AZ-900 Exam Review: Key Concepts Summary
Key Takeaways
- Domain 1 (Cloud Concepts): Focus on IaaS/PaaS/SaaS, shared responsibility model, cloud benefits, deployment models, and consumption-based pricing.
- Domain 2 (Azure Architecture and Services): Focus on regions, availability zones, resource hierarchy, compute, networking, storage, database, identity, and security services.
- Domain 3 (Management and Governance): Focus on cost management tools, Azure Policy, resource locks/tags, ARM templates, monitoring, compliance, and SLAs.
- Questions test breadth of knowledge — know WHAT each service does and WHEN to use it.
- Use the process of elimination, flag difficult questions, and never leave a question blank.
Domain 1: Cloud Concepts (25-30%) — Quick Reference
| Concept | Key Facts |
|---|---|
| Cloud Computing | On-demand IT resources over the internet, pay-as-you-go |
| CapEx vs. OpEx | CapEx = buy hardware (traditional); OpEx = rent services (cloud) |
| IaaS | You manage OS + apps (Azure VMs) |
| PaaS | You manage apps + data only (Azure App Service) |
| SaaS | You manage data + settings only (Microsoft 365) |
| Shared Responsibility | Customer ALWAYS owns data, accounts, identities, devices |
| Public Cloud | Multi-tenant, no CapEx, Azure |
| Private Cloud | Single-tenant, dedicated infrastructure |
| Hybrid Cloud | Public + private combined |
| Serverless | Event-driven, auto-scale, micro-billing (Azure Functions) |
| Scalability | Ability to adjust resources to meet demand |
| Elasticity | AUTOMATIC scaling based on real-time demand |
| High Availability | Redundancy with SLA-backed uptime |
Domain 2: Azure Architecture & Services (35-40%) — Quick Reference
Infrastructure
| Concept | Key Facts |
|---|---|
| Regions | 60+ geographic areas, each with data centers |
| Availability Zones | 3+ separate data centers within a region (protect against DC failure) |
| Region Pairs | 300+ miles apart, planned maintenance staggered, disaster recovery |
| Management Groups | Governance above subscriptions (policy + RBAC) |
| Subscriptions | Billing boundary + access control boundary |
| Resource Groups | Logical container; every resource in exactly ONE group |
| ARM | Single control plane for ALL Azure management tools |
Compute
| Service | Type | When to Use |
|---|---|---|
| Azure VMs | IaaS | Full OS control, lift-and-shift |
| VM Scale Sets | IaaS | Auto-scaling identical VMs |
| App Service | PaaS | Web apps, APIs |
| Container Instances | PaaS | Simple containers, quick start |
| Kubernetes Service | Managed | Complex microservices |
| Functions | Serverless | Event-driven code |
| Virtual Desktop | VDI | Remote desktops (multi-session) |
Networking
| Service | Purpose |
|---|---|
| Virtual Network | Private networking in Azure |
| VPN Gateway | Encrypted tunnel over internet (on-prem to Azure) |
| ExpressRoute | Private connection (NOT internet), up to 100 Gbps |
| Load Balancer | Layer 4 traffic distribution |
| Application Gateway | Layer 7 + WAF |
| Front Door | Global Layer 7 + CDN |
| Traffic Manager | DNS-based global routing |
| CDN | Cache content at edge locations |
| NSG | Virtual firewall (rules per subnet/NIC) |
Storage
| Service | Use Case |
|---|---|
| Blob Storage | Unstructured data (images, videos, backups) |
| Azure Files | SMB file shares |
| Queue Storage | Async messaging between app components |
| Table Storage | NoSQL key-value data |
| LRS/ZRS/GRS/GZRS | Redundancy from 3 copies to 6 copies |
| Hot/Cool/Cold/Archive | Access tiers by frequency |
Databases
| Service | Type | Best For |
|---|---|---|
| SQL Database | Managed SQL Server | New cloud-native apps |
| SQL Managed Instance | Near-100% SQL Server compat | Migration |
| Cosmos DB | Global NoSQL | Low-latency, multi-region |
| MySQL/PostgreSQL | Managed open-source | OSS database workloads |
Identity & Security
| Service | Purpose |
|---|---|
| Entra ID | Cloud identity (SSO, MFA, Conditional Access) |
| RBAC | WHO can access WHAT (Owner, Contributor, Reader) |
| Defender for Cloud | Security posture + threat protection (Secure Score) |
| Key Vault | Secrets, keys, certificates |
| Sentinel | SIEM + SOAR |
| Azure Firewall | Managed network firewall (L3-L7) |
| DDoS Protection | Anti-DDoS |
Domain 3: Management & Governance (30-35%) — Quick Reference
| Concept | Key Facts |
|---|---|
| Pricing Calculator | Estimate Azure costs BEFORE deployment |
| TCO Calculator | Compare on-premises vs. Azure costs |
| Cost Management | Monitor ACTUAL spending, create budgets |
| Azure Advisor | FREE recommendations (cost, security, reliability, performance, ops) |
| Azure Policy | Enforce WHAT resources can do (e.g., allowed regions) |
| RBAC | Control WHO can access resources |
| Resource Locks | Prevent accidental deletion (CanNotDelete) or modification (ReadOnly) |
| Tags | Key-value pairs for organization (NOT inherited) |
| ARM Templates | JSON infrastructure as code |
| Bicep | Simplified DSL that compiles to ARM JSON |
| Azure Monitor | Telemetry collection and analysis |
| Log Analytics | Query logs with KQL |
| Application Insights | Application performance monitoring |
| Service Health | Azure service issues and maintenance |
| SLAs | 99.9% ≈ 43 min downtime/month; composite = multiply percentages |
| Trust Center | Compliance certifications hub |
| Purview | Unified data governance |
Final Exam Day Checklist
Before sitting for the AZ-900, confirm you can answer these questions:
- What are the three cloud service models and how do they differ?
- What is the shared responsibility model?
- What are the three cloud deployment models?
- What are Azure Regions, Availability Zones, and Region Pairs?
- How does the Azure resource hierarchy work?
- When would you use VMs vs. App Service vs. Functions?
- What is the difference between VPN Gateway and ExpressRoute?
- What are the Azure Storage redundancy options?
- What does Entra ID do? How is it different from on-premises AD?
- What is RBAC and how does it differ from Azure Policy?
- What are the Zero Trust principles?
- What do the Pricing Calculator, TCO Calculator, and Cost Management do?
- What are resource locks and tags?
- What is Azure Monitor and what are its components?
- How are SLAs calculated when combining services?
Final Tip: The AZ-900 tests breadth, not depth. If you know WHAT each service does and WHEN to use it, you are well-prepared. Trust your first instinct, use process of elimination, and never leave a question blank. Good luck!
Which cloud service model requires you to manage the operating system but NOT the physical hardware?
An application needs to process thousands of short-lived tasks triggered by messages in a queue, with billing based only on actual execution time. Which service is BEST?
Which Azure service should you check FIRST when you suspect an Azure service outage is affecting your resources?
Which THREE of the following are principles of Zero Trust? (Select THREE)
A company stores critical data in Azure and needs protection against a complete Azure region failure. Which storage redundancy option should they choose?
What happens to the composite SLA when you add more dependent services to an architecture?