This cheat sheet is a fast, exam-focused review of everything on AZ-900 (Microsoft Azure Fundamentals). It is built for your final days of prep — skim it, test yourself, and drill anything that feels unfamiliar. It is a memory aid, not a replacement for understanding: AZ-900 questions are scenario-based, so know when to use each service.
Exam Snapshot
Passing Score
700 / 1000
Cost
$99 USD
Questions
40–60
Time
45 minutes
Cloud Concepts
25–30%
Architecture & Services
35–40%
Management & Governance
30–35%
1. Cloud Concepts
Service Models (who manages what)
| Model | You manage | Example |
|---|---|---|
| IaaS | OS, runtime, apps, data (most control) | Azure Virtual Machines |
| PaaS | Apps and data only (provider manages OS/platform) | Azure App Service, Azure SQL Database |
| SaaS | Just your data/usage (least control) | Microsoft 365 |
Deployment Models
- Public cloud: Owned by a provider (Azure), shared infrastructure, pay-as-you-go, no CapEx.
- Private cloud: Dedicated to one organization, more control and compliance, higher cost.
- Hybrid cloud: Combines public + private; flexibility, e.g., burst to cloud, keep sensitive data on-prem.
CapEx vs OpEx
- CapEx (Capital Expenditure): Big upfront purchase of physical assets (on-prem servers). Depreciates over time.
- OpEx (Operational Expenditure): Pay-as-you-go for services you consume (cloud). The Azure consumption model is OpEx.
Cloud Benefits — know the exact terms
| High availability | Keep services running with minimal downtime (SLAs). |
| Scalability | Add resources to meet demand. Vertical = bigger; Horizontal = more instances. |
| Elasticity | Automatically scale out/in based on real-time demand. |
| Reliability | Recover from failures and continue operating (resiliency). |
| Agility | Deploy and change resources quickly. |
Shared Responsibility Model: The customer is ALWAYS responsible for their data, devices, and accounts/identities. The cloud provider is always responsible for the physical datacenter, hosts, and network. The split in between depends on IaaS/PaaS/SaaS.
2. Core Architectural Components
| Term | What it is |
|---|---|
| Region | A geographic set of datacenters (e.g., East US). You deploy resources to a region. |
| Availability Zone | Physically separate datacenter within a region (own power/cooling/network). Protects against datacenter failure. |
| Region pair | Two regions paired for replication/DR, usually 300+ miles apart. |
| Resource | A single manageable item (a VM, a storage account). |
| Resource Group | Logical container for resources. A resource lives in exactly one group. |
| Subscription | Billing and access boundary that holds resource groups. |
| Management Group | Container above subscriptions for applying policy/RBAC at scale (inherits downward). |
Hierarchy (top → bottom): Management Group → Subscription → Resource Group → Resource.
Test the concepts you just reviewed
Try 40 Free AZ-900 Practice Questions
Scenario-based questions with detailed explanations. No credit card required.
Start Free Practice →3. Compute Services
| Service | Use when… |
|---|---|
| Virtual Machines (VMs) | You need full control over the OS (IaaS); lift-and-shift. |
| Virtual Machine Scale Sets | You need identical VMs that autoscale. |
| App Service | Host web apps/APIs without managing servers (PaaS). |
| Azure Functions | Event-driven, serverless code; pay per execution. |
| Container Instances (ACI) | Run a single container quickly, no orchestration. |
| Azure Kubernetes Service (AKS) | Orchestrate many containers at scale. |
| Azure Virtual Desktop | Deliver Windows desktops/apps from the cloud. |
4. Networking
| Service | Purpose |
|---|---|
| Virtual Network (VNet) | Private network in Azure for your resources to communicate securely. |
| VPN Gateway | Encrypted connection over the public internet (site-to-site, point-to-site). |
| ExpressRoute | Private, dedicated connection to Azure (does NOT traverse the public internet). |
| Load Balancer | Distribute network traffic across VMs (Layer 4). |
| Application Gateway | Web traffic load balancing with WAF (Layer 7). |
| Azure DNS | Host and resolve domain names. |
| Content Delivery Network (CDN) | Cache content close to users for faster delivery. |
5. Storage
Storage Services
| Blob Storage | Unstructured object data (images, backups, logs). |
| Azure Files | Managed file shares (SMB/NFS). |
| Queue Storage | Message queue for decoupling app components. |
| Table Storage | NoSQL key-value store. |
Access Tiers (cost vs access frequency)
- Hot: Frequent access. Highest storage cost, lowest access cost.
- Cool: Infrequent (30+ days). Lower storage, higher access cost.
- Cold: Rarely accessed (90+ days). Even cheaper storage.
- Archive: Offline, rarely accessed (180+ days). Cheapest storage, retrieval delay (rehydration).
Redundancy
| LRS | 3 copies in one datacenter (cheapest, least durable). |
| ZRS | 3 copies across availability zones in one region. |
| GRS | Copies in a second region (secondary not readable until failover). |
| RA-GRS | GRS plus read access to the secondary region. |
6. Identity & Security
| Term | What it does |
|---|---|
| Microsoft Entra ID | Cloud identity and access management (formerly Azure Active Directory). |
| Authentication (AuthN) | Proving who you are. |
| Authorization (AuthZ) | What you are allowed to do. |
| MFA | Multi-factor authentication: two or more verification methods. |
| Conditional Access | Grant/block access based on signals (location, device, risk). |
| SSO | Sign in once, access many apps. |
| Zero Trust | Never trust, always verify; assume breach; least privilege. |
| Defender for Cloud | Cloud security posture management and workload protection. |
| Microsoft Sentinel | Cloud-native SIEM/SOAR for threat detection and response. |
| Key Vault | Securely store secrets, keys, and certificates. |
7. Management & Governance
Most-tested distinction: Azure Policy = enforce rules about resources (what is allowed). RBAC = control who can do what (access). Resource locks = prevent accidental delete/change (CanNotDelete or ReadOnly).
Cost Management Tools
- Pricing Calculator: Estimate the cost of Azure services before deploying.
- TCO Calculator: Compare on-premises costs vs Azure (total cost of ownership).
- Cost Management + Billing: Track, analyze, and budget actual spend.
- Tags: Metadata on resources for organizing and cost reporting.
Monitoring & Tools
| Azure Monitor | Collect and analyze metrics and logs across resources. |
| Log Analytics | Query log data with KQL. |
| Application Insights | Application performance monitoring (APM). |
| Azure Advisor | Personalized recommendations (cost, security, reliability, performance). |
| Service Health | Status of Azure services affecting you. |
Deployment & Management Tools
- Azure Portal: Web GUI.
- Azure CLI / PowerShell: Command-line management.
- ARM templates / Bicep: Infrastructure as Code (declarative).
- Cloud Shell: Browser-based CLI/PowerShell.
- Azure Arc: Manage on-prem and multi-cloud resources from Azure.
8. Acronym Quick List
IaaS — Infrastructure as a Service
PaaS — Platform as a Service
SaaS — Software as a Service
SLA — Service Level Agreement
VNet — Virtual Network
NSG — Network Security Group
RBAC — Role-Based Access Control
MFA — Multi-Factor Authentication
SSO — Single Sign-On
AKS — Azure Kubernetes Service
ACI — Azure Container Instances
CDN — Content Delivery Network
LRS/ZRS/GRS — Storage redundancy options
TCO — Total Cost of Ownership
SIEM — Security Information & Event Management
KQL — Kusto Query Language
Reviewed the cheat sheet? Now prove you're ready.
Take the free 5-minute AZ-900 readiness quiz — no signup required — or jump into 40 free practice questions calibrated harder than the real exam.
Common Questions
Is a cheat sheet enough to pass AZ-900?
A cheat sheet is a fast review and memory aid, not a substitute for understanding. Use it to consolidate concepts after working through Microsoft Learn and practice questions. AZ-900 questions are scenario-based, so you need to know when to use each service, not just recognize its name.
What is the difference between Azure Policy and RBAC?
Azure Policy enforces rules about what resources can be created and how they must be configured (governance). RBAC controls who can access resources and what actions they can perform (access). Policy = what is allowed; RBAC = who is allowed.
What is the passing score for AZ-900?
700 out of 1000 on a scaled scoring system (roughly 70%). The exam has 40–60 questions and a 45-minute time limit.
What is the difference between a VPN Gateway and ExpressRoute?
A VPN Gateway creates an encrypted tunnel over the public internet. ExpressRoute is a private, dedicated connection that does not traverse the public internet — higher reliability, bandwidth, and security.
About MSCertQuiz
MSCertQuiz provides 500 practice questions per certification, calibrated harder than the real exam so test day feels easier. Questions are built by certified professionals and updated for 2026 exam objectives. Start with 40 free questions — no credit card required.