UPDATED JAN 2026

AZ-900 Study Guide 2026

Azure Fundamentals ยท All three domains ~15 min read Updated June 2026

The AZ-900 Microsoft Azure Fundamentals exam tests your knowledge across three domains weighted very differently. Most people who fail study equal amounts of each โ€” that's a mistake. This guide shows you exactly what's on the exam, how much each domain counts, and what changed in the January 2026 update so you're not studying outdated material.

Exam fast facts: 40โ€“60 questions ยท 45โ€“60 minutes ยท 700/1000 to pass ยท Offered online (proctored) or at a testing centre ยท AZ-900 never expires once you pass.

The domain weight problem

The single most actionable thing in this guide: the three exam domains are not equally weighted. Before you plan any study schedule, look at this bar:

25โ€“30%
35โ€“40%
30โ€“35%
DomainWeightWhat this means
Domain 1 Cloud Concepts25โ€“30%The shortest domain. Most people over-study this one.
Domain 2 Azure Architecture & Services35โ€“40%The heaviest domain. More questions than any other.
Domain 3 Management & Governance30โ€“35%Nearly tied with Domain 2 โ€” and the most under-studied.
โš ๏ธ Domain 3 warning: More candidates fail because of Domain 3 than any other reason. It covers cost management, Azure Policy, RBAC, monitoring, and SLAs โ€” less exciting topics that people skim. The exam doesn't.

Domain 1: Cloud Concepts (25โ€“30%)

Domain 1

Cloud definition and characteristics

The NIST definition is what Microsoft tests: cloud computing delivers five essential characteristics โ€” on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Know these cold. Economies of scale matter too: Microsoft buys compute at such volume that it can pass savings on to customers โ€” this is why cloud is often cheaper than on-premises hardware.

Shared Responsibility Model

One of the highest-frequency topics. The model defines what Microsoft manages and what you manage, and it shifts by service type:

The one constant: customers always own their data. Microsoft always owns physical security.

Service models vs deployment models

These are different concepts that the exam frequently mixes. Service models describe what is managed: IaaS (virtual machines, raw infrastructure), PaaS (App Service, Azure SQL DB, AKS โ€” you manage app and data only), SaaS (Microsoft 365 โ€” just use it). Deployment models describe where it runs: public cloud (shared, OpEx), private cloud (dedicated, CapEx), hybrid (connected public and private), multi-cloud (two or more providers simultaneously).

The 8 cloud benefits

Microsoft lists exactly eight benefits in their objectives. Know all eight by name and definition:

  1. High Availability โ€” SLAs, load balancers, availability zones keep services running
  2. Scalability โ€” vertical (bigger VM) or horizontal (more instances)
  3. Elasticity โ€” automatic scaling up AND down; only pay for what you use
  4. Reliability โ€” auto-healing, geo-redundancy, design for failure
  5. Predictability โ€” consistent performance and accurate cost forecasting
  6. Security โ€” physical security, cyber protection, compliance certifications
  7. Governance โ€” Policy, Blueprints, RBAC, Management Groups
  8. Manageability โ€” Portal, CLI, PowerShell, REST API, ARM Templates

CapEx vs OpEx

Capital expenditure (CapEx) is upfront hardware purchasing โ€” you buy servers, depreciate them over years, and own fixed costs. Operational expenditure (OpEx) is pay-as-you-go โ€” variable costs that scale with usage. Cloud = OpEx. On-premises data centre = CapEx. The exam will give you scenarios and ask which applies.

NEW JAN 2026 Serverless computing is now a formal Domain 1 objective. Key definition: no server management, event-driven, scales to zero, pay per execution only. Azure Functions is the primary example. Also new: HA vs DR distinction โ€” High Availability minimises downtime during failures; Disaster Recovery recovers from catastrophic events. RTO (how long before systems recover) and RPO (how much data can be lost) are now tested. The 6 Rs of cloud migration are also new: Rehost (lift and shift), Refactor, Rearchitect, Rebuild, Replace (move to SaaS), Retire.

Domain 2: Azure Architecture & Services (35โ€“40%)

Domain 2

This is the largest domain by question count. Breadth matters here โ€” the exam tests across every area below, not just one or two.

Global infrastructure

Azure is organised into regions, availability zones, and region pairs. A region is a geographic area with at least one (usually multiple) data centres. Availability Zones are physically separate data centres within a region โ€” 3+ per region, each with independent power, cooling, and networking. Azure Zones protect against data centre failure. Region pairs protect against regional failure. Region pairs are at least 300 miles apart, same geography. Only one region in a pair is updated at a time.

SLA tiers to memorise: Single VM = 99.9%, Availability Set = 99.95%, Availability Zones = 99.99%.

Management hierarchy

Management Groups โ†’ Subscriptions โ†’ Resource Groups โ†’ Resources. Governance rules and cost assignments flow down this hierarchy. A resource must be in exactly one resource group. Deleting a resource group deletes everything inside it. Resource groups can contain resources from multiple regions.

Compute

Networking

NEW JAN 2026 Azure DNS is now explicitly in the networking objectives. Know the difference: public DNS zones resolve internet-facing names. Private DNS zones resolve internal names within a VNet.

Storage

Redundancy tiers in order of resilience (and cost): LRS โ†’ ZRS โ†’ GRS โ†’ GZRS. LRS replicates within one data centre (cheapest). ZRS replicates across three availability zones. GRS replicates to a paired region. GZRS combines zone redundancy and geo-replication (most resilient).

Blob access tiers: Hot (frequent access), Cool (infrequent, 30-day minimum), Cold (90-day minimum), Archive (rarely accessed, 180-day minimum, hours to rehydrate). Blob types: Block Blobs (files, images), Page Blobs (VM disks/VHDs), Append Blobs (logs).

Identity

NEW JAN 2026 Managed Identity is now a formal objective. A managed identity is an automatically-managed Entra ID identity that lets your app authenticate to Azure services without storing credentials in code. System-Assigned is tied to one resource and deleted with it. User-Assigned has an independent lifecycle and can be shared across multiple resources.

Passwordless authentication is now co-equal with SSO and MFA as a core authentication method. Windows Hello, FIDO2 keys, and the Microsoft Authenticator app are the main implementations.

Entra ID roles vs Azure RBAC roles โ€” these are entirely separate systems. Entra ID roles manage the directory (users, groups, apps). Azure RBAC roles manage Azure resources (VMs, storage accounts, etc.). A Global Admin does NOT automatically have Azure resource access.
NEW JAN 2026 Messaging services: Service Bus = enterprise message broker, guaranteed delivery, transactions, dead-letter queue. Event Hubs = big data streaming, millions of events/second, IoT ingestion. Event Grid = event routing, reacts to Azure resource state changes (blob upload, resource deletion). Choosing between them is now a tested scenario.

Azure AI Foundry (renamed from Azure AI Studio) = the end-to-end AI platform for building and deploying models including GPT-4.

ARM Templates and Bicep are now formal IaC objectives. Both produce the same result (deploy Azure resources declaratively); Bicep is cleaner syntax that compiles to ARM JSON.

Domain 3: Management & Governance (30โ€“35%)

Domain 3
โš ๏ธ This is the domain most people under-study. It's 30โ€“35% of your score. Give it at least as much time as Domain 1.

Cost management tools โ€” a critical three-way distinction

The exam will give you scenarios and ask which tool to use. The distinction matters:

ToolWhen to use it
Pricing CalculatorBEFORE deploying โ€” estimate what something will cost
TCO CalculatorBEFORE migrating โ€” compare on-premises cost vs Azure
Cost Management + BillingAFTER deploying โ€” track actual spend, set budgets and alerts
Azure AdvisorAnytime โ€” free AI recommendations across Cost, Security, Reliability, Performance, and Operational Excellence
NEW JAN 2026 Savings Plans vs Azure Reservations: Savings Plans commit to a fixed hourly spend rate; savings apply to any eligible compute regardless of size or region (more flexible). Azure Reservations commit to a specific resource SKU and region for 1 or 3 years (less flexible, potentially larger discount, up to 72%). Know which offers more flexibility โ€” the exam tests this distinction.

Azure Policy

Azure Policy enforces rules on resource creation and configuration. There are exactly seven effects โ€” the exam may ask you to pick the right one for a scenario:

  1. Deny โ€” blocks non-compliant resource creation
  2. Audit โ€” logs non-compliance without blocking
  3. Append โ€” adds fields to the resource
  4. Modify โ€” adds or modifies tags and properties
  5. DeployIfNotExists โ€” auto-deploys a companion resource if one is missing
  6. AuditIfNotExists โ€” audits if a companion resource is missing
  7. Disabled โ€” policy definition exists but is turned off

Resource Locks

Two lock types: CanNotDelete (read and modify are allowed, delete is blocked) and ReadOnly (view only, no modify or delete). Critical exam fact: locks override RBAC. Even an Owner cannot delete a locked resource โ€” they must remove the lock first.

RBAC roles

The four built-in role hierarchy: Owner (all permissions including managing access), Contributor (all resource actions but cannot manage access), Reader (view only), User Access Administrator (manage access only, no resource actions). RBAC is additive โ€” if you have Contributor on a resource group and Reader on a subscription, you have Contributor access on that resource group.

Monitoring

SLAs and composite SLAs

Know these numbers: 99% = 7.3 hours/month downtime, 99.9% = 43 minutes, 99.95% = 22 minutes, 99.99% = 4 minutes. Composite SLAs for services in series are calculated by multiplying: 99.9% ร— 99.9% = 99.8%. Services with redundant parallel paths use: 1 โˆ’ ((1 โˆ’ A) ร— (1 โˆ’ B)) โ€” always much higher. Free and Preview services have no SLA.

Study strategy

Allocate time to match the weights

If you have 4 weeks: spend roughly 1 week on Domain 1, 1.5 weeks on Domain 2, 1 week on Domain 3, and the last few days on timed practice tests. Don't let the "excitement" of Domain 2 topics crowd out Domain 3.

Practice questions over passive reading

Read a topic once, then do practice questions immediately. Don't re-read the same material repeatedly โ€” use wrong answers to identify gaps and go back to those specific sections. Scoring consistently above 80% on practice tests is a reliable indicator you're ready.

Prioritise the January 2026 updates

If you're using any prep material that's more than 6 months old, it likely doesn't cover the new objectives โ€” Serverless, HA/DR, Managed Identity, Passwordless Auth, ARM/Bicep, Messaging Services, AI Foundry, and Savings Plans vs Reservations. These will appear on your exam.

Ready to practice?

This guide covers what to study. Our full bundle gives you 595 flashcards and 540 practice questions โ€” all weighted to these exact domain proportions, all updated for January 2026.

Start studying at az900prep.com โ†’