AZ-900 January 2026 Update: Every New Exam Objective Explained
Microsoft updated the AZ-900 Azure Fundamentals exam objectives in January 2026. If you are studying with any material published before then — older Udemy courses, older Microsoft Learn paths, older PDF guides — you are missing content that will appear on your exam.
This page covers every new or significantly expanded objective from that update: what it is, why it matters, and what the exam actually tests on it.
Domain 1: Cloud Concepts — 3 new objectives
Serverless Computing
Previously, serverless was background context. It is now a formal objective. The exam definition: no server management, event-driven execution, scales to zero, pay per execution only. Azure Functions is the primary example — your code runs in response to a trigger, you pay only while it runs, and there are no idle costs when nothing is happening. Know how this differs from PaaS (where you manage the app but not the OS) and IaaS (where you manage both).
High Availability vs Disaster Recovery — and RTO vs RPO
HA (High Availability) means minimising downtime during normal operations and minor failures. Tools: load balancers, availability zones, redundancy. Goal: keep the service running.
DR (Disaster Recovery) means recovering from a catastrophic failure that has already taken the system offline. Tools: geo-replication, backup, site recovery. Goal: restore the service.
RTO (Recovery Time Objective): how long the business can tolerate the system being down. How quickly must it be restored?
RPO (Recovery Point Objective): how much data loss is acceptable. If RPO is 4 hours, backups must be taken at least every 4 hours.
Expect scenario questions that ask you to identify which metric a given requirement describes.
The 6 Rs of Cloud Migration
Microsoft now explicitly tests these six migration strategies. Know the name and one-sentence definition of each:
- Rehost — "lift and shift." Move the workload to the cloud as-is. Fastest, no code changes.
- Refactor — minor code changes to take advantage of cloud capabilities (e.g. move to PaaS).
- Rearchitect — significant code changes to modernise the application architecture.
- Rebuild — rewrite the application from scratch using cloud-native services.
- Replace (Retire to SaaS) — replace the existing application with an off-the-shelf SaaS product.
- Retire — decommission the application entirely. No migration needed.
Domain 2: Azure Architecture & Services — 7 new objectives
This is where the January 2026 update hit hardest. Seven new or significantly expanded areas in the already-heaviest domain.
Infrastructure as Code: ARM Templates and Bicep
IaC is now a formal exam objective. Both tools deploy Azure resources declaratively — you describe the desired state and Azure makes it happen.
ARM Templates are JSON files. Verbose but the original standard. Every Azure resource can be described in an ARM template.
Bicep is a cleaner domain-specific language that compiles to ARM JSON. It is the current Microsoft-recommended approach. Same capabilities, simpler syntax.
Key properties to know: both are idempotent (running them twice produces the same result), both are declarative (describe what you want, not how to create it), and both support version control.
Azure DNS — Public and Private Zones
Azure DNS is now explicitly in the networking objectives. Two types:
Public DNS zones resolve names on the public internet. If you own a domain (e.g. az900prep.com), you can host its DNS records in Azure DNS.
Private DNS zones resolve names internally within a virtual network. VMs can reach each other by name (e.g. api.internal) without those names being visible or resolvable on the public internet.
The exam will likely ask you to distinguish these two use cases.
Passwordless Authentication
Passwordless is now a co-equal authentication method alongside SSO and MFA. Three main implementations:
Windows Hello for Business — biometric or PIN, replaces passwords on Windows devices.
FIDO2 security keys — physical hardware keys (e.g. YubiKey) with cryptographic proof of identity.
Microsoft Authenticator app — approve sign-ins from a phone notification, no password entered.
The exam asks about this as a security improvement over passwords, not as a specific product feature.
Managed Identity — System-Assigned vs User-Assigned
Managed Identity solves the "secret zero" problem: how does your application authenticate to other Azure services without storing credentials in code?
System-Assigned Managed Identity: created and tied to a single Azure resource (e.g. a VM or App Service). Deleted automatically when the resource is deleted. One resource, one identity.
User-Assigned Managed Identity: created as a standalone Azure resource with its own lifecycle. Can be assigned to multiple resources. Persists when those resources are deleted.
The exam tests both the concept (no credentials in code) and the distinction between the two types.
Entra ID Roles vs Azure RBAC Roles
This is one of the most heavily tested new areas. These are two entirely separate systems that get confused constantly.
Microsoft Entra ID roles (formerly Azure AD roles) manage the directory: users, groups, applications, and service principals. Scope is the entire tenant. Example roles: Global Administrator, User Administrator, Application Administrator.
Azure RBAC roles manage Azure resources: VMs, storage accounts, key vaults, resource groups, subscriptions. Example roles: Owner, Contributor, Reader.
Critical exam fact: A Global Administrator has no Azure resource access by default. They must explicitly be granted an Azure RBAC role (or elevate access). The systems are separate.
Messaging Services: Service Bus vs Event Hubs vs Event Grid
All three are now explicitly in scope. Scenario questions will ask you to pick the right one.
Azure Service Bus — enterprise message broker. Use for: reliable message delivery between services, ordering guarantees (FIFO), duplicate detection, dead-letter queues, transactions. Classic use case: order processing, financial transactions.
Azure Event Hubs — big data streaming and event ingestion. Use for: millions of events per second, IoT telemetry, log streaming, real-time analytics pipelines. High throughput is the key differentiator.
Azure Event Grid — event routing. Use for: reacting to state changes in Azure resources (e.g. "a blob was uploaded" → trigger a function). Lightweight, push-based, designed for Azure service integration.
Azure AI Foundry (formerly Azure AI Studio)
The product was renamed from Azure AI Studio to Azure AI Foundry. It is the end-to-end platform for building, testing, and deploying AI models in Azure, including large language models like GPT-4.
At the AZ-900 level, know: what it does (build and deploy AI models), that it exists (you may be asked to identify the correct service for an AI scenario), and its relationship to Azure AI Services (pre-built APIs) and Azure Machine Learning (full MLOps platform for data scientists). The three are distinct services at different levels of abstraction.
Domain 3: Management & Governance — 1 new objective
Azure Savings Plans vs Azure Reservations
Both are cost-reduction commitment tools. Both save you money versus pay-as-you-go. The exam now distinguishes them.
Azure Savings Plans — commit to a fixed hourly spend (e.g. $5/hour) across any eligible compute, regardless of VM size, series, or region. More flexible. Up to 65% savings.
Azure Reservations — commit to a specific VM SKU in a specific region for 1 or 3 years. Less flexible (size and region are locked), but can save up to 72%.
The exam will give you a scenario and ask which fits better. If flexibility across compute types or regions is mentioned: Savings Plan. If the workload is stable and predictable and the specific VM is known: Reservation.
Frequently asked questions
All 11 January 2026 objectives are in the bundle
595 flashcards and 540 practice questions — every new objective covered, weighted to the real exam domains.
See the full bundle at az900prep.com →