JANUARY 2026 OBJECTIVES
What's On the AZ-900 Exam in 2026
Microsoft updates AZ-900 exam objectives periodically. The January 2026 update added several new topics and shifted emphasis in existing areas. This page covers every testable topic, what's new, and how heavily each area is weighted so you spend your study time in the right places.
Exam format: 40โ60 questions ยท 45โ60 minutes ยท 700 out of 1000 to pass ยท Question types include multiple-choice, drag-and-drop, scenario-based, and case studies ยท No penalty for wrong answers
Domain weights at a glance
| Domain | Weight | Your study priority |
|---|---|---|
| Domain 1: Cloud Concepts | 25โ30% | Study last โ most people already know the basics |
| Domain 2: Azure Architecture & Services | 35โ40% | Study thoroughly โ most questions come from here |
| Domain 3: Management & Governance | 30โ35% | Study deeply โ this is where most people fail |
โ ๏ธ A common mistake: spending 60% of study time on Domain 1 because it's the most familiar. That's 60% of your time on at most 30% of the exam. Domains 2 and 3 together are 65โ75% of your score.
Domain 1: Cloud Concepts
Weight: 25โ30%
Cloud definition & NIST characteristics
5 characteristics, economies of scale, consumption model
Shared Responsibility Model
Who manages what in IaaS, PaaS, and SaaS โ high frequency
Service Models (IaaS/PaaS/SaaS)
Definitions, examples, management boundaries
Deployment Models
Public, private, hybrid, multi-cloud
8 Cloud Benefits
HA, scalability, elasticity, reliability, predictability, security, governance, manageability
CapEx vs OpEx
On-prem = CapEx. Cloud = OpEx. Scenario questions common.
NEW Serverless computing
Event-driven, scales to zero, pay per execution, no server management
NEW HA vs DR / RTO vs RPO
HA minimises downtime, DR recovers from catastrophic failure. Different tools.
NEW Cloud Migration โ 6 Rs
Rehost, Refactor, Rearchitect, Rebuild, Replace (SaaS), Retire
Domain 2: Azure Architecture & Services
Weight: 35โ40% ยท This is the widest domain โ prepare for breadth.
Core infrastructure
Regions & Availability Zones
AZs = 3+ DCs per region. AZs protect DC failure, Region Pairs protect regional failure.
Management hierarchy
Management Groups โ Subscriptions โ Resource Groups โ Resources
NEW ARM Templates & Bicep
Declarative IaC. Bicep = cleaner syntax, compiles to ARM JSON. Same capabilities.
Compute
Virtual Machines
Deallocated โ stopped. Stopped (from OS) still bills. Scale Sets for auto-scale.
Containers โ ACI vs AKS
ACI = fastest, no infra. AKS = managed Kubernetes for orchestration at scale.
App Service
PaaS web hosting. No OS management. Supports multiple languages.
Azure Functions
Serverless, event-driven, per-execution billing, scales to zero.
Networking
VNets, Subnets, NSGs
NSG rules: lower number = higher priority. Stateful firewall.
VPN Gateway vs ExpressRoute
VPN = over internet (encrypted). ExpressRoute = private line, NOT internet.
Azure Firewall vs DDoS
Firewall = L7 traffic filtering. DDoS Basic (free) vs Standard (paid, per-VNet).
NEW Azure DNS
Public zones (internet-facing) vs private zones (internal VNet resolution)
Storage
Redundancy tiers
LRS โ ZRS โ GRS โ GZRS. GRS/GZRS replicate to paired region.
Blob access tiers
Hot โ Cool (30d min) โ Cold (90d min) โ Archive (180d min, hrs to rehydrate)
Identity & Security
Entra ID (formerly Azure AD)
Cloud-based identity. SSO, MFA, Conditional Access, B2B/B2C.
NEW Managed Identity
System-Assigned (1 resource, deleted with it) vs User-Assigned (shared, independent). No credentials in code.
NEW Passwordless Authentication
Co-equal with MFA and SSO. Windows Hello, FIDO2, Microsoft Authenticator.
NEW Entra ID vs Azure RBAC roles
Entirely separate systems. Entra = directory. RBAC = resources. Global Admin โ Owner.
Additional services
NEW Messaging Services
Service Bus (guaranteed delivery) vs Event Hubs (streaming, IoT) vs Event Grid (event routing)
NEW Azure AI Foundry
Renamed from Azure AI Studio. End-to-end AI model platform including GPT-4 deployment.
Azure SQL DB vs SQL MI vs Cosmos DB
SQL DB = new apps PaaS. SQL MI = lift-and-shift. Cosmos DB = globally distributed NoSQL.
Domain 3: Management & Governance
Weight: 30โ35% ยท Nearly as heavy as Domain 2. Study this as thoroughly.
Pricing Calculator
Use BEFORE deploying โ estimate future Azure costs. No login required.
TCO Calculator
Use to compare on-premises vs Azure cost. Builds the migration business case.
Cost Management + Billing
Use AFTER deploying โ track actual spend, set budgets and alerts.
Azure Advisor
Free AI recommendations: Cost, Security, Reliability, Performance, Operational Excellence.
NEW Savings Plans vs Reservations
Savings Plans = flexible (any compute, commit $/hr). Reservations = specific SKU + region. Both tested.
Azure Policy (all 7 effects)
Deny, Audit, Append, Modify, DeployIfNotExists, AuditIfNotExists, Disabled
Resource Locks
CanNotDelete and ReadOnly. Locks override RBAC โ even Owner can't delete a locked resource.
Tags
Max 50 per resource. NOT inherited by child resources by default. Enforce via Policy.
Azure Blueprints
Bundled, versioned RG + ARM + RBAC + Policy. Tracked assignments to subscriptions.
RBAC roles
Owner > Contributor > Reader. User Access Administrator manages RBAC only. Additive model.
Microsoft Defender for Cloud
CSPM + Secure Score + Regulatory Compliance. Works across Azure, AWS, GCP.
Microsoft Sentinel
SIEM + SOAR built on Log Analytics. Cloud-native threat detection + automated response.
Azure Monitor
Metrics (93 days) + Logs (2 years) + Activity Log (90 days) + Alerts + Action Groups
SLAs & Support Plans
99.9% = 43 min/month. Composite SLA = multiply individual SLAs. Free services have no SLA.
Trust Center vs Service Trust Portal
Trust Center = overview, public. Service Trust Portal = actual audit reports, login required.
What changed in January 2026 โ full list
All 11 of these topics are now formal exam objectives. If your prep material predates 2026, it likely doesn't cover them.
| Topic | Domain | What you need to know |
|---|---|---|
| Serverless computing | D1 | Event-driven, scales to zero, pay per execution. Azure Functions is the main example. |
| HA vs DR / RTO vs RPO | D1 | HA minimises downtime. DR recovers from catastrophic failure. RTO = restore time, RPO = data loss window. |
| Cloud Migration 6 Rs | D1 | Rehost, Refactor, Rearchitect, Rebuild, Replace (SaaS), Retire. |
| ARM Templates & Bicep | D2 | Declarative IaC. Idempotent. Bicep is preferred newer syntax compiling to ARM JSON. |
| Azure DNS | D2 | Public zones (internet) vs private zones (internal VNet). Both now explicitly in scope. |
| Passwordless authentication | D2 | Co-equal with MFA and SSO. Windows Hello, FIDO2, Microsoft Authenticator app. |
| Managed Identity | D2 | System-Assigned vs User-Assigned. Eliminates credential management. Authenticate to Azure services without secrets in code. |
| Entra ID vs Azure RBAC roles | D2 | Two entirely separate systems. Entra manages the directory. RBAC manages resources. Not interchangeable. |
| Messaging: Bus/Hubs/Grid | D2 | Service Bus = reliable delivery. Event Hubs = high-throughput streaming. Event Grid = event routing. Scenario questions expected. |
| Azure AI Foundry | D2 | Renamed from Azure AI Studio. Platform for building and deploying AI models including GPT-4. |
| Savings Plans vs Reservations | D3 | Savings Plans = flexible ($/hr commitment, any eligible compute). Reservations = specific VM SKU + region, 1 or 3 years. |
540 practice questions covering every topic on this page
Plus 595 flashcards filterable by domain and topic โ all weighted to the real exam proportions.
Start at az900prep.com โ