AZ-900 Study Guide 2026
The AZ-900 Microsoft Azure Fundamentals exam tests your knowledge across three domains weighted very differently. Most people who fail study equal amounts of each โ that's a mistake. This guide shows you exactly what's on the exam, how much each domain counts, and what changed in the January 2026 update so you're not studying outdated material.
The domain weight problem
The single most actionable thing in this guide: the three exam domains are not equally weighted. Before you plan any study schedule, look at this bar:
| Domain | Weight | What this means |
|---|---|---|
| Domain 1 Cloud Concepts | 25โ30% | The shortest domain. Most people over-study this one. |
| Domain 2 Azure Architecture & Services | 35โ40% | The heaviest domain. More questions than any other. |
| Domain 3 Management & Governance | 30โ35% | Nearly tied with Domain 2 โ and the most under-studied. |
Domain 1: Cloud Concepts (25โ30%)
Cloud definition and characteristics
The NIST definition is what Microsoft tests: cloud computing delivers five essential characteristics โ on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Know these cold. Economies of scale matter too: Microsoft buys compute at such volume that it can pass savings on to customers โ this is why cloud is often cheaper than on-premises hardware.
Shared Responsibility Model
One of the highest-frequency topics. The model defines what Microsoft manages and what you manage, and it shifts by service type:
- IaaS: You manage the OS, middleware, runtime, applications, and data. Microsoft manages the physical hardware and hypervisor.
- PaaS: You manage applications and data only. Microsoft manages OS, runtime, and middleware. Identity and network controls are shared.
- SaaS: You manage data and access only. Microsoft manages everything else.
The one constant: customers always own their data. Microsoft always owns physical security.
Service models vs deployment models
These are different concepts that the exam frequently mixes. Service models describe what is managed: IaaS (virtual machines, raw infrastructure), PaaS (App Service, Azure SQL DB, AKS โ you manage app and data only), SaaS (Microsoft 365 โ just use it). Deployment models describe where it runs: public cloud (shared, OpEx), private cloud (dedicated, CapEx), hybrid (connected public and private), multi-cloud (two or more providers simultaneously).
The 8 cloud benefits
Microsoft lists exactly eight benefits in their objectives. Know all eight by name and definition:
- High Availability โ SLAs, load balancers, availability zones keep services running
- Scalability โ vertical (bigger VM) or horizontal (more instances)
- Elasticity โ automatic scaling up AND down; only pay for what you use
- Reliability โ auto-healing, geo-redundancy, design for failure
- Predictability โ consistent performance and accurate cost forecasting
- Security โ physical security, cyber protection, compliance certifications
- Governance โ Policy, Blueprints, RBAC, Management Groups
- Manageability โ Portal, CLI, PowerShell, REST API, ARM Templates
CapEx vs OpEx
Capital expenditure (CapEx) is upfront hardware purchasing โ you buy servers, depreciate them over years, and own fixed costs. Operational expenditure (OpEx) is pay-as-you-go โ variable costs that scale with usage. Cloud = OpEx. On-premises data centre = CapEx. The exam will give you scenarios and ask which applies.
Domain 2: Azure Architecture & Services (35โ40%)
This is the largest domain by question count. Breadth matters here โ the exam tests across every area below, not just one or two.
Global infrastructure
Azure is organised into regions, availability zones, and region pairs. A region is a geographic area with at least one (usually multiple) data centres. Availability Zones are physically separate data centres within a region โ 3+ per region, each with independent power, cooling, and networking. Azure Zones protect against data centre failure. Region pairs protect against regional failure. Region pairs are at least 300 miles apart, same geography. Only one region in a pair is updated at a time.
SLA tiers to memorise: Single VM = 99.9%, Availability Set = 99.95%, Availability Zones = 99.99%.
Management hierarchy
Management Groups โ Subscriptions โ Resource Groups โ Resources. Governance rules and cost assignments flow down this hierarchy. A resource must be in exactly one resource group. Deleting a resource group deletes everything inside it. Resource groups can contain resources from multiple regions.
Compute
- Virtual Machines: IaaS, you manage the OS. A stopped VM (from inside the OS) is still billed. A deallocated VM is not billed. Requires NIC, VNet, OS Disk, and NSG.
- VM Scale Sets (VMSS): Identical VMs that auto-scale. Supports load balancers.
- App Service: PaaS web hosting โ no OS management. Supports .NET, Java, Python, Node, PHP.
- Azure Functions: Serverless, event-driven, per-execution billing, scales to zero.
- Azure Container Instances (ACI): Fastest way to run a container, no cluster management.
- Azure Kubernetes Service (AKS): Managed Kubernetes for orchestrating containers at scale.
- Azure Virtual Desktop (AVD): Cloud-hosted Windows desktop, multi-session Windows 10/11.
Networking
- Virtual Networks (VNets): Private network using RFC 1918 addresses. One region per VNet. Divided into subnets. VNet peering connects VNets.
- NSGs: Layer 4 stateful firewall rules. Lower priority number = higher precedence.
- Azure Firewall: Layer 7, FQDN-based rules, requires its own subnet (AzureFirewallSubnet).
- VPN Gateway: Encrypted tunnel over the public internet to on-premises networks.
- ExpressRoute: Private connection โ NOT over the public internet. Higher cost, higher reliability, lower latency.
- Azure DDoS Protection: Basic is free (always on). Standard is per-VNet, paid, with ML-tuned mitigation.
Storage
Redundancy tiers in order of resilience (and cost): LRS โ ZRS โ GRS โ GZRS. LRS replicates within one data centre (cheapest). ZRS replicates across three availability zones. GRS replicates to a paired region. GZRS combines zone redundancy and geo-replication (most resilient).
Blob access tiers: Hot (frequent access), Cool (infrequent, 30-day minimum), Cold (90-day minimum), Archive (rarely accessed, 180-day minimum, hours to rehydrate). Blob types: Block Blobs (files, images), Page Blobs (VM disks/VHDs), Append Blobs (logs).
Identity
Passwordless authentication is now co-equal with SSO and MFA as a core authentication method. Windows Hello, FIDO2 keys, and the Microsoft Authenticator app are the main implementations.
Entra ID roles vs Azure RBAC roles โ these are entirely separate systems. Entra ID roles manage the directory (users, groups, apps). Azure RBAC roles manage Azure resources (VMs, storage accounts, etc.). A Global Admin does NOT automatically have Azure resource access.
Azure AI Foundry (renamed from Azure AI Studio) = the end-to-end AI platform for building and deploying models including GPT-4.
ARM Templates and Bicep are now formal IaC objectives. Both produce the same result (deploy Azure resources declaratively); Bicep is cleaner syntax that compiles to ARM JSON.
Domain 3: Management & Governance (30โ35%)
Cost management tools โ a critical three-way distinction
The exam will give you scenarios and ask which tool to use. The distinction matters:
| Tool | When to use it |
|---|---|
| Pricing Calculator | BEFORE deploying โ estimate what something will cost |
| TCO Calculator | BEFORE migrating โ compare on-premises cost vs Azure |
| Cost Management + Billing | AFTER deploying โ track actual spend, set budgets and alerts |
| Azure Advisor | Anytime โ free AI recommendations across Cost, Security, Reliability, Performance, and Operational Excellence |
Azure Policy
Azure Policy enforces rules on resource creation and configuration. There are exactly seven effects โ the exam may ask you to pick the right one for a scenario:
- Deny โ blocks non-compliant resource creation
- Audit โ logs non-compliance without blocking
- Append โ adds fields to the resource
- Modify โ adds or modifies tags and properties
- DeployIfNotExists โ auto-deploys a companion resource if one is missing
- AuditIfNotExists โ audits if a companion resource is missing
- Disabled โ policy definition exists but is turned off
Resource Locks
Two lock types: CanNotDelete (read and modify are allowed, delete is blocked) and ReadOnly (view only, no modify or delete). Critical exam fact: locks override RBAC. Even an Owner cannot delete a locked resource โ they must remove the lock first.
RBAC roles
The four built-in role hierarchy: Owner (all permissions including managing access), Contributor (all resource actions but cannot manage access), Reader (view only), User Access Administrator (manage access only, no resource actions). RBAC is additive โ if you have Contributor on a resource group and Reader on a subscription, you have Contributor access on that resource group.
Monitoring
- Azure Monitor: Umbrella for all monitoring โ Metrics (93 days retention), Logs (up to 2 years), Activity Log (90 days), Alerts, Action Groups
- Azure Service Health: Personalised alerts about outages and planned maintenance affecting your resources and regions
- Azure Status page: Global, public-facing status of all Azure services (not personalised)
- Resource Health: Health of your specific resource instance
SLAs and composite SLAs
Know these numbers: 99% = 7.3 hours/month downtime, 99.9% = 43 minutes, 99.95% = 22 minutes, 99.99% = 4 minutes. Composite SLAs for services in series are calculated by multiplying: 99.9% ร 99.9% = 99.8%. Services with redundant parallel paths use: 1 โ ((1 โ A) ร (1 โ B)) โ always much higher. Free and Preview services have no SLA.
Study strategy
Allocate time to match the weights
If you have 4 weeks: spend roughly 1 week on Domain 1, 1.5 weeks on Domain 2, 1 week on Domain 3, and the last few days on timed practice tests. Don't let the "excitement" of Domain 2 topics crowd out Domain 3.
Practice questions over passive reading
Read a topic once, then do practice questions immediately. Don't re-read the same material repeatedly โ use wrong answers to identify gaps and go back to those specific sections. Scoring consistently above 80% on practice tests is a reliable indicator you're ready.
Prioritise the January 2026 updates
If you're using any prep material that's more than 6 months old, it likely doesn't cover the new objectives โ Serverless, HA/DR, Managed Identity, Passwordless Auth, ARM/Bicep, Messaging Services, AI Foundry, and Savings Plans vs Reservations. These will appear on your exam.
Ready to practice?
This guide covers what to study. Our full bundle gives you 595 flashcards and 540 practice questions โ all weighted to these exact domain proportions, all updated for January 2026.
Start studying at az900prep.com โ