AZ-900 Cheat Sheet 2026: Azure Fundamentals Exam Reference
The essential AZ-900 reference — cloud service models, Azure core services, security, governance, and pricing concepts you need to know before exam day.
ExpertMinds Editorial · 7 January 2026 · 7 min read
The AZ-900 tests breadth, not depth. You need to know what each Azure service does and when to use it — not how to configure it. Questions are scenario-based with straightforward constraints. The exam rewards candidates who understand the purpose of each service and the shared responsibility model clearly.
Key fact: 40–60 questions · 45 minutes · Pass score approximately 700/1000. Available in multiple languages; online proctored and test-centre options.
Cloud Service Models
| Model | You manage | Azure manages | Example |
|---|---|---|---|
| IaaS | OS, middleware, runtime, app, data | Servers, storage, networking | Azure Virtual Machines |
| PaaS | App, data | Everything below the app | Azure App Service, Azure SQL Database |
| SaaS | Nothing (just use it) | Everything | Microsoft 365, Dynamics 365 |
Tip: Shared Responsibility Model: security of the cloud (hardware, physical datacentres) is always Azure's responsibility. Security in the cloud (your data, identities, endpoints) is always yours. The middle layers shift based on IaaS/PaaS/SaaS.
Core Compute Services
| Service | What it is | Exam trigger phrase |
|---|---|---|
| Azure Virtual Machines | IaaS VMs — full OS control | "lift and shift", "full control", "custom OS" |
| Azure App Service | PaaS for web apps and APIs | "host web app without managing servers" |
| Azure Container Instances (ACI) | Run containers without managing a cluster | "simple container", "quick startup", "no orchestration needed" |
| Azure Kubernetes Service (AKS) | Managed Kubernetes | "container orchestration", "microservices at scale" |
| Azure Functions | Event-driven serverless code execution | "serverless", "event-triggered", "pay per execution" |
| Azure Virtual Desktop | Cloud-hosted desktop environments | "remote desktop", "virtualise Windows for users" |
Core Storage Services
| Service / Type | What it stores | Exam trigger phrase |
|---|---|---|
| Blob Storage | Unstructured data — files, images, videos, backups | "unstructured", "object storage", "files at scale" |
| Azure Files | Managed file shares (SMB/NFS) | "file share", "mount on VMs", "replace on-premises file server" |
| Azure Queues | Message queue for decoupled apps | "async messaging", "decouple", "queue" |
| Azure Table Storage | NoSQL key-value store | "structured NoSQL", "simple lookup" |
| Azure Managed Disks | Block storage for VMs | "VM disk", "persistent disk attached to VM" |
Key fact: Storage redundancy options: LRS (3 copies, 1 datacentre) → ZRS (3 copies, 3 zones) → GRS (6 copies, 2 regions) → GZRS (zone-redundant + geo-redundant). Higher redundancy = higher cost = higher durability.
Core Networking Services
| Service | What it does | Exam trigger phrase |
|---|---|---|
| Azure Virtual Network (VNet) | Private network in Azure — isolate and segment resources | "private network", "isolate", "connect VMs" |
| Azure VPN Gateway | Encrypted tunnel from on-premises to Azure over internet | "on-premises to Azure", "encrypted", "over internet" |
| Azure ExpressRoute | Private dedicated connection from on-premises (not internet) | "dedicated", "private circuit", "not over public internet" |
| Azure Load Balancer | Distribute traffic across VMs (Layer 4) | "distribute traffic", "high availability", "TCP/UDP" |
| Azure Application Gateway | Layer 7 load balancer with WAF option | "HTTP/HTTPS routing", "WAF", "SSL offload" |
| Azure CDN | Cache content at edge nodes globally | "static content", "reduce latency globally", "cache" |
| Azure DNS | Host DNS domains in Azure | "DNS", "domain name resolution" |
Identity, Security & Governance
| Service | What it does | Key exam concept |
|---|---|---|
| Microsoft Entra ID (Azure AD) | Cloud identity — users, groups, authentication | SSO, MFA, Conditional Access; not the same as on-premises AD |
| Azure RBAC | Control who can do what to which Azure resources | Owner > Contributor > Reader; least privilege principle |
| Azure Policy | Enforce rules across resources (e.g. allowed regions) | Compliance and governance; can deny or audit deployments |
| Microsoft Defender for Cloud | Security posture management + threat protection | Secure Score; recommendations; across hybrid environments |
| Azure Key Vault | Store secrets, keys, and certificates securely | "store secrets", "rotate keys", "certificates" |
| Azure DDoS Protection | Protect against distributed denial-of-service attacks | Basic (free, always on) vs Standard (advanced mitigation) |
Cost Management & SLAs
| Concept | Key facts |
|---|---|
| Azure Pricing Calculator | Estimate costs before deploying |
| TCO Calculator | Compare on-premises costs to Azure — used to justify migration |
| Azure Cost Management + Billing | Monitor and optimise actual spend; set budgets and alerts |
| Reserved Instances | 1 or 3 year commitment — up to 72% savings vs pay-as-you-go |
| Spot VMs | Use unused Azure capacity at up to 90% discount; can be evicted |
| SLA 99.9% | ~8.7 hours downtime/year — single VM with Premium SSD |
| SLA 99.95% | ~4.4 hours/year — Availability Set (2+ VMs, 2+ fault domains) |
| SLA 99.99% | ~52 minutes/year — Availability Zones (VMs across 3 zones) |
Tip: Free services in Azure: Azure Active Directory Free tier, Azure Advisor, Azure Policy, VNet peering within the same region (no data transfer charge between VNets in the same region).