The AZ-900 Services Domain Is A Service-Selection Test
The biggest mistake AZ-900 candidates make is trying to memorize every Azure product name equally. The current Microsoft Learn AZ-900 study guide lists skills measured as of January 14, 2026 and weights Azure architecture and services at 35-40% of the exam, the largest domain. The outline names regions, availability zones, resource groups, subscriptions, management groups, compute, networking, storage, migration options, identity, access, and security.
Competitor pages often summarize the same services, but many stop at definitions. AZ-900 questions ask which service fits a scenario. Your goal is not to say what Virtual Machines, App Service, Blob Storage, VPN Gateway, and Cosmos DB are. Your goal is to choose one when three answer choices look plausible.
Start With The Azure Resource Hierarchy
Before individual services make sense, know where they live. Management groups organize subscriptions. Subscriptions are billing, quota, and access boundaries. Resource groups collect resources with a shared lifecycle. Resources are the deployed items, such as virtual machines, virtual networks, storage accounts, public IP addresses, databases, and app services.
This hierarchy shows up in service questions because governance, billing, and organization depend on scope. If a question asks for a broad rule across many subscriptions, think management group. If it asks for a payment or quota boundary, think subscription. If it asks where related resources should be deployed and deleted together, think resource group.
Regions and availability zones are the next foundation. A region is a geographic area with one or more datacenters. Availability zones are physically separate locations inside supported regions. Region pairs support resiliency and planned update sequencing. Sovereign regions are isolated clouds for specific regulatory or government needs. For AZ-900, the purpose matters more than configuration detail.
Compute: Pick The Control Level
Azure compute questions are usually about how much infrastructure the customer wants to manage. The answer is rarely the newest service. It is the service that matches the control level.
| Service | AZ-900 cue | Why it is right |
|---|---|---|
| Azure Virtual Machines | Full OS control, custom software, lift-and-shift | IaaS gives the customer guest OS responsibility. |
| Virtual Machine Scale Sets | Many identical VMs that scale together | Use for automatic scaling of VM instances. |
| Availability Sets | VM resiliency pattern within a datacenter | Know the concept, though zones are the clearer modern clue. |
| Azure App Service | Managed web app or API | PaaS hosting without managing servers. |
| Azure Functions | Event-driven serverless code | Runs small tasks from events, timers, queues, or HTTP triggers. |
| Azure Container Instances | Simple container execution | Run a container quickly without orchestration. |
| Azure Kubernetes Service | Managed Kubernetes | Orchestrated containers, pods, rolling updates, and microservices. |
| Azure Virtual Desktop | Cloud-hosted desktops and apps | Remote Windows desktops or application virtualization. |
The practical rule is simple: choose VMs for OS control, App Service for managed web hosting, Functions for event-driven serverless tasks, Container Instances for a simple container, AKS when Kubernetes orchestration is the point, and Virtual Desktop for remote desktop/app access. Do not choose AKS just because the word container appears.
Networking: Read The Traffic Direction And Layer
Networking questions become easier when you ask what is connecting to what. Azure Virtual Network is the private network foundation. Subnets divide the address space. VNet peering connects virtual networks over Microsoft's backbone. Azure DNS hosts DNS zones. Public endpoints expose services over public IP addresses. Private endpoints connect privately to supported Azure services.
For hybrid networking, VPN Gateway uses encrypted connectivity over the public internet. ExpressRoute uses a private provider connection instead of the public internet. If a question emphasizes predictable enterprise connectivity, private path, or lower latency, ExpressRoute is usually better. If it emphasizes encrypted site-to-site connectivity at lower cost, VPN Gateway is usually better.
Traffic distribution questions test layers. Azure Load Balancer is layer 4 for TCP and UDP. Application Gateway is layer 7 for HTTP/HTTPS and features such as URL path routing, host routing, and Web Application Firewall integration. Azure Front Door is global HTTP/HTTPS edge routing and acceleration. Traffic Manager is DNS-based routing. AZ-900 will not ask you to configure them, but it will ask whether you can distinguish network layer, application layer, global edge, and DNS routing.
Storage: Match Data Shape, Access Pattern, And Redundancy
Microsoft's Azure Storage documentation separates storage services, data management, and migration options. AZ-900 tests the service-selection version of that map.
Blob Storage is object storage for unstructured data such as images, backups, logs, documents, and data lake files. Azure Files is managed SMB/NFS file shares for lift-and-shift applications or shared file access. Disk Storage provides persistent disks for Azure VMs. Queue Storage stores simple messages between application components. Table Storage is a NoSQL key-value store, though Cosmos DB is the broader globally distributed NoSQL answer.
Tiers and redundancy are common exam cues. Hot is for frequently accessed data. Cool is for infrequently accessed data with lower storage cost and higher access cost. Archive is for rarely accessed data that can tolerate retrieval delay. Locally redundant storage keeps copies in one datacenter. Zone-redundant storage spreads copies across availability zones in a region. Geo-redundant storage replicates to a secondary region. Geo-zone-redundant storage combines zone resilience in the primary region with geo-replication.
File movement tools are fair game because Microsoft names them in the study guide. AzCopy is a command-line copy tool. Azure Storage Explorer is a graphical tool. Azure File Sync helps cache and synchronize Azure Files with Windows Server. Azure Data Box is for moving large offline datasets when network transfer is impractical. Azure Migrate is for assessment and migration planning, not just copying files.
Databases: Stay At Fundamentals Depth
AZ-900 is not a database administration exam, but database service selection can appear inside architecture and services. Azure SQL Database is the default managed relational database answer for a single database. Azure SQL Managed Instance is closer to SQL Server compatibility for lift-and-shift scenarios that need instance-level features. SQL Server on Azure Virtual Machines gives the most control and most management responsibility. Azure Database for PostgreSQL and Azure Database for MySQL are managed open-source relational database services. Cosmos DB is the globally distributed NoSQL database answer.
The cue is the data model and management preference. Relational tables and less administration point to Azure SQL Database. Existing SQL Server instance compatibility points to SQL Managed Instance. Full OS and SQL Server control points to SQL Server on Azure VMs. Globally distributed NoSQL with low latency across regions points to Cosmos DB.
Do not over-study every Azure data product for this domain. Synapse, Databricks, Fabric, and advanced analytics tools are useful in real work, but the AZ-900 architecture/services objective is foundational. If a practice page turns this domain into a professional data-engineering catalog, come back to the official Microsoft outline.
Identity, Access, And Security Basics Are In This Domain
The 2026 AZ-900 outline keeps identity, access, and security inside architecture and services. Microsoft Entra ID is cloud identity and access management. Microsoft Entra Domain Services supports managed domain services for legacy apps that need LDAP, Kerberos, or domain join behavior. Single sign-on lets one identity access multiple apps. Multifactor authentication requires additional proof. Passwordless uses options such as Microsoft Authenticator, Windows Hello for Business, or FIDO2 keys.
Azure RBAC controls who can perform actions on Azure resources at a scope. Conditional Access evaluates sign-in conditions before access is granted. Zero Trust means verify explicitly, use least privilege, and assume breach. Defender for Cloud is posture management and workload protection. These are not deep security-engineer topics on AZ-900, but they frequently appear as short scenario questions.
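How scope inheritance plays out when Azure RBAC is evaluated against the resource hierarchy, as an added Python example that is not from Microsoft or the original page: a role assigned at a management group, subscription, or resource group also applies to everything beneath it. The subscription names, principals, and assignments are constructed, and the model covers only inherited role assignments, not deny assignments or conditions.

```python
# Added example: subscription names, principals and assignments are constructed.
MG_PARENT = {"mg-root": None, "mg-prod": "mg-root"}   # management group -> parent
SUB_TO_MG = {"sub-a": "mg-prod", "sub-b": "mg-root"}  # subscription -> management group
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

ASSIGNMENTS = [  # (principal, role, scope the role was assigned at)
    ("alice", "Reader", MG_PREFIX + "mg-root"),
    ("bob", "Contributor", "/subscriptions/sub-a/resourceGroups/rg-web"),
    ("carol", "Owner", MG_PREFIX + "mg-prod"),
]

def scope_chain(resource_id):
    """List every scope containing resource_id, narrowest first."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected an ID starting with /subscriptions/<name>")
    sub = parts[1]
    chain = []
    if len(parts) > 4:                       # an individual resource
        chain.append("/" + "/".join(parts))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))
    chain.append("/" + "/".join(parts[:2]))
    mg = SUB_TO_MG.get(sub)
    while mg is not None:                    # walk up the management groups
        chain.append(MG_PREFIX + mg)
        mg = MG_PARENT.get(mg)
    return chain

def effective_roles(principal, resource_id, assignments=ASSIGNMENTS):
    """Return [(role, granting_scope)] that apply to principal on resource_id."""
    chain = [s.lower() for s in scope_chain(resource_id)]  # IDs compare case-insensitively
    hits = [(chain.index(scope.lower()), role, scope)
            for who, role, scope in assignments
            if who == principal and scope.lower() in chain]
    return [(role, scope) for _, role, scope in sorted(hits)]

VM = ("/subscriptions/sub-a/resourceGroups/rg-web"
      "/providers/Microsoft.Compute/virtualMachines/vm1")

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, effective_roles(who, VM))
    print("bob on sub-b:", effective_roles("bob", "/subscriptions/sub-b"))
```

Reading the granting scope next to each role is what makes a least-privilege review possible: carol's Owner on vm1 comes from mg-prod, two levels above the resource group.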
High-Yield Azure Service Pairs
Use this as your final review sheet. It is more valuable than another alphabetical list.
| Pair | Choose this when... | Do not confuse it with... |
|---|---|---|
| VMs vs App Service | You need guest OS control. | Managed web hosting without server management. |
| App Service vs Functions | You host a web app or API continuously. | Event-driven serverless code. |
| ACI vs AKS | You need a simple container quickly. | Kubernetes orchestration and production container management. |
| VPN Gateway vs ExpressRoute | You need encrypted internet-based hybrid connectivity. | Private provider connectivity. |
| Load Balancer vs Application Gateway | You need layer 4 TCP/UDP distribution. | Layer 7 HTTP routing and WAF integration. |
| Front Door vs Traffic Manager | You need global HTTP edge acceleration/routing. | DNS-based traffic routing. |
| Blob vs Files vs Disks | You need object storage. | Shared file shares or VM disks. |
| Azure SQL Database vs Cosmos DB | You need managed relational SQL. | Globally distributed NoSQL. |
For each pair, practice explaining the wrong answer. If a question says route HTTP requests by URL path, Application Gateway is right because it is layer 7; Load Balancer is wrong because it is layer 4; Traffic Manager is wrong because it is DNS-based; VPN Gateway is wrong because it is hybrid connectivity.
Best Study Method For This Domain
Build a two-column page: scenario clue on the left, Azure service on the right. Then take practice questions until your explanations are faster than your memorization. Good review notes sound like: ExpressRoute is wrong because the scenario only asks for encrypted internet VPN, or Blob is wrong because the workload needs an SMB file share.
