
- Factors that affect cost include the resource type and configuration, the Azure region where it is deployed, and the volume of data transferred OUT of Azure datacenters (egress); inbound data transfer is generally free.
- Microsoft Cost Management (Cost Management + Billing) lets you monitor, allocate, and analyze cloud spend, set budgets, and create cost alerts; analyzing spend by tag requires applying tags to resources and resource groups first.
- Cost-optimization techniques: right-size or shut down underutilized VMs, configure auto-shutdown/auto-start schedules, use Azure Reserved Instances or savings plans for predictable workloads, and use the Azure Hybrid Benefit for existing licenses.
- Tags are name/value pairs applied to resources and resource groups for organization, cost reporting, and automation; tags are not inherited from a resource group to its resources by default.
- Azure Policy enforces organizational rules and standards over resources; a policy with a deny effect blocks non-compliant deployments (for example, the built-in 'Allowed locations' policy restricts which regions resources can be created in).
- Important distinction: Azure Policy with an audit effect flags non-compliant resources but lets them continue running, whereas a deny effect prevents creation; this differs from RBAC, which controls who can perform actions.
- Azure role-based access control (RBAC) governs WHO can do WHAT and WHERE using an allow model; common built-in roles are Owner (full access including granting access), Contributor (manage resources but not access), and Reader (view only).
- Resource locks protect against accidental change or deletion: a Delete lock (CanNotDelete) blocks deletion even by an Owner, and a ReadOnly lock blocks both modification and deletion until the lock is removed.
- Azure Advisor is a personalized recommendation engine analyzing your configuration and usage across five categories: Reliability, Security, Cost, Operational Excellence, and Performance.
- Microsoft Defender for Cloud assesses your security posture, provides hardening recommendations, calculates a Secure Score, and protects against threats across Azure and hybrid resources.
- Azure Service Health, Azure Monitor, Log Analytics, and Application Insights provide platform status, metrics/logs, and application telemetry for operational visibility.
- Management and deployment tools include the Azure portal (web GUI), Azure CLI (cross-platform command line), Azure PowerShell, and Azure Cloud Shell (browser-based shell, pre-authenticated, with Bash and PowerShell and pre-installed tools).
- Microsoft Purview supports data governance and compliance; the Microsoft Trust Center, Service Trust Portal, and Microsoft Privacy Statement provide compliance documentation; and regional/sovereign cloud offerings such as Azure Government and Azure China address specific compliance requirements.
AZ-900 exam tips
- Master the IaaS vs PaaS vs SaaS boundaries and the shared responsibility model; many questions hinge on who (Microsoft or the customer) is responsible for a given task such as OS patching, physical security, or data.
- Memorize the management hierarchy order (management groups > subscriptions > resource groups > resources) and remember that policy and RBAC assignments are inherited downward.
- Distinguish similar concepts that are commonly confused: scaling up vs scaling out, regions vs region pairs vs availability zones, Azure Policy (what can be deployed) vs RBAC (who can act), and VPN Gateway vs ExpressRoute.
- Know which tool does what: Pricing Calculator (estimate planned cost) vs TCO Calculator (on-premises vs Azure) vs Cost Management (track actual spend) vs Azure Advisor (recommendations) vs Defender for Cloud (security posture).
- Read each scenario carefully for the keyword that points to the answer (compliance, automatic, lowest cost, no infrastructure to manage, cannot be deleted); pace yourself, flag uncertain questions, and review them since there is no penalty for guessing.
Study guide FAQ
How many questions are on AZ-900 and what score do I need to pass?
Expect roughly 40 to 60 questions in about 45 minutes of working time. You need a score of 700 on a scale of 1 to 1000 to pass; the scaled score is not a simple percentage of questions correct.
Do I need hands-on Azure or coding experience to pass AZ-900?
No. AZ-900 is a fundamentals exam designed for both technical and non-technical candidates. It tests conceptual understanding of cloud and Azure rather than hands-on configuration or coding, though a free Azure account is useful for reinforcing the concepts.
What is the difference between Azure Policy and RBAC?
RBAC controls WHO can perform actions on resources and at what scope (it answers 'is this user allowed to do this?'). Azure Policy controls WHAT resource configurations are allowed (for example, only certain regions or VM sizes) and can audit or deny deployments that violate the rules. They are complementary, not interchangeable.
Is the terminology up to date - is it still Azure Active Directory?
Azure Active Directory has been renamed Microsoft Entra ID. The exam may reference either name, but the identity and access management service and its concepts (RBAC, conditional access, identities) are unchanged. Expect the newer Microsoft Entra ID naming on current exams.