Microsoft study guide

How to pass Microsoft Azure Fundamentals (AZ-900)

Microsoft Azure Fundamentals (AZ-900) tests whether you can describe how cloud computing works and what Azure offers, not whether you can build anything. It is the entry door to the Microsoft certification ladder, and it is deliberately broad and shallow: you are expected to recognise services, name the right tool for a stated need, and understand the concepts behind cost, governance, and the shared responsibility model. Almost nothing on the exam asks you to configure or deploy. It asks you to identify and to choose.

It suits people new to the cloud and to Azure: students, career changers, salespeople and project managers who work near technical teams, and developers or administrators who want a vendor-recognised baseline before moving on to the associate exams. There is no requirement to have used Azure, although a few hours clicking around the portal makes the service names stick far faster than reading about them.

What makes AZ-900 pass-or-fail is breadth of recognition under light time pressure. The traps are not deep technical edge cases; they are close-sounding services that do different jobs. Defender for Cloud versus Microsoft Entra ID, Azure Policy versus a resource lock, an availability zone versus a region, Log Analytics versus Azure Monitor. The exam rewards a candidate who can read a one-line need, ignore the plausible-but-wrong neighbours, and point at the single Azure service or concept built for it. Drilling that matching skill across all three domains is the whole game.

AZ-900 is a recognition exam: read a short need, then name the single Azure service or concept built for it while rejecting the close-sounding neighbours that do a different job.

Difficulty

Foundational

Best for

Cloud and Azure newcomers: students, career changers, and non-engineering staff who work alongside technical teams, plus developers and administrators who want a recognised Azure baseline before tackling the associate-level exams.

Prerequisites

None. No prior Azure or cloud experience is required. A few hours in the Azure portal creating a free-tier resource makes the service names stick far faster than reading alone, but nothing is enforced.

Questions: Typically 40 to 60 questions
Time allowed: 45 min
Pass mark: 700 / 1000
Exam cost (USD): $99
Practice questions: 245

How this exam thinks

AZ-900 frames almost every question as a short need and asks you to recognise the one Azure service or concept that meets it. The decision rule is matching, not building: read what the scenario must achieve, then pick the service whose definition fits exactly, and reject the close-sounding neighbour that does a related but different job. When a benefit word like scalability, availability, or cost predictability appears, map it to the precise definition rather than the one that merely sounds reassuring. When two services overlap, the discriminator is scope: who or what each one governs. Microsoft expects you to favour the managed, purpose-built Azure tool named for the task, so when one option is the service literally designed for the stated need, that is the answer.

What each domain tests and how to study it

The AZ-900 blueprint is split across 3 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.

  1. Describe Cloud Concepts

    29% of exam

    What you must be able to do. Describe cloud computing in plain terms: explain the shared responsibility model, tell IaaS, PaaS, and SaaS apart by who manages what, and match each named cloud benefit to its precise definition.

    In one sentence. The vocabulary domain: the shared responsibility model, the three service types, and the cloud benefits, each pinned to its exact meaning rather than a vague feel.

    Recall check: answer these from memory first
    • Under the shared responsibility model, which two things stay the customer's responsibility no matter whether you use IaaS, PaaS, or SaaS?
    • Define cost predictability and scalability in one line each, so you could not mistake one for the other on the exam.
    • Which service type gives you full control of the operating system, and which use case (test and development, ready-made apps, or building without servers) does it suit best?

    What it tests. The conceptual foundation the rest of the exam stands on. Describing cloud computing, including the shared responsibility model, the public, private, and hybrid cloud models, and the consumption-based pricing model where you pay only for what you use; describing the benefits of cloud services, including high availability, scalability (vertical and horizontal), reliability, security, manageability, and cost predictability; and describing the three cloud service types, IaaS, PaaS, and SaaS, with the use cases each suits and how much of the stack the customer keeps responsibility for under each.

    How to study it. Anchor everything to the shared responsibility model, because it drives the service-type questions. Learn the line that never moves: your data and your identities are always the customer's responsibility, on IaaS, PaaS, or SaaS alike. Then learn what shifts: with IaaS the customer keeps the operating system and everything above it, with SaaS the provider runs nearly all of it, and PaaS sits between. Drill the benefit words against their definitions so cost predictability, scalability, high availability, and reliability cannot be swapped for one another. For the service types, tie each to a use case: IaaS for full operating-system control and quick test environments, SaaS for ready-to-use applications, PaaS for building apps without managing servers.

    Easy to confuse

    • Scalability versus high availability. Scalability is adjusting the amount of resources to match current demand; high availability is keeping the service running with maximum uptime despite disruptions. One is about sizing to load, the other about staying up through failure.
    • IaaS versus PaaS. IaaS gives you the virtual machine and full operating-system control, so you patch and manage it; PaaS gives you a platform to build and run apps while the provider manages the operating system and servers. If the scenario needs OS control, it is IaaS.

    Worked example from the AZ-900 bank

    Free sample: Describe Cloud Concepts (easy)

    A new cloud customer wants to know which responsibility they retain no matter whether they adopt IaaS, PaaS, or SaaS. Which set always stays with the customer?

    • A. Their stored data and their accounts and identities (Correct)
    • B. The physical datacentre and the racks within it
    • C. The physical network that links the servers
    • D. The physical hosts that run the workloads

    Your data and your identities are always your responsibility in the cloud, whatever the service model.

    Why A is correct: Correct. Across the shared responsibility model, data or information stored in the cloud and the accounts and identities of people, services, and devices are listed as always the customer's, irrespective of whether the service is IaaS, PaaS, or SaaS, because only the customer can govern who and what they trust.

    Why B is wrong: The physical datacentre is real and tempting because the customer pays for capacity, but the model lists it as always the provider's responsibility, never the customer's.

    Why C is wrong: The physical network is a genuine shared-responsibility item, yet the model assigns the physical network to the provider in every service model, not the customer.

    Why D is wrong: Physical hosts feel customer-adjacent because workloads run on them, but the model places the physical hosts permanently with the provider regardless of service type.

  2. Describe Azure Architecture and Services

    36% of exam

    What you must be able to do. Identify Azure's core building blocks and the main compute, networking, storage, identity, and security services, matching each one to the need it serves rather than to a service that merely sounds similar.

    In one sentence. The heaviest domain: knowing the architectural hierarchy and naming the right compute, storage, identity, or security service for a stated need.

    Recall check: answer these from memory first
    • Put these in order from broadest to narrowest: resource, subscription, management group, resource group.
    • Distinguish a region, an availability zone, and a region pair in one line each.
    • Which service manages security posture and a secure score across Azure, on-premises, and other clouds, and which service handles identity and sign-in?

    What it tests. The bulk of the exam, recognising Azure's structure and services. The core architectural components, including regions, region pairs, availability zones, resources, resource groups, subscriptions, and management groups, and how they nest; compute and networking services such as virtual machines, containers, Azure Functions, virtual networks, and connectivity options; storage services, including the account types, redundancy options like LRS and GRS, access tiers, and migration tooling such as Storage Explorer, AzCopy, and Azure Migrate; and identity, access, and security, including Microsoft Entra ID, authentication methods, conditional access, role-based access control, defence in depth, and Microsoft Defender for Cloud.

    How to study it. Build the architectural hierarchy first as a mental ladder: management groups contain subscriptions, subscriptions contain resource groups, resource groups contain resources, and regions and availability zones describe where those resources physically live. Drill the location terms until a region (nearby networked datacentres), an availability zone (an isolation boundary inside one region), and a region pair (two linked regions in one geography) cannot be confused. For services, learn each by the one job it is named for: Entra ID for identity, Defender for Cloud for security posture and secure score, Storage Explorer for a graphical cross-platform way to manage blobs and files. Spend the most time here, as it is the largest domain by weight.

    Easy to confuse

    • Availability zone versus region. A region is a geographical area of nearby datacentres joined over a low-latency network; an availability zone is one or more physically separate datacentres inside a single region acting as an isolation boundary. Region is where; availability zone is the isolation unit within it.
    • Microsoft Entra ID versus Microsoft Defender for Cloud. Entra ID is the identity and access service that handles who can sign in and what they can reach; Defender for Cloud is the security posture and threat-protection service that assesses resources and calculates a secure score. One controls identity, the other measures and improves security.

    Worked example from the AZ-900 bank

    Free sample: Describe Azure Architecture and Services (medium)

    Inside a single Azure region, a designer wants the construct made up of one or more physically separate datacentres that each have independent power, cooling, and networking and that act as an isolation boundary. Which construct fits?

    • A. An availability zone, a separate datacentre that is an isolation boundary (Correct)
    • B. A region pair set up across two regions in one geography
    • C. A sovereign region isolated for legal or compliance reasons
    • D. A resource group that logically groups related Azure resources

    An availability zone is a physically separate datacentre within a region acting as an isolation boundary.

    Why A is correct: Correct. An availability zone is defined as one or more physically separate datacentres within a region, each equipped with independent power, cooling, and networking, deliberately set up as an isolation boundary so that one zone failing leaves the others working.

    Why B is wrong: A region pair spans two distinct regions for cross-region recovery, so it operates above the region level rather than as a separate datacentre inside one region, which is what the stem requires.

    Why C is wrong: A sovereign region is an isolated instance of Azure for compliance purposes, not a separate datacentre within a normal region acting as a resiliency isolation boundary, so it does not fit.

    Why D is wrong: A resource group is a logical management container with no physical datacentre or independent power meaning, so it cannot be the isolation boundary made of separate datacentres.

  3. Describe Azure Management and Governance

    35% of exam

    What you must be able to do. Match cost, governance, deployment, and monitoring needs to the right Azure tool: the pricing and TCO calculators and Cost Management for spend, Azure Policy and locks for governance, the portal and CLI and Arc for managing resources, and Advisor, Service Health, and Monitor for observability.

    In one sentence. The management domain: choosing the right tool for cost, governance, deployment, or monitoring, and not confusing the close neighbours within each group.

    Recall check: answer these from memory first
    • Which calculator estimates the cost of a planned Azure deployment, and which one compares the cost of on-premises against Azure?
    • What does Azure Policy do with resources that already existed before the policy was assigned?
    • Name the tool for each: viewing Azure outages that affect your resources, getting best-practice recommendations, and writing interactive queries over collected log data.

    What it tests. Keeping an Azure estate controlled, compliant, and observed. Cost management, including the factors that affect cost, the Pricing Calculator for forecasting a planned deployment versus the Total Cost of Ownership calculator for comparing on-premises with cloud, Microsoft Cost Management, and tags for organising and reporting on spend; governance and compliance, including Azure Policy for enforcing and auditing configuration rules, resource locks to prevent accidental change or deletion, and the Service Trust Portal; the tools for managing and deploying resources, including the portal, Cloud Shell, the CLI, PowerShell, Azure Arc, and infrastructure as code; and the monitoring tools Azure Advisor, Azure Service Health, and Azure Monitor with Log Analytics.

    How to study it. Group the tools by the job and learn the discriminator inside each group, because that is where the traps live. For cost, separate the Pricing Calculator (estimate a planned Azure deployment) from the TCO calculator (compare staying on-premises with moving to Azure). For governance, fix that Azure Policy audits and enforces configuration and flags non-compliant resources, including ones created before the policy existed, while a resource lock simply blocks deletion or modification. For monitoring, place each tool: Advisor gives recommendations, Service Health reports Azure outages affecting you, Azure Monitor collects telemetry, and Log Analytics is where you write queries against that data. Match each scenario need to exactly one of these.

    Easy to confuse

    • Azure Policy versus a resource lock. Azure Policy enforces and audits configuration rules across resources and flags non-compliant ones, including pre-existing resources; a resource lock only prevents a resource from being modified or deleted. Policy governs configuration broadly; a lock just protects against accidental change.
    • Azure Monitor versus Azure Log Analytics. Azure Monitor is the overall platform that collects metrics and logs from your resources; Log Analytics is the tool inside it where you write and run interactive queries against the collected log data. Monitor gathers; Log Analytics queries.

    Worked example from the AZ-900 bank

    Free sample: Describe Azure Management and Governance (medium)

    An admin assigns a new policy today that allows only approved VM sizes. Several oversized virtual machines were deployed last year, long before this policy existed. What does Azure Policy do with those older virtual machines?

    • A. It ignores them because they were created before the policy was assigned
    • B. It deletes them automatically so only compliant sizes remain in place
    • C. It locks them so nobody can change their size without removing the lock
    • D. It evaluates them and highlights the oversized ones as non-compliant (Correct)

    Azure Policy evaluates resources created before the policy existed and flags non-compliant ones.

    Why A is wrong: Assuming older resources are grandfathered out feels intuitive, but Azure Policy does evaluate existing resources, so pre-existing machines are not skipped.

    Why B is wrong: A candidate may expect strong enforcement to remove offenders, but Azure Policy evaluates and reports rather than deleting non-compliant resources on its own.

    Why C is wrong: Locking against change is the job of resource locks, not Azure Policy, so this confuses two distinct governance tools and is wrong here.

    Why D is correct: Correct. Azure Policy evaluates existing resources, including ones created before the policy was assigned, and highlights any that do not meet the rule as non-compliant rather than ignoring them.

A study plan that works

  1. Map the blueprint and book a date

    Day 1

    Read the three domains and their weights so you know where the marks are. Architecture and Services is the largest single block, with Cloud Concepts and Management and Governance close behind, so none can be skipped. Book a provisional exam date now: a fixed date turns vague study into a plan and is the strongest predictor of actually sitting.

  2. Lock the shared responsibility model and service types

    Week 1

    Start with Cloud Concepts because everything else leans on it. Learn the shared responsibility model cold, especially that data and identities are always yours, and drill the IaaS, PaaS, and SaaS split by who manages what. Then pin each cloud benefit word to its exact definition so scalability, availability, reliability, and cost predictability cannot be swapped.

  3. Build the Azure architecture hierarchy

    Week 2

    Learn the nesting ladder from management groups down to resources, and the location terms (region, region pair, availability zone) until they cannot be confused. Spend a few hours in the Azure portal creating a resource group and a virtual machine so the names become concrete rather than abstract. This is the heaviest domain, so give it the most time.

  4. Drill compute, storage, identity, and security services

    Weeks 2 to 3

    Within Architecture and Services, learn each service by the one job it is named for: virtual machines and containers and Functions for compute, the storage account types and redundancy options for storage, Entra ID for identity, and Defender for Cloud for security posture. Practise the close-pair calls, such as Entra ID versus Defender for Cloud, until the need alone picks the answer.

  5. Cover cost, governance, and monitoring tools

    Week 3

    Work through Management and Governance by grouping tools by job: the two calculators for cost, Azure Policy and locks for governance, the portal and CLI and Arc for deployment, and Advisor, Service Health, and Monitor for observability. The marks here come from telling the close neighbours apart, so drill the discriminators inside each group rather than memorising lists.

  6. Practise on scenario questions and review the misses

    Week 4

    Move to mixed practice questions across all three domains and read the worked explanation on every one, including the ones you got right, watching for the close-sounding distractor you nearly chose. Use your per-domain accuracy to attack the weakest area rather than re-reading what you already know, then revisit the recall prompts after a few days to space the review.

  7. Sit a timed mock and calibrate

    Week 4

    Take at least one full timed mock under exam conditions to rehearse pacing and the flag-and-return habit. Treat the result as a per-domain readiness signal rather than a single number, and review every missed question, naming the discriminator you misread, before you book or sit the real exam.

Know when you're ready

Readiness for AZ-900 is a measured score on practice questions you have not seen before, not a feeling that the service names look familiar. Re-reading study notes builds recognition, and recognition feels like knowledge, so confidence rises while real recall lags behind. The honest test is whether you can read a fresh one-line need, name the single Azure service or concept that fits, and say why the close-sounding neighbour is wrong. If you can only nod along once the explanation is shown, you are not there yet. Aim to clear every one of the three domains comfortably on unseen questions across more than one sitting, not to scrape a single pass, and trust your per-domain accuracy over your gut. When all three domains read comfortably above the bar on questions you have never seen, you are ready to book.

Exam-day tips

  • Read the need first, then the options. AZ-900 questions are short and the wording usually names the exact job, so identify what is required before you weigh any service.
  • Beat the close-pair traps on scope. When two services overlap, ask who or what each one governs: identity (Entra ID) versus security posture (Defender for Cloud), configuration rules (Policy) versus a single resource lock.
  • Map benefit words to definitions, not feelings. Scalability is sizing to demand, high availability is staying up through failure, cost predictability is forecasting spend; do not pick the answer that merely sounds reassuring.
  • Anchor service-type questions to the shared responsibility model. Data and identities are always yours; if the scenario needs operating-system control it is IaaS, and if it wants a ready-made application it is SaaS.
  • Watch multiple-response questions. Some items ask you to select more than one correct answer, so read the instruction and pick every option that fits, not just the first good one.
  • Flag and move on. Cover every question once and collect the clear marks first, then return to the few that need thought rather than stalling early and losing easy points.

Frequently asked questions

Is AZ-900 hard?

It is a foundational exam and the least technical Azure certification, so it is among the more approachable in the catalogue. The difficulty is breadth rather than depth: you must recognise a wide range of services and concepts and tell close-sounding ones apart, but you are never asked to configure or build anything.

Do I need Azure experience before taking AZ-900?

No experience is required and there are no prerequisites. That said, a few hours in the Azure portal creating a free-tier resource group and a virtual machine makes the service names concrete and sticks far better than reading alone, so it is worth doing even though it is optional.

How long should I study for AZ-900?

Most newcomers are ready in two to four weeks of steady part-time study, and those with some IT background often need less. The time is best spent on the matching skill, learning to pick the one right service for a stated need, rather than on memorising long feature lists.

What kinds of questions does AZ-900 ask?

Expect mostly multiple-choice and multiple-response questions framed as short scenarios or definitions. Many give a one-line need and four similar services, where three are plausible neighbours and only one is built for the job, so reading carefully and rejecting the near-miss options is the core skill.

Is AZ-900 worth it, and what comes after?

It is a recognised baseline that proves cloud and Azure literacy, which is useful for non-engineering roles and as a foundation before the role-based associate exams such as the Azure Administrator or Developer certifications. Many people use it as the first rung on the Microsoft certification ladder.

How should I judge when I am ready to book?

Use a measured score on practice questions you have not seen before, not a feeling of familiarity. When you can clear all three domains comfortably on unseen questions across more than one session, and a timed mock feels comfortable on pacing, you are ready; before that, keep drilling the close-pair discriminators.

Examworthy is not affiliated with or endorsed by Microsoft. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. AZ-900 and related marks belong to their respective owners.