Last-Minute Review
The most-tested facts across AZ-900 — read this the morning of your exam
Domain 1 — Cloud Concepts
CapEx vs OpEx — On-prem = capital expenditure (upfront). Cloud = operational expenditure (pay-as-you-go). AZ-900 loves this distinction.
Consumption-based model — You pay only for the resources you use. No upfront cost, no wasted idle capacity.
High availability — Uptime guarantee expressed as an SLA percentage (e.g. 99.9%). Azure achieves this through redundancy and geo-replication.
Scalability vs Elasticity — Scalability = ability to grow. Elasticity = automatically scaling up AND down in response to demand.
IaaS / PaaS / SaaS — IaaS: you manage OS and up. PaaS: you manage app and data only. SaaS: you just use the software (e.g. Microsoft 365).
Shared responsibility — The cloud provider always owns physical security. Identity and data always remain the customer's responsibility regardless of model.
Public vs Private vs Hybrid cloud — Public = hosted by provider, open to all. Private = dedicated to one org. Hybrid = both connected together.
Domain 2 — Azure Architecture & Services
Regions and Availability Zones — A region is a geographic area with multiple datacenters. Availability Zones are physically separate buildings within a region (min. 3 per region).
Region Pairs — Azure pairs regions within the same geography for disaster recovery. Updates are rolled out to one region in a pair at a time.
Azure Resource Manager (ARM) — Every action in Azure goes through ARM. It's the management layer that authenticates and routes all requests.
Azure Virtual Machines vs Azure App Service — VMs = IaaS (you control the OS). App Service = PaaS (you only deploy your app code).
Azure Blob Storage tiers — Hot (frequent access) → Cool (infrequent, 30-day min) → Cold (rare access, 90-day min) → Archive (offline, 180-day min). Lower tiers = cheaper storage, higher retrieval cost.
Azure Entra ID vs Active Directory — Entra ID is cloud identity (OAuth 2.0/OIDC). On-prem AD uses Kerberos/LDAP. They are different products — Entra ID is NOT AD in the cloud.
Azure Defender for Cloud — Provides security posture management (CSPM) and workload protection (CWPP). Shows a Secure Score based on recommendations.
Domain 3 — Azure Management & Governance
Azure Policy — Enforces organizational standards and assesses compliance. Can audit, deny, or auto-remediate non-compliant resources.
Management hierarchy — Management Groups > Subscriptions > Resource Groups > Resources. Policies applied at a Management Group flow down to everything beneath it.
Azure Cost Management — Free tool for analyzing spend, setting budgets, and creating alerts. Use cost analysis to see breakdowns by service, resource, or tag.
Azure Monitor vs Azure Advisor — Monitor = collects metrics and logs, sets alerts. Advisor = gives personalized best-practice recommendations across cost, security, reliability, performance, and operational excellence.
Azure Service Health — Three components: Azure Status (global outages), Service Health (your subscription's services), Resource Health (individual resources).
Tags — Key-value pairs applied to resources for billing, governance, and automation. Tags are NOT inherited by resources inside resource groups by default.
Microsoft Purview — Unified data governance platform. Key use: classifying and governing data across your entire estate. Not just a compliance tool.