JANUARY 2026 OBJECTIVES

What's On the AZ-900 Exam in 2026

All three domains ยท Complete topic list Updated June 2026

Microsoft updates AZ-900 exam objectives periodically. The January 2026 update added several new topics and shifted emphasis in existing areas. This page covers every testable topic, what's new, and how heavily each area is weighted so you spend your study time in the right places.

Exam format: 40โ€“60 questions ยท 45โ€“60 minutes ยท 700 out of 1000 to pass ยท Question types include multiple-choice, drag-and-drop, scenario-based, and case studies ยท No penalty for wrong answers

Domain weights at a glance

DomainWeightYour study priority
Domain 1: Cloud Concepts25โ€“30%Study last โ€” most people already know the basics
Domain 2: Azure Architecture & Services35โ€“40%Study thoroughly โ€” most questions come from here
Domain 3: Management & Governance30โ€“35%Study deeply โ€” this is where most people fail
โš ๏ธ A common mistake: spending 60% of study time on Domain 1 because it's the most familiar. That's 60% of your time on at most 30% of the exam. Domains 2 and 3 together are 65โ€“75% of your score.

Domain 1: Cloud Concepts

Weight: 25โ€“30%

Cloud definition & NIST characteristics
5 characteristics, economies of scale, consumption model
Shared Responsibility Model
Who manages what in IaaS, PaaS, and SaaS โ€” high frequency
Service Models (IaaS/PaaS/SaaS)
Definitions, examples, management boundaries
Deployment Models
Public, private, hybrid, multi-cloud
8 Cloud Benefits
HA, scalability, elasticity, reliability, predictability, security, governance, manageability
CapEx vs OpEx
On-prem = CapEx. Cloud = OpEx. Scenario questions common.
NEW Serverless computing
Event-driven, scales to zero, pay per execution, no server management
NEW HA vs DR / RTO vs RPO
HA minimises downtime, DR recovers from catastrophic failure. Different tools.
NEW Cloud Migration โ€” 6 Rs
Rehost, Refactor, Rearchitect, Rebuild, Replace (SaaS), Retire

Domain 2: Azure Architecture & Services

Weight: 35โ€“40% ยท This is the widest domain โ€” prepare for breadth.

Core infrastructure

Regions & Availability Zones
AZs = 3+ DCs per region. AZs protect DC failure, Region Pairs protect regional failure.
Management hierarchy
Management Groups โ†’ Subscriptions โ†’ Resource Groups โ†’ Resources
NEW ARM Templates & Bicep
Declarative IaC. Bicep = cleaner syntax, compiles to ARM JSON. Same capabilities.

Compute

Virtual Machines
Deallocated โ‰  stopped. Stopped (from OS) still bills. Scale Sets for auto-scale.
Containers โ€” ACI vs AKS
ACI = fastest, no infra. AKS = managed Kubernetes for orchestration at scale.
App Service
PaaS web hosting. No OS management. Supports multiple languages.
Azure Functions
Serverless, event-driven, per-execution billing, scales to zero.

Networking

VNets, Subnets, NSGs
NSG rules: lower number = higher priority. Stateful firewall.
VPN Gateway vs ExpressRoute
VPN = over internet (encrypted). ExpressRoute = private line, NOT internet.
Azure Firewall vs DDoS
Firewall = L7 traffic filtering. DDoS Basic (free) vs Standard (paid, per-VNet).
NEW Azure DNS
Public zones (internet-facing) vs private zones (internal VNet resolution)

Storage

Redundancy tiers
LRS โ†’ ZRS โ†’ GRS โ†’ GZRS. GRS/GZRS replicate to paired region.
Blob access tiers
Hot โ†’ Cool (30d min) โ†’ Cold (90d min) โ†’ Archive (180d min, hrs to rehydrate)

Identity & Security

Entra ID (formerly Azure AD)
Cloud-based identity. SSO, MFA, Conditional Access, B2B/B2C.
NEW Managed Identity
System-Assigned (1 resource, deleted with it) vs User-Assigned (shared, independent). No credentials in code.
NEW Passwordless Authentication
Co-equal with MFA and SSO. Windows Hello, FIDO2, Microsoft Authenticator.
NEW Entra ID vs Azure RBAC roles
Entirely separate systems. Entra = directory. RBAC = resources. Global Admin โ‰  Owner.

Additional services

NEW Messaging Services
Service Bus (guaranteed delivery) vs Event Hubs (streaming, IoT) vs Event Grid (event routing)
NEW Azure AI Foundry
Renamed from Azure AI Studio. End-to-end AI model platform including GPT-4 deployment.
Azure SQL DB vs SQL MI vs Cosmos DB
SQL DB = new apps PaaS. SQL MI = lift-and-shift. Cosmos DB = globally distributed NoSQL.

Domain 3: Management & Governance

Weight: 30โ€“35% ยท Nearly as heavy as Domain 2. Study this as thoroughly.

Pricing Calculator
Use BEFORE deploying โ€” estimate future Azure costs. No login required.
TCO Calculator
Use to compare on-premises vs Azure cost. Builds the migration business case.
Cost Management + Billing
Use AFTER deploying โ€” track actual spend, set budgets and alerts.
Azure Advisor
Free AI recommendations: Cost, Security, Reliability, Performance, Operational Excellence.
NEW Savings Plans vs Reservations
Savings Plans = flexible (any compute, commit $/hr). Reservations = specific SKU + region. Both tested.
Azure Policy (all 7 effects)
Deny, Audit, Append, Modify, DeployIfNotExists, AuditIfNotExists, Disabled
Resource Locks
CanNotDelete and ReadOnly. Locks override RBAC โ€” even Owner can't delete a locked resource.
Tags
Max 50 per resource. NOT inherited by child resources by default. Enforce via Policy.
Azure Blueprints
Bundled, versioned RG + ARM + RBAC + Policy. Tracked assignments to subscriptions.
RBAC roles
Owner > Contributor > Reader. User Access Administrator manages RBAC only. Additive model.
Microsoft Defender for Cloud
CSPM + Secure Score + Regulatory Compliance. Works across Azure, AWS, GCP.
Microsoft Sentinel
SIEM + SOAR built on Log Analytics. Cloud-native threat detection + automated response.
Azure Monitor
Metrics (93 days) + Logs (2 years) + Activity Log (90 days) + Alerts + Action Groups
SLAs & Support Plans
99.9% = 43 min/month. Composite SLA = multiply individual SLAs. Free services have no SLA.
Trust Center vs Service Trust Portal
Trust Center = overview, public. Service Trust Portal = actual audit reports, login required.

What changed in January 2026 โ€” full list

All 11 of these topics are now formal exam objectives. If your prep material predates 2026, it likely doesn't cover them.

TopicDomainWhat you need to know
Serverless computingD1Event-driven, scales to zero, pay per execution. Azure Functions is the main example.
HA vs DR / RTO vs RPOD1HA minimises downtime. DR recovers from catastrophic failure. RTO = restore time, RPO = data loss window.
Cloud Migration 6 RsD1Rehost, Refactor, Rearchitect, Rebuild, Replace (SaaS), Retire.
ARM Templates & BicepD2Declarative IaC. Idempotent. Bicep is preferred newer syntax compiling to ARM JSON.
Azure DNSD2Public zones (internet) vs private zones (internal VNet). Both now explicitly in scope.
Passwordless authenticationD2Co-equal with MFA and SSO. Windows Hello, FIDO2, Microsoft Authenticator app.
Managed IdentityD2System-Assigned vs User-Assigned. Eliminates credential management. Authenticate to Azure services without secrets in code.
Entra ID vs Azure RBAC rolesD2Two entirely separate systems. Entra manages the directory. RBAC manages resources. Not interchangeable.
Messaging: Bus/Hubs/GridD2Service Bus = reliable delivery. Event Hubs = high-throughput streaming. Event Grid = event routing. Scenario questions expected.
Azure AI FoundryD2Renamed from Azure AI Studio. Platform for building and deploying AI models including GPT-4.
Savings Plans vs ReservationsD3Savings Plans = flexible ($/hr commitment, any eligible compute). Reservations = specific VM SKU + region, 1 or 3 years.

540 practice questions covering every topic on this page

Plus 595 flashcards filterable by domain and topic โ€” all weighted to the real exam proportions.

Start at az900prep.com โ†’