Study Guide · AZ-900

AZ-900 Cheat Sheet

272 entries · 11 chapters · 3 domains

Cloud Concepts

Cloud Computing

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Cloud computing rents IT resources over the internet

Cloud computing delivers compute, storage, networking, databases, and software as metered services over the internet, so you rent capacity and release it when you're done instead of buying and maintaining a datacenter. On Microsoft Azure you provision a resource in minutes and pay only for what you use, with the provider maintaining the underlying power, cooling, hardware, and networking.

2 questions test this
Azure is a multi-tenant public cloud

Azure is a public cloud where many customers (tenants) share the same physical infrastructure while staying logically isolated from one another. A tenant is a dedicated instance of a Microsoft Entra directory holding an organization's identities and resources, so isolation is logical, not a separate physical environment per customer.

Trap Assuming a public-cloud tenant gets its own dedicated physical hardware: multi-tenancy isolates customers logically while they share the same hosts.

1 question tests this
Shared responsibility model splits security by service type

The shared responsibility model defines which security tasks belong to Microsoft and which to the customer, and the boundary shifts with the service type. The more managed the service (IaaS → PaaS → SaaS), the more responsibility moves to Microsoft. In IaaS you still own the OS, applications, and network controls, while in SaaS Microsoft handles all but your data, identities, and access.

2 questions test this
Microsoft always owns the physical layer

Across IaaS, PaaS, and SaaS, Microsoft is always responsible for the physical datacenters, the physical network, and the physical hosts (plus the hypervisor). The customer never secures the hardware in a public cloud, no matter the service model.

Trap Assuming the customer secures the physical hosts or datacenter in IaaS, when Microsoft owns the physical layer at every service model.

18 questions test this
You always own data, identities, and access

Regardless of service model, even SaaS, the customer always retains responsibility for their data, accounts/identities, client endpoints, and access management. These four never transfer to Microsoft, which makes them the single most common shared-responsibility trap on the exam.

Trap Assuming a fully managed SaaS service makes Microsoft responsible for your data and user identities: those stay with the customer at every service tier.

17 questions test this
Public cloud is provider-owned and shared

A public cloud is built, controlled, and maintained by a third-party provider (Microsoft) and open to anyone who purchases its services, with no capital expenditure to scale up and pay-only-for-what-you-use billing. The tradeoff is that you don't have complete control over the resources and security the provider operates.

Trap Picking public cloud when the scenario demands complete control and data that is not collocated with other tenants, which points to private cloud.

2 questions test this
Private cloud is dedicated to one organization

A private cloud is used exclusively by a single organization and gives the most control over resources and security, with your data not collocated with other tenants'. You must purchase and maintain the hardware yourself, so it carries greater cost and fewer of the public cloud's elasticity benefits.

Trap Assuming a private cloud removes up-front hardware cost like public cloud, when you still buy and maintain the hardware yourself.

2 questions test this
Hybrid cloud connects public and private

A hybrid cloud links a public cloud with a private cloud or on-premises datacenter in one interconnected environment, letting a private cloud surge into public capacity for temporary demand. It gives the most flexibility: you choose which workloads run where to meet security, compliance, or legal requirements, e.g. keeping regulated data private while bursting elsewhere.

Trap Choosing multicloud for a scenario that keeps some workloads private or on-premises while using public cloud, which is hybrid, not multiple public providers.

1 question tests this
Multicloud uses more than one cloud provider

Multicloud means using two or more public cloud providers at once (often to use the best feature from each or while migrating between them) so you manage resources and security across both. Azure Arc can help manage resources spanning public, private, hybrid, and multicloud environments.

Trap Labeling a public-plus-on-premises setup as multicloud, when multicloud means two or more public cloud providers and that mix is hybrid.

Match the scenario to the deployment model

Map the scenario to its model: no up-front cost plus quick scale-up points to public cloud; complete control with data not collocated and strict requirements points to private cloud; keeping some workloads on-premises or private while using public cloud points to hybrid. Multiple public providers at once is multicloud.

Trap Confusing hybrid with multicloud, where hybrid mixes public with private or on-premises and multicloud uses two or more public providers.

3 questions test this
CapEx is an up-front hardware purchase

Capital expenditure (CapEx) is up-front spending on physical infrastructure (servers, network hardware, datacenter space) that is depreciated over years. It is the traditional on-premises model and forces capacity planning that risks over- or under-provisioning.

Trap Classifying pay-as-you-go cloud spending as CapEx, when CapEx is up-front depreciated hardware and consumption billing is OpEx.

1 question tests this
OpEx is ongoing pay-as-you-go spending

Operational expenditure (OpEx) is ongoing spending on services as you consume them, with no physical asset to depreciate. Because you pay for cloud services as you use them, cloud computing is classified as an operating expense, not a capital one.

Trap Treating an up-front depreciated hardware purchase as OpEx, when that is CapEx and only consumed-as-you-go service spending is OpEx.

2 questions test this
Consumption-based billing means pay for what you use

Azure runs on a consumption-based, pay-as-you-go model: you pay only for the IT resources you use and release them, and stop paying, when you're done. This removes up-front hardware cost and the need to buy capacity that may sit idle, letting you scale out at peak and back in when demand drops.

21 questions test this
Reserved pricing rewards steady, predictable workloads

Azure Reservations commit to a one- or three-year term in exchange for a discount of up to 72% over pay-as-you-go, applied automatically to matching resources. They are the right pick for consistent, always-on base usage, not for bursty or short-lived workloads where consumption pricing fits better.

Trap Choosing reservations for bursty or short-lived workloads, when a one- or three-year commitment fits steady always-on usage and consumption pricing fits intermittent demand.

18 questions test this
Spot pricing uses reclaimable spare capacity

Azure Spot Virtual Machines run on Azure's unused capacity at a significant discount, but there is no SLA and Azure evicts them with only 30 seconds' notice whenever it needs the capacity back. They fit interruptible, fault-tolerant work (batch jobs, dev/test, large compute) not critical always-on services.

Trap Running a production always-on service on Spot to save money: a 30-second eviction with no SLA takes the node down whenever Azure reclaims capacity.

Serverless abstracts the servers away

Serverless computing has the platform provision, scale, and maintain the servers while you supply only code: you never deploy or patch the underlying infrastructure. Azure Functions is Azure's serverless compute service, letting you run code without managing the VMs it runs on.

12 questions test this
Serverless is event-driven and pay-per-execution

Serverless code runs in response to triggers (HTTP, timer, queue, blob change), scales automatically with the number of incoming events, and on the consumption plan bills only on executions, execution time, and memory used. When nothing runs you pay nothing for compute, making it ideal for spiky or intermittent workloads.

41 questions test this
Serverless is a poor fit for always-on workloads

Serverless suits short, stateless, intermittent tasks: on the Azure Functions consumption plan a function execution times out after a configurable maximum and idle instances incur cold starts. Long-running or always-on, latency-sensitive services are better on dedicated or premium (always-warm) compute that doesn't time out or cold-start.

Trap Reaching for the serverless consumption plan for a long-running, latency-sensitive service, when execution timeouts and cold starts make dedicated or premium compute the fit.

Reservations give a billing discount, up to 72%, applied per hour

Azure Reservations provide a billing discount of up to 72% over pay-as-you-go for a one- or three-year commitment, applied automatically to matching resources without changing their runtime state. A reservation covers only the compute capacity (additional software, Windows licensing, networking, and storage are billed separately), and the discount is applied on an hourly basis: any hour without a matching resource forfeits that hour's benefit.

Trap Assuming a reservation covers Windows licensing, networking, and storage too, when it discounts only the compute capacity and those are billed separately.

19 questions test this

Cloud Benefits

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

High availability means staying online through component failures

High availability (HA) keeps an application running and reachable with minimal downtime even when individual components fail, and the cloud achieves it with redundant infrastructure that removes single points of failure. On AZ-900 the fingerprint is "stay online," "survive an outage," or "no single point of failure." HA is about avoiding downtime, not about handling more load.

Trap Confusing high availability with scalability: both use multiple instances, but HA is about staying up, scalability is about having enough capacity.

4 questions test this
Availability zones give HA inside one region

Availability zones are separated groups of datacenters within a single region, each with independent power, cooling, and networking, so if one zone fails the others keep serving, typically within ~100 km of each other for low-latency replication. A resource is zone-resilient only once it spans two or more zones, and many Azure SLAs require a multi-zone deployment to reach their highest uptime tier. Use them for in-region HA; they do not protect against a full-region outage.

Trap Assuming a single availability zone is redundant: one zone is one logical group of datacenters, and zonal (single-zone) deployment carries no cross-zone protection.

7 questions test this
Scalability is having enough capacity for demand

Scalability is the ability to add or remove resources so capacity matches workload demand. It is distinct from high availability: scalability is about having enough capacity, HA is about staying online. A stem about handling more users or growing load points to scalability.

Trap Picking high availability when the stem is about growing load, since HA targets staying online through failures while scalability targets having enough capacity for demand.

2 questions test this
Scale up is vertical, scale out is horizontal

Scaling up (vertical) adds power to a single instance (moving a VM to a SKU with more CPU and RAM) and is capped by the largest hardware available, sometimes needing a restart. Scaling out (horizontal) adds more identical instances behind a load balancer and is the cloud-preferred path because it has no fixed ceiling. Shorthand: "bigger machine" = up, "more machines" = out.

Trap Confusing scaling up with scaling out, since up resizes a single instance vertically while out adds more identical instances horizontally.

20 questions test this
Elasticity is automatic, demand-driven scaling

Elasticity is scaling that happens automatically as load rises and falls, with no manual intervention, delivered through autoscale on services like Virtual Machine Scale Sets and the Web Apps feature of Azure App Service. Autoscale is horizontal only: it adds and removes instances, never resizes one, and triggers on metrics (CPU, queue length) or a schedule. The signal is "automatically handle spikes" or "scale in when traffic drops."

Trap Treating autoscale as vertical scaling: it scales out and in by instance count, it does not give a single machine more CPU or memory.

25 questions test this
Consumption pricing means you pay only for what you use

The consumption-based (pay-as-you-go) model charges you only for the resources you actually consume, with no upfront capital outlay, so elastic autoscaling lets you avoid provisioning (and paying) for a rare worst-case peak. This is the financial benefit that pairs with elasticity: capacity follows demand, and so does the bill.

Trap Treating consumption pricing as a capital expense, since pay-as-you-go is an operational expense (OpEx) with no upfront CapEx outlay.

12 questions test this
Reliability is recovering from failure, not just avoiding it

Reliability is a system's ability to be resilient (withstand faults), recoverable (restore within agreed targets after a disruption), and available, one of the five pillars of the Azure Well-Architected Framework. It is broader than HA: reliability also covers recovering through backup and regional failover after a failure, not only staying up. The five pillars are Reliability, Security, Cost Optimization, Operational Excellence, and Performance Efficiency.

Trap Equating reliability with high availability alone, when reliability also covers recovering through backup and failover after a disruption, not just avoiding downtime.

3 questions test this
Performance predictability uses autoscale and load balancing

Performance predictability keeps the user experience consistent as load changes, achieved with autoscale (add capacity on demand) and load balancing (spread traffic so no single instance is overwhelmed). The signal is "consistent response times during a traffic surge." It is the performance half of predictability, distinct from cost predictability.

Trap Answering cost predictability when the stem is about consistent response times under load, which is the performance half, not the spend-forecasting half.

Cost predictability uses the Pricing Calculator and Cost Management

Cost predictability is forecasting and tracking spend accurately, using the Pricing Calculator (a free, unauthenticated tool to estimate a planned deployment before anything is provisioned) and Microsoft Cost Management (track and analyze actual spend after deployment, with budgets and alerts). On-premises-vs-Azure TCO comparison now runs through the Azure Migrate business case feature. Signal: "estimate monthly cost before deploying" → Pricing Calculator; "forecast and track the bill" → Cost Management.

Trap Reaching for the Total Cost of Ownership (TCO) Calculator: Microsoft has retired the standalone TCO Calculator, and on-prem-vs-Azure cost analysis now lives in Azure Migrate.

2 questions test this
Predictability splits into performance and cost

AZ-900 tests predictability as two distinct halves: performance predictability (consistent experience under load) and cost predictability (forecastable, trackable spend). A single "predictability" answer can be wrong if the stem is actually about the other half: read whether it is about performance or spend before answering.

The cloud's security benefit is defense in depth

Defense in depth layers multiple overlapping protections (physical, identity, network, application, data) so breaching one layer does not compromise the whole system. As a cloud benefit it means you inherit Microsoft's continuously updated security investment across the lower layers rather than building every layer yourself.

The shared responsibility model splits security duties by deployment type

Under the shared responsibility model Microsoft always secures the physical hosts, network, and datacenters, while you always retain responsibility for your data, identities, accounts, and access management, regardless of whether the workload is IaaS, PaaS, or SaaS. Responsibility for the OS, network controls, and applications shifts toward Microsoft as you move IaaS → PaaS → SaaS. Cloud security is a benefit because Microsoft owns the layers you cannot.

Trap Assuming the cloud provider is responsible for securing your data and identities, when those always stay your responsibility across IaaS, PaaS, and SaaS.

3 questions test this
Defender for Cloud centralizes security posture and threat protection

Microsoft Defender for Cloud continuously assesses your posture and rolls it into a Secure Score that rises as you remediate its recommendations, and adds threat protection across Azure, hybrid, and multicloud resources. Its free Foundational CSPM tier covers Secure Score and recommendations; paid Defender plans add workload threat protection (CWPP). It is the centralized tooling that operationalizes the cloud's security benefit (formerly Azure Security Center).

Trap Confusing Defender for Cloud with Microsoft Sentinel, when Defender assesses posture and Secure Score while Sentinel is the cloud-native SIEM for security event analytics.

The governance benefit is enforcing standards at scale

Governance is applying organizational standards and staying compliant across many resources without manual, per-resource effort. The AZ-900 signal is "ensure every team follows company standards" or "deploy a compliant environment repeatedly": about standardizing and enforcing rules, not about protecting against attackers (that is security).

Trap Picking security when the stem is about enforcing company standards, since governance standardizes and enforces rules while security protects against attackers.

Azure Policy audits and enforces organizational rules

Azure Policy enforces organizational standards and assesses compliance at scale (for example "allow only approved regions" or "require a tag") evaluating resources against business rules and applying effects that audit (flag) or deny (block) non-compliant ones. It is the governance enforcement service the exam pairs with compliance and consistency scenarios. Group related policies into an initiative to assign them as one unit.

Trap Picking Azure RBAC for compliance: RBAC controls who can perform actions, while Azure Policy controls whether the resulting resource state is allowed.

Templates and IaC deploy compliant baselines repeatably

ARM templates (and Bicep) define infrastructure as code so a compliant configuration deploys identically every time, delivering governance by making standard setups reproducible. Azure Blueprints packaged policies, role assignments, and templates into a reusable environment baseline, but it is a Preview service deprecating July 11, 2026. Microsoft directs customers to Template Specs and Deployment Stacks, and Azure Policy is the current AZ-900 governance enforcement tool.

Trap Reaching for Azure Blueprints as the current governance tool, when it is a deprecating Preview service and Azure Policy is the present-day enforcement service.

10 questions test this
Security protects; governance standardizes

Security is about protecting resources (defense in depth, Defender for Cloud); governance is about standardizing and enforcing rules (Azure Policy). "Block deployments outside approved regions" is governance, not security: a common AZ-900 discriminator that hinges on whether the stem is about threat protection or about consistency/compliance.

Manageability splits into 'of' and 'in' the cloud

Manageability has two halves the exam distinguishes: management of the cloud (the platform manages itself for you: autoscale, automatic provisioning, self-healing, monitoring) and management in the cloud (the tools you use to configure and operate resources). Read which side a stem is testing before choosing.

Management OF the cloud is the platform working for you

Management of the cloud is the platform doing work automatically on your behalf: autoscale, automatic resource provisioning, self-healing (automatic recovery of unhealthy resources), and continuous monitoring of resource health. You get the benefit without performing the work: it is the automated, platform-side half of manageability.

Trap Confusing management of the cloud with management in the cloud, since 'of' is the platform acting automatically for you while 'in' is the tools you operate yourself.

1 question tests this
Management IN the cloud spans portal, CLI, PowerShell, and IaC

Management in the cloud is the toolset you use to operate resources: the Azure portal (graphical web UI) for ad-hoc work, Azure CLI and Azure PowerShell for command-line scripting and automation, the Azure mobile app, and ARM/Bicep templates for repeatable infrastructure as code. Match the tool to the job: portal for one-off changes, CLI/PowerShell for automation, templates for reproducible deployments.

Trap Treating autoscale or self-healing as management in the cloud, when those are management of the cloud and 'in' is the tooling you operate yourself.

Cost predictability is not the same as cost savings

Cost predictability is forecasting and tracking spend reliably; it is distinct from the cost savings benefit (the CapEx-to-OpEx shift and pay-as-you-go pricing). Match "forecast the bill" or "track where spend goes" to the cost tools, not to a generic "the cloud is cheaper" claim.

Trap Choosing cost savings when the stem is about forecasting and tracking spend, since that is cost predictability rather than the CapEx-to-OpEx savings benefit.

Availability and scalability are distinct benefits

Because both often use multiple instances, AZ-900 offers high availability and scalability as competing answers. Anchor on the goal: staying up through a failure = availability; having enough capacity for demand = scalability. Good designs combine them, but the exam tests them as separate benefits.

Scale sets build every VM from one base image

Virtual Machine Scale Sets create all instances from the same base OS image and configuration, eliminating configuration drift and letting you manage hundreds of identical VMs without per-machine setup. They are also the foundation for autoscale, illustrating the manageability benefit of treating many machines as one managed pool.

6 questions test this
ARM deploys independent resources in parallel

Azure Resource Manager orchestrates a template by deploying resources that have no dependencies in parallel while still creating interdependent resources in the correct order. This parallel orchestration finishes multi-resource deployments faster than running serial, imperative commands, and you trigger it with a single command.

5 questions test this
ARM templates are declarative, version-controlled IaC

ARM templates use declarative syntax: you state the desired end state of your resources and Azure works out how to reach it, instead of writing step-by-step commands. Because the template is code (a JSON file), teams store it in source control to version, review, and roll back infrastructure changes like application code.

Trap Calling ARM templates imperative, when declarative syntax states the desired end state rather than the step-by-step commands to reach it.

13 questions test this
ARM templates are idempotent

ARM templates are idempotent: deploying the same template repeatedly yields the same resource types in the same state. If a resource with the specified properties already exists, no change is made. This gives repeatable, consistent results, so identical infrastructure can be reproduced across dev, test, and production from one template.

7 questions test this
ARM templates integrate with CI/CD pipelines

ARM templates plug into continuous integration and continuous deployment tools such as Azure Pipelines and GitHub Actions, automating release pipelines for fast, reliable infrastructure updates. This supports the agility benefit: responding quickly to changing requirements by shipping infrastructure changes through the same automated pipeline as code.

6 questions test this
Azure Backup recovers data from the cloud

Azure Backup backs up Azure VMs, files, Azure Files, databases, and on-premises workloads into a Recovery Services vault, guarding against accidental deletion, corruption, and ransomware. It runs at cloud scale with no on-premises backup infrastructure to maintain, automatically managing backup storage on a pay-as-you-use model. It is the recovery side of reliability: restoring data, distinct from availability's goal of avoiding downtime.

Trap Confusing Azure Backup with Azure Site Recovery, when Backup restores data from a vault and Site Recovery replicates and fails over workloads to keep them running.

5 questions test this
Geo-redundant storage copies data to a far-away paired region

Geo-redundant storage (GRS) first replicates data within the primary region, then copies it asynchronously to a secondary paired region hundreds of miles away, protecting against a full regional outage or disaster. GRS is the default and recommended option for a Recovery Services vault. Choose it when data must survive the loss of an entire region; contrast with LRS (one datacenter) and ZRS (across zones in one region).

Trap Relying on locally redundant storage (LRS) for disaster recovery. LRS keeps all copies in a single datacenter and won't survive a regional outage.

6 questions test this
Cost Management analyzes spend at no separate charge

Microsoft Cost Management is a native suite of FinOps tools to analyze, monitor, and optimize Azure spend, available to anyone with billing, subscription, resource-group, or management-group access at no additional charge to use the tooling itself. Its Cost analysis breaks spend down by service, location, subscription, resource group, or tag so you can see exactly where costs originated, and it supports budgets and cost alerts.

Trap Reaching for the Pricing Calculator to track actual spend, when that tool only estimates planned cost before deployment and Cost Management analyzes spend after deployment.

7 questions test this

Cloud Service Types

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Cloud services come in three types: IaaS, PaaS, SaaS

Cloud offerings fall into three service models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)) distinguished by how much of the stack the provider manages versus you. IaaS is essentially renting datacenter hardware, PaaS adds a managed runtime platform on top, and SaaS is a finished application you simply use.

1 question tests this
Control drops, convenience rises moving IaaS to SaaS

Across IaaSPaaSSaaS you trade control for convenience: IaaS is the most flexible with maximum control and the largest operational responsibility, while SaaS is the least flexible but easiest to stand up and needs the least technical expertise. PaaS sits in the middle, splitting duties roughly evenly between you and the provider.

Trap Assuming SaaS gives the most control because the provider manages the most, when in fact SaaS gives the customer the least control and IaaS the most.

6 questions test this
IaaS: provider runs the hardware, you run the OS upward

Under IaaS the provider maintains only the physical hardware, internet connectivity, and physical security; you own everything else: operating-system install/config/patching, network configuration, and database/storage setup. You're essentially renting cloud hardware and what you do on it is up to you, which is why IaaS carries the heaviest operational load.

Trap Assuming the provider patches the guest operating system under IaaS, when OS install, configuration, and patching stay with the customer.

67 questions test this
PaaS: provider also runs the OS, middleware, and runtime

Under PaaS the provider maintains the physical infrastructure plus the operating systems, middleware, development tools, and managed runtimes, so you never handle OS or database licensing and patching. You focus only on your application code, data, and access controls: a complete development platform without maintaining the underlying infrastructure.

Trap Treating OS and runtime patching as the customer's job under PaaS, when the provider owns the operating system, middleware, and runtime there.

72 questions test this
SaaS: provider runs almost the whole stack

Under SaaS the provider manages almost the entire stack (infrastructure, platform, and the application itself, including updates and patching) giving customers the lowest operational overhead. You manage only your data, identity and access settings, and which devices may connect; you're essentially using a fully developed application.

Trap Assuming the customer has nothing to manage under SaaS, when the customer still owns their data, identities and access, and the devices allowed to connect.

9 questions test this
Azure Virtual Machines is the canonical IaaS example

Azure Virtual Machines and Azure Virtual Network are IaaS: you pick the VM image and size, then patch the guest OS and deploy your app yourself. This is the model for lift-and-shift migrations and for software with specific OS or driver dependencies that need operating-system-level control.

16 questions test this
App Service, SQL Database, and Functions are PaaS

Azure App Service (web apps and APIs), Azure SQL Database (managed relational database), and Azure Functions (serverless code) are PaaS: you supply code or schema and Microsoft handles the OS, runtime, patching, and scaling. App Service runs web apps "without worrying about managing the underlying infrastructure," and Functions runs your code without you deploying or maintaining servers.

Trap Classifying Azure App Service or Functions as IaaS because they run your code, when Microsoft owns the OS, runtime, and scaling, making them PaaS.

20 questions test this
Microsoft 365 and Dynamics 365 are SaaS

Microsoft 365 (email and productivity) and Dynamics 365 (CRM/ERP) are SaaS: fully developed applications you sign in to and consume over the internet, with no infrastructure or platform to maintain. Email, messaging, and finance/productivity apps are the classic SaaS scenarios.

2 questions test this
Choose IaaS for OS-level control or lift-and-shift

Pick IaaS when the scenario needs operating-system control, a lift-and-shift migration of existing servers with minimal change, or rapid spin-up/tear-down of dev-and-test environments while keeping full control. It's also the fit for software with specific OS or driver dependencies that a managed platform can't accommodate.

Trap Reaching for PaaS for a lift-and-shift migration of existing servers, when minimal-change migration and OS-level control point to IaaS.

19 questions test this
Choose PaaS to ship code without managing servers

Pick PaaS when developers want to build and deploy custom applications without patching, scaling, or otherwise managing the underlying servers: the provider supplies the development framework, and cloud features like scalability and high availability come built in. Analytics and business-intelligence tooling delivered as a service is the other classic PaaS use case.

Trap Picking IaaS when developers want to deploy custom code without managing servers, when avoiding server management points to PaaS.

25 questions test this
Choose SaaS for ready-to-use, off-the-shelf software

Pick SaaS when a finished, subscription-based product (email, CRM, office productivity) already meets the need and you want the fastest time to value with the least technical effort. There's nothing to build or maintain; you just sign in and use it.

Trap Reaching for PaaS to build an application when a finished off-the-shelf product like email or CRM already meets the need, which is the SaaS case.

5 questions test this
Service type sets where the shared-responsibility line falls

The shared responsibility model divides duties between customer and provider, and the dividing line shifts with the service type: IaaS places the most on you, SaaS the most on the provider, and PaaS distributes them roughly evenly. Identifying the service type in a question is what tells you who owns a given task.

3 questions test this
Data, identities, and devices are always the customer's

Regardless of IaaS, PaaS, or SaaS, the customer always owns the information and data stored in the cloud, the accounts and identities, and the devices allowed to connect. The provider always owns the physical datacenter, physical network, and physical hosts; only the layers in between shift by service type.

Trap Assuming the provider owns your data and identities under SaaS because it runs the application, when data, identities, and devices stay the customer's at every service type.

4 questions test this
OS patching ownership flips between IaaS and PaaS

OS patching ownership depends on the service type: in IaaS the customer patches the guest operating system, while in PaaS Microsoft handles OS (and database) patching and licensing. The identical task therefore has a different owner depending on which service type the question names.

Trap Assuming the provider patches the guest OS in IaaS the same way it does in PaaS, when OS patching is the customer's job under IaaS.

42 questions test this
Map the stem verb to the service type

Map the action in the question stem to the service type: "manage/control the OS" points to IaaS, "just deploy code" or "no servers to manage" points to PaaS, and "use ready-made software" points to SaaS. The verb describing how much the team wants to manage is the fastest tell.

2 questions test this
"No server management" rules out IaaS as the answer

When a scenario explicitly says the team does NOT want to manage servers, the OS, or patching, IaaS is the tempting wrong answer because it's the most familiar model, but the correct choice is PaaS (deploy your own code) or SaaS (use off-the-shelf software). IaaS always keeps OS management with the customer.

Trap Choosing IaaS when the scenario says the team does not want to manage servers or the OS, when avoiding that management rules IaaS out in favor of PaaS or SaaS.

3 questions test this
Azure SQL Database is PaaS, not IaaS

Azure SQL Database is a fully managed relational database-as-a-service in the PaaS category: Microsoft owns the host, patching, upgrades, and built-in high availability. That's distinct from running SQL Server yourself on an IaaS VM (SQL Server on Azure VMs), where you keep OS-level access and manage updates and HA.

Trap Treating Azure SQL Database as IaaS because it's a database: it's a managed PaaS service; only SQL Server installed on a VM is IaaS.

31 questions test this

Azure Architecture & Services

Core Architecture

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Azure's physical footprint nests four levels

Azure's physical infrastructure nests as geography > region > availability zone > datacenter: a geography holds regions, a region holds availability zones, and a zone is one or more datacenters. You never touch a datacenter directly: you deploy into a region, and Azure groups the underlying datacenters into regions and zones for you.

Trap Inverting the nesting order so a region is treated as containing geographies rather than the geography containing regions.

A region is what you pick at deployment time

A region is a geographical area holding one or more datacenters that are nearby and networked together over a low-latency network, and it's the unit you choose when you deploy most resources. That choice drives latency, which services and VM sizes are available, price, and where data lives, though a few global services (Microsoft Entra ID, Traffic Manager, Azure DNS) need no region.

Trap Confusing a region with an availability zone as the thing you select at deployment, when the region is the unit you pick and zones sit inside it.

A geography is a data-residency / compliance boundary

A geography is a discrete market, typically a country, that contains two or more regions and exists to keep data inside a legal jurisdiction. Paired regions keep data within the same geography for residency and compliance, so a requirement like "data must stay within Germany" is a geography/region decision, not a zone one.

Trap Treating a data-residency requirement as an availability-zone choice when it is a geography/region decision.

3 questions test this
A datacenter is the physical building of hardware

A datacenter is the physical facility of server racks with dedicated power, cooling, and networking that Microsoft owns and operates: the bottom layer where resources actually run. You never deploy to a datacenter directly; Azure groups datacenters into regions and availability zones, and those are what you target.

An enabled region has at least three availability zones

A zone-enabled region contains a minimum of three separate availability zones, each a physically separate location with independent power, cooling, and networking connected by high-speed private fiber. The three-zone floor exists so a region can survive a full zone outage and still keep a quorum running.

2 questions test this
Availability zones give high availability within one region

Availability zones protect against the failure of a single datacenter or zone: replicate a workload across zones in the same region and it keeps running if one zone goes down. A requirement like "survive a datacenter failure" points to availability zones (staying inside one region) not to region pairs, which address losing the whole region.

Trap Reaching for a region pair when the requirement is in-region datacenter resilience: that over-provisions for a different (whole-region) failure.

2 questions test this
Zonal pins to one zone; zone-redundant spreads across zones

Zonal services are pinned to a single availability zone you select (for example a Virtual Machine, managed disk, or public IP in zone 2), so you own spreading copies across zones for resilience. Zone-redundant services replicate across the region's zones automatically (for example zone-redundant storage or Azure SQL Database), and the platform handles the failover.

Trap Assuming a single zonal resource is zone-resilient: a lone zonal deployment dies with its zone unless you place instances in multiple zones yourself.

Not every region has availability zones

Availability zones exist only in zone-enabled regions, so zone-redundant deployment isn't possible everywhere. Before designing for in-region HA, confirm the region supports zones (or choose one that does); a region without zones falls back to region pairs and geo-redundant storage for resilience.

Trap Assuming every Azure region offers availability zones, when zones exist only in zone-enabled regions.

A region pair is two regions in the same geography, 300+ miles apart

A region pair links two regions within the same geography at least 300 miles (~480 km) apart, so one natural disaster, outage, or civil disruption is unlikely to hit both. Region pairs are the basis for cross-region disaster recovery: examples are West US/East US and Southeast Asia/East Asia.

Trap Assuming a region's pair sits in a different geography, when both regions of a pair stay within the same geography.

5 questions test this
Region pairs get sequential updates and recovery priority

Azure rolls planned platform updates to only one region of a pair at a time, so an update can't take down both halves at once. During a broad outage Azure also prioritizes restoring at least one region of every pair, but note that not all services auto-replicate or auto-fail-over across the pair, so the customer often must configure replication.

Trap Assuming every service automatically replicates and fails over across a region pair: many require you to configure cross-region replication yourself.

12 questions test this
Zones = HA within a region; region pairs = DR across regions

Availability zones give high availability against a single datacenter or zone failure while staying inside one region; region pairs give disaster recovery against losing an entire region. Match the failure scope to the answer: in-region resilience is zones, whole-region loss is region pairs.

Trap Picking region pairs for an in-region high-availability requirement, or zones for whole-region disaster recovery, matching the failure scope to the wrong construct.

1 question tests this
Sovereign regions are isolated for government / residency

Sovereign regions are instances of Azure physically and logically isolated from the main public cloud for strict government or national data-residency rules. The named clouds are Azure Government (US Gov / US DoD regions, run by screened US personnel) and Azure operated by 21Vianet (China regions). Reach for these only when data legally cannot touch the public cloud.

Trap Reaching for a sovereign cloud for ordinary data-residency needs, when a standard geography/region already keeps data in-country and sovereign clouds are only for strict government or legal isolation.

8 questions test this
Azure Government and 21Vianet are the named sovereign clouds

Azure Government serves US government agencies and partners through network-isolated regions (US Gov Virginia, US Gov Arizona, US DoD Central) operated by screened US staff with extra compliance certifications. Azure operated by 21Vianet runs China regions via a Microsoft–21Vianet partnership where Microsoft doesn't directly run the datacenters, satisfying Chinese law. Pick these when data must never leave the jurisdiction.

11 questions test this
A resource lives in exactly one resource group

A resource group is a logical container for related resources, and every resource belongs to exactly one resource group at a time. You can move a resource to another group, but it can never live in two; resource groups also can't be nested or renamed after creation, so choose a naming convention up front.

Trap Assuming resource groups can be nested inside one another, when a resource group cannot contain another resource group.

3 questions test this
Deleting a resource group deletes every resource in it

Actions on a resource group cascade to everything inside it, so deleting the group deletes all its resources at once: handy for tearing down a temporary or per-project environment cleanly. The corollary is to group resources that share a lifecycle, since they get deployed, updated, and deleted together.

Trap Putting a long-lived shared resource in a throwaway resource group: deleting the group to clean up takes the shared resource down with it.

7 questions test this
Resources in one group can span regions

A resource group is a logical, not regional, boundary: it can hold resources located in several different regions. The group itself still has a location, but only to store its own metadata (control-plane data). Microsoft recommends matching it to the resources' region, though it doesn't constrain where the resources run.

Trap Treating a resource group's location as the region its resources run in: the group location only sets where the group's metadata is stored.

2 questions test this
A subscription is the billing and access boundary

A subscription is a logical container for resource groups and the unit of billing, access control, and scale: Azure issues a separate invoice per subscription and applies access-management policies at the subscription level. Organizations spin up multiple subscriptions to separate environments (dev/test/prod), teams, or billing, since each gives its own cost report and access rules.

Trap Treating the resource group as the billing boundary, when invoices and quotas are scoped to the subscription.

7 questions test this
A management group groups subscriptions for governance

A management group sits above subscriptions and lets you apply Azure Policy and RBAC role assignments to many subscriptions at once, with all subscriptions inheriting those conditions. Management groups can nest, all under a single root group per directory, so you can mirror an org structure for unified policy and access.

Trap Confusing a management group with a subscription as the level for cross-subscription governance, when the management group sits above subscriptions and they inherit its policies.

6 questions test this
The hierarchy: management group > subscription > resource group > resource

Azure has four management scope levels: resources live in a resource group, resource groups live in a subscription, and subscriptions roll up under management groups. This four-level hierarchy is the structure for governance: the level you assign a policy or role at determines how widely it applies.

Trap Misordering the scope levels, for example placing subscriptions inside resource groups instead of resource groups inside subscriptions.

Policy and RBAC inherit downward, never upward

An Azure Policy or RBAC role assignment made at a higher scope is automatically inherited by everything beneath it: a policy on a management group flows down to its subscriptions, resource groups, and resources. Inheritance only flows down: a sibling scope or a parent is never affected by an assignment made below it.

Trap Assuming an assignment made at a low scope bubbles up to affect a parent or sibling scope, when inheritance only flows downward.

9 questions test this
Apply broad governance high, narrow exceptions low

Because assignments inherit downward, place organization-wide policy and roles at the management group or subscription scope so they cover everything below, and put narrow exceptions at the resource group or resource scope. A policy set high (e.g. allowed VM regions on a management group) can't be overridden by a resource owner below it, which is what makes it enforceable governance.

Trap Assuming a resource owner can override an organization-wide policy set at the management group scope, when a higher-scope assignment cannot be loosened from below.

1 question tests this
A resource group is not a billing boundary

Billing and access policies are scoped to the subscription, not the resource group; a resource group's costs simply roll up to its parent subscription. To truly separate spend (or quotas) between workloads, use different subscriptions: splitting resources into different resource groups within one subscription doesn't separate the bill.

Trap Using separate resource groups to split billing: invoices are per-subscription, so same-subscription resource groups land on one bill.

3 questions test this
Azure Resource Manager is the single management control plane

Azure Resource Manager (ARM) is the deployment and management service that receives every request from the portal, CLI, PowerShell, REST APIs, and SDKs through one consistent API, so you get the same results and capabilities whichever tool you use. After deployment ARM applies access control (RBAC), resource locks, and tags, and its declarative templates honor defined dependencies to deploy resources in the correct order for repeatable results.

Trap Assuming a resource created through one tool such as the portal behaves differently from one created via CLI or PowerShell, when every request goes through Azure Resource Manager for consistent results.

5 questions test this
New subscriptions land under the root management group

Every directory has a single built-in root management group (the Tenant Root Group) at the top, and all management groups and subscriptions fold up into it. A newly created subscription is placed under this root group by default (you can configure a different default target), and the root group itself can never be moved or deleted.

5 questions test this
A subscription or management group has exactly one parent

Each subscription and each management group can have only one parent management group at a time, which keeps governance inheritance predictable: you can move a subscription between groups but never have it in two at once. A management group tree can be up to six levels deep, not counting the root level or the subscription level.

Trap Assuming a subscription can sit under two management groups at once, when each subscription has exactly one parent management group.

5 questions test this

Compute & Networking

Read full chapter
  • VMs, containers, and functions are the three compute types
  • Azure Virtual Machines give full OS control (IaaS)
  • Containers share the host kernel and are lightweight
  • ACI runs a single container serverlessly
  • AKS orchestrates many containers (managed Kubernetes)
  • Azure Container Apps is serverless containers with autoscale
  • Azure Functions is serverless, event-driven, pay-per-execution
  • Availability sets use fault and update domains
  • Availability zones survive a whole-datacenter outage
  • Availability set vs zone differ by blast radius
  • Scale Sets = identical, load-balanced, autoscaling VMs
  • Azure Virtual Desktop delivers cloud VDI
  • A VM needs disks, a NIC, a VNet/subnet, and an NSG
  • Azure App Service is PaaS for web apps and APIs
  • Apps can run on VMs, containers, or App Service
  • A VNet is your private isolated network in Azure
  • Subnets segment a VNet for organization and security
  • VNet peering connects VNets over the Microsoft backbone
  • Azure DNS hosts and resolves domain names
  • VPN Gateway encrypts traffic over the public internet
  • ExpressRoute is a private link that bypasses the internet
  • VPN Gateway vs ExpressRoute: internet vs private
  • Public endpoint is internet-reachable; private endpoint is not
  • Private endpoint keeps PaaS traffic on the Microsoft backbone
  • Azure manages the AKS control plane (free tier, or paid Standard for an SLA)
  • VM size families match workload shape
  • Availability sets give 99.95%, zones give 99.99%
  • Apps in one App Service plan share the same VM instances
  • Deployment slots enable zero-downtime swaps at no extra cost
  • NSGs filter traffic at the subnet or NIC level
  • Azure Firewall is a managed, stateful firewall with FQDN and threat-intel filtering
  • Azure DDoS Protection guards layers 3 and 4
  • VPN Gateway offers site-to-site and point-to-site connections over IPsec/IKE
  • A site-to-site VPN can back up ExpressRoute

Unlock with Premium — includes all practice exams and the complete study guide.

Storage Services

Read full chapter
  • A storage account is the container for all four data services
  • Choose general-purpose v2 as the default storage account type
  • Blob Storage is object storage for unstructured data
  • Azure Files gives fully managed SMB/NFS shares you can mount anywhere
  • Queue Storage decouples components for async messaging
  • Table Storage is a schemaless NoSQL key-value store
  • Managed disks are block storage for VMs, managed by Azure
  • Blob Storage has four access tiers from Hot to Archive
  • Use the Hot tier for frequently accessed data
  • Cooler tiers carry rising minimum-retention windows: 30/90/180 days
  • Archive is offline storage that must be rehydrated before reading
  • LRS keeps three copies in one datacenter: cheapest, no DR
  • ZRS spreads copies across availability zones in one region
  • LRS and ZRS are both single-region: no geo protection
  • GRS = LRS plus an async copy to the paired region
  • GZRS combines ZRS in-region with geo-replication
  • Only the RA- variants let you read the secondary before failover
  • Geo-replication is asynchronous, so a regional failure can lose recent writes
  • AzCopy is the command-line tool for scripted bulk transfer
  • Storage Explorer is the free cross-platform desktop GUI
  • Azure File Sync caches an Azure file share on local servers
  • Azure Data Box ships a physical appliance for offline bulk transfer
  • Azure Migrate is the central hub to discover, assess, and migrate
  • AzCopy for online transfers, Data Box for offline shipment
  • Managed disk types range from Ultra (fastest) to Standard HDD (cheapest)
  • Lifecycle management automates tier transitions and deletion
  • Queue messages are up to 64 KB, reached over HTTP/HTTPS

Unlock with Premium — includes all practice exams and the complete study guide.

Identity, Access & Security

Read full chapter
  • Microsoft Entra ID is Azure's cloud identity and access service
  • Azure AD is now Microsoft Entra ID: same product, new name
  • Entra ID is not a cloud version of Active Directory
  • Entra Domain Services gives you a managed domain with no DCs to run
  • Need legacy domain features for a lift-and-shift VM? Use Entra Domain Services
  • Authentication proves who you are; authorization decides what you may do
  • Single sign-on means authenticate once, reach many apps
  • MFA needs two or more factors from different categories
  • Two factors from the same category is not MFA
  • Passwordless replaces the password with a stronger factor
  • B2B collaboration invites partners in as guests on their own credentials
  • Keep customer identities out of your employee directory
  • Conditional Access turns sign-in signals into an access decision
  • Conditional Access lets you demand MFA only when risk warrants it
  • An RBAC role assignment is principal + role definition + scope
  • Know the four fundamental built-in roles: Owner, Contributor, Reader, UAA
  • Only Owner and User Access Administrator can hand out roles
  • RBAC scope inherits down the resource hierarchy
  • RBAC is additive, so assign least privilege at the narrowest scope
  • Zero Trust: verify explicitly, least privilege, assume breach
  • Defense-in-depth stacks independent layers so one failure isn't a breach
  • Data is the innermost defense-in-depth layer
  • Defender for Cloud does posture management plus workload protection
  • Secure Score summarizes your posture and rises as you remediate
  • Defender for Cloud covers Azure, hybrid, and other clouds
  • Conditional Access needs P1, and every matching policy must be satisfied

Unlock with Premium — includes all practice exams and the complete study guide.

Azure Management & Governance

Cost Management

Read full chapter
  • Resource type, its settings, and region set the per-unit price
  • Usage drives cost because billing is pay-as-you-go
  • Region is a cost choice: the same workload prices differently by geography
  • Inbound data is generally free; outbound (egress) is billed by zone
  • Reserve capacity for steady, predictable workloads
  • Azure Hybrid Benefit reuses on-prem Windows/SQL licenses to pay only base compute
  • Run interruption-tolerant work on Spot VMs at a deep discount
  • Right-sizing and autoscale cut waste
  • Pricing Calculator estimates a planned Azure config before deploy
  • TCO compares on-premises vs Azure cost to justify migration
  • Calculators estimate before deploy; Cost Management tracks after
  • Cost Management lives under Cost Management + Billing
  • Cost analysis breaks spend down by scope, service, and tag
  • Budgets alert on spend; they do not stop it
  • A tag is a name/value pair of metadata
  • Tags organize resources for cost reporting
  • Tags are not inherited by default
  • Azure Policy can require, append, or inherit tags
  • Planning tools estimate; they never show actual spend
  • Forecasted budget alerts warn before you exceed the budget
  • Attach an action group to a budget to automate a response
  • Budgets scope to subscription, resource group, or management group; reset is monthly/quarterly/annual

Unlock with Premium — includes all practice exams and the complete study guide.

Governance & Compliance

Read full chapter
  • Match the governance scenario to Purview, Azure Policy, or resource locks
  • Use Microsoft Purview to govern the data itself, across clouds
  • Purview builds a Data Map and a searchable catalog of assets
  • Purview adds automatic classification and end-to-end data lineage
  • Use Azure Policy to enforce standards and assess compliance at scale
  • A policy definition is a single configuration rule
  • Bundle related policies into an initiative for one assignment
  • The policy effect decides what happens to a non-compliant resource
  • Azure Policy reports compliance on an aggregated dashboard
  • Azure Policy can auto-remediate existing non-compliant resources
  • Azure Policy governs configuration; Azure RBAC governs who can act
  • Apply a resource lock to prevent accidental delete or change
  • CanNotDelete allows read and modify but blocks deletion
  • ReadOnly allows only reads: no modify, no delete
  • Locks apply at subscription, RG, or resource scope and are inherited
  • A lock blocks even a Subscription Owner until it's removed
  • Choose CanNotDelete, not ReadOnly, when edits must stay allowed
  • Owner can assign roles, Contributor can't, Reader is view-only
  • RBAC is additive, so the most permissive assignment wins
  • Create a custom role when no built-in role fits
  • A role assignment = security principal + role definition + scope
  • Compliance Manager scores your posture by completed improvement actions

Unlock with Premium — includes all practice exams and the complete study guide.

Resource Management Tools

Read full chapter
  • ARM is Azure's deployment and management layer, not a tool you click
  • Every management request flows through ARM, so results are identical
  • ARM authenticates and authorizes every request before acting
  • The Azure portal is the web-based graphical console for Azure
  • Reach for the portal for one-off, interactive tasks and dashboards
  • Azure Cloud Shell is a browser shell that's already signed in
  • Cloud Shell lets you pick Bash (Azure CLI) or PowerShell
  • Azure CLI uses cross-platform Bash-style az commands
  • Azure PowerShell manages Azure with verb-noun cmdlets
  • CLI vs PowerShell is mostly a matter of preferred syntax
  • CLI and PowerShell are the imperative, scriptable approach
  • Infrastructure as Code defines infrastructure in versioned config files
  • IaC keeps deployments in a consistent, drift-free state
  • An ARM template is a declarative JSON file of desired state
  • ARM template deployments are idempotent, so re-running is safe
  • Bicep is a cleaner DSL that compiles down to ARM JSON
  • Azure Arc extends Azure management to resources outside Azure
  • Arc projects non-Azure resources into ARM to manage them as native
  • Arc-enabled resources accept Azure governance like native ones
  • Resources already in Azure don't need Arc
  • The tools differ by interaction model, but ARM is the shared layer
  • For repeatable, consistent deployments, choose IaC over the portal
  • Distinguish ARM the layer from an ARM template

Unlock with Premium — includes all practice exams and the complete study guide.

Monitoring Tools

Read full chapter
  • Match the monitoring tool to the question it answers
  • Use Azure Advisor for personalized best-practice recommendations
  • Azure Advisor itself is free
  • Advisor has exactly five recommendation categories
  • Advisor's security recommendations come from Microsoft Defender for Cloud
  • Advisor recommends resizing VMs, enabling resilience, and cutting waste
  • Azure Service Health reports Azure-side issues affecting your subscription
  • Service Health covers service issues, planned maintenance, and health advisories
  • Service Health is personalized; the Azure Status page is global
  • Azure Resource Health drills down to one specific resource
  • Azure Monitor is the umbrella platform for your own telemetry
  • Metrics are numeric points over time; logs are queryable event records
  • Log Analytics queries Azure Monitor log data with KQL in a workspace
  • Log Analytics is part of Azure Monitor, not a separate product
  • Azure Monitor alerts proactively notify you when a condition is met
  • Alerts notify and can trigger automation, but don't self-heal by default
  • Application Insights is the APM feature for live applications
  • Web-app performance, availability, usage, or exceptions points to Application Insights
  • "Optimize" or "best practices" maps to Azure Advisor
  • "Outage" or "maintenance" maps to Azure Service Health
  • "Metrics," "logs," or "alerts" maps to Azure Monitor
  • Advisor Score is one percentage across the five WAF-aligned categories
  • Postpone or dismiss an Advisor recommendation to drop it from the score
  • An action group defines who is notified and what runs when an alert fires
  • Smart Detection flags anomalies automatically with no thresholds to set
  • Live Metrics streams real-time activity but retains nothing
  • Azure Service Health is three views: Azure Status, Service Health, Resource Health

Unlock with Premium — includes all practice exams and the complete study guide.