Here's the thing about AZ-900. It's labeled "fundamentals" but the exam writers expect you to know why a service model exists โ not just memorize that VMs are IaaS. The questions probe scenarios. You'll see a small company picking between Azure SQL Database and a SQL Server VM, and you'll need to know which model lines up with their staffing.
The official name is Microsoft Azure Fundamentals. One exam. One certification. No prerequisites. The az-900 certification validates that you understand cloud concepts, the core Azure architecture, and how Microsoft handles governance, identity, and pricing. That's it. No coding. No infrastructure design. No PowerShell trivia.
Short answer on difficulty: passable in two weeks if you study daily. Most candidates clear it on a first attempt when they treat the az 900 study guide as a checklist instead of a textbook. The trap? Reading without practice. You can read the entire Microsoft Learn path and still fail because the questions are written to test application, not recall.
This guide walks through every subject area on the AZ-900 outline โ what gets tested, how Microsoft phrases the questions, and which free resources actually map to the exam objectives. Skip what you already know. The shared responsibility section and the IaaS/PaaS/SaaS breakdown are the two highest-value chunks for first-time candidates. The latter is where most candidates lose easy points.
One more thing. The exam was updated. The current version emphasizes governance and security more than the original 2020 release. If you're studying from a course recorded before 2024, you'll miss content on Microsoft Defender for Cloud, Microsoft Entra ID (the new name for Azure AD), and the latest cost management tools. Always cross-check your study material against the live Microsoft Learn collection โ names and features shift.
If you remember one thing for the AZ-900: customer always owns identity, accounts, and data โ no matter which service model. Microsoft owns physical hosts, network, and datacenters in every model. Everything else shifts depending on whether you're running IaaS, PaaS, or SaaS. Expect 3-5 questions on this exact split.
Definitions, benefits, and high-level architecture choices. Public vs. private vs. hybrid. Capex vs. opex. IaaS, PaaS, SaaS distinctions. The most conceptual domain โ easiest to study, but easy to get tripped up on scenario wording.
The biggest domain. Regions, availability zones, resource groups, subscriptions, management groups. Plus the actual service catalog โ compute, storage, networking, databases. You need to know what each service does at a one-sentence level, not how to configure it.
Cost tools, SLAs, policies, role-based access control, and Microsoft Defender for Cloud. This domain grew in the latest exam update. If you're using older study materials, this is the section to recheck against the current Microsoft Learn modules.
The microsoft azure shared responsibility model security fundamentals concept is the single most tested idea on the AZ-900. Microsoft puts at least 3-5 questions on this exact framework โ usually disguised inside other scenarios. You'll see a question about a SQL injection attack and have to know who's responsible. Or a question about a misconfigured storage container. The answers always trace back to the model.
Here's the split. You โ the customer โ always own three things: your identities, your account credentials, and your data. Always. Microsoft cannot see your data, cannot reset your passwords, cannot recover deleted accounts in most cases. That's by design.
Microsoft always owns the physical layer. Datacenter security, host hardware, the network fabric between racks โ none of that is your problem. You can't audit it. You don't patch it. Microsoft does.
The middle layers โ operating system, applications, network controls, identity infrastructure โ shift based on service model. With IaaS (a VM), you patch the OS, configure the firewall, install antivirus. With PaaS (Azure SQL Database), Microsoft patches the OS and the database engine. With SaaS (Microsoft 365), Microsoft handles everything except your data and how you give people access to it.
The exam writers love scenarios like: "A company stores customer records in Azure Blob Storage. An employee misconfigures the container to public access. Who is responsible for the breach?" The answer is always the customer. Microsoft built the storage service. The customer chose the settings on the data they own.
Past the exam, the shared responsibility model shapes every real-world Azure conversation. Compliance auditors ask about it. Cloud architects build around it. Security teams write policies that reference it directly. Knowing the model isn't just exam trivia โ it's the vocabulary you'll use whenever you talk about cloud security, governance, or breach response.
The framework also explains why some breaches make headlines and others don't. A misconfigured Azure storage container leaking data isn't a Microsoft failure โ it's a customer configuration error. A datacenter intrusion would be a Microsoft failure. The model draws the line.
Customer owns: Operating system patches, antivirus, firewall rules inside the VM, applications running on it, all data, all identities accessing the VM, and any compliance configuration on the operating system layer.
Microsoft owns: Hypervisor, physical host, network fabric, datacenter security, hardware lifecycle, regional power and cooling, and the redundant connectivity into each datacenter.
Exam clue: If the question mentions a Linux VM, Windows Server VM, or any "unmanaged compute," the customer carries the most responsibility. Expect a question framed as: "Who patches the Windows updates on an Azure VM?" โ answer: the customer. The Azure Update Manager helps automate it but does not shift responsibility.
Customer owns: Data, schema design, user accounts in the database, application code that uses the database, and the network rules that determine who can connect to the database server endpoint.
Microsoft owns: OS patches, database engine updates, host hardware, network, physical security. Plus high-availability behind the scenes and automatic backup retention policies.
Exam clue: PaaS questions usually involve App Service, Azure SQL Database, or Azure Functions. The phrase "managed service" is the giveaway โ Microsoft handles patching and platform; you handle data, application code, and the bits you wrote. Look for scenario words like "managed" or "serverless" to identify PaaS.
Customer owns: User identities, the data inside (emails, files, calendars), access permissions, sharing settings, multi-factor authentication policies, and conditional access rules that govern when users can sign in.
Microsoft owns: Application code, OS, database, networking, hardware โ the entire stack except for the data and the people you let in. Microsoft also runs the global content delivery infrastructure that backs the SaaS application.
Exam clue: Questions about Microsoft 365, Dynamics 365, or Power Platform fall here. If the scenario describes a finished application that users just log into, it's SaaS โ customer responsibility shrinks to identity, data, and access policies. The customer never patches anything. The customer still decides who gets in.
Memorizing service-model definitions from a textbook doesn't work. The exam tests recognition โ can you read a scenario and identify the model? The trick is to focus on what the customer manages, not what Microsoft sells the service as.
Start with this question: "What is the customer responsible for installing or patching?" If the answer includes an operating system, it's IaaS. If the answer stops at the application and data, it's PaaS. If the answer is just "who logs in," it's SaaS. That one filter handles maybe 80% of the az-900 practice test scenarios you'll encounter.
The az 900 iaas paas saas questions often slip in a tricky example. Azure Kubernetes Service is technically PaaS โ Microsoft manages the control plane โ but you still configure node pools and patch nodes in some configurations. Azure Functions is pure PaaS (serverless), even though it feels like SaaS. Power BI is SaaS, even though developers can extend it. Microsoft uses these edge cases to separate candidates who memorized from candidates who understand.
Worth knowing: there's a fourth model creeping into newer exam versions โ serverless. It's technically a PaaS subcategory but Microsoft sometimes presents it as its own thing. Azure Functions, Logic Apps, and Event Grid all fit here. You pay only for execution time. You never see the underlying VM. Treat it as "PaaS with no idle cost" and you'll answer correctly on most questions.
The other concept that overlaps with service models: shared vs. dedicated tenancy. Most SaaS is multi-tenant (your data sits alongside other customers, logically separated). Some Azure services let you pay extra for dedicated hosts. The exam may ask which model applies to a customer with strict compliance needs โ the answer is usually IaaS on dedicated hosts, or a hybrid setup.
The exam touches lightly on hybrid cloud and Azure Arc. Hybrid means you run some workloads on-premises and some in Azure, with networking that connects them. Azure Arc extends Azure management to servers running anywhere โ on-premises, on AWS, on Google Cloud. It's not the same as running Azure on-premises. It's a management plane that reaches out and pulls inventory and policy enforcement to your existing infrastructure.
You'll see one or two questions on Azure Arc. Know that it's a governance and visibility tool, not a virtualization product. Azure Stack is the actual on-premises Azure-in-a-box option โ different product, smaller scope on the exam.
Microsoft maintains a free study path for the AZ-900 at learn.microsoft.com. It's broken into three learning paths matching the exam domains. Each path has 4-7 modules, and each module takes roughly 30-60 minutes. Total time investment: about 15-20 hours if you read carefully and do the knowledge checks. The official Microsoft Learn collection is the closest thing to a guaranteed-relevant study source โ Microsoft writes the exam and the modules, so the language matches.
The first learning path covers cloud concepts. It's short. Knock it out in a single sitting. The second path โ Azure architecture and services โ is where most candidates spend their time. There are modules for each Azure service category: compute, networking, storage, databases. Don't skip the knowledge check questions. They're worded like exam questions, and getting them right is the closest free indicator of readiness you'll find.
The third learning path covers management and governance. This is the section that grew in recent exam revisions. Pay attention to the modules on Microsoft Entra ID, role-based access control, Azure Policy, and Microsoft Defender for Cloud. If you came from older study material, treat this learning path as new content โ there's a real chance you'll see exam questions on topics that didn't exist when older courses were filmed.
Beyond the structured paths, Microsoft Learn also publishes standalone modules and a sample question bank. The sample questions are limited โ maybe 50 across all domains โ but they're worth running through twice. They reveal the wording patterns the exam uses. Pair them with the az-900 exam prep guides on this site for broader coverage.
One efficiency tip. Microsoft Learn lets you bookmark modules and track completion. Use it. Aim to complete 2-3 modules per study session and review the previous session's notes before starting new content. That spaced-repetition pattern produces better retention than binge-watching course videos.
Microsoft Docs (now folded into learn.microsoft.com) carries the deeper service documentation. You don't need to read it cover-to-cover for AZ-900. Use it as a reference. When a Microsoft Learn module mentions a service you can't picture, search the docs for that service name and read the first paragraph of the overview page. That's usually enough context to answer related exam questions.
One smart workflow: keep a single document open while you study. Jot down service names with one-line definitions as you encounter them. By exam day, you'll have a personalized service catalog summary โ useful for last-minute review and a sanity check against your weakest areas.
You don't need deep hands-on for AZ-900 โ it's not a configuration exam. But you do need to have seen the Azure portal. Logged into it. Clicked through to a resource group, glanced at the cost analysis blade, opened a virtual machine page. Without that visual familiarity, scenario questions feel abstract and you'll burn time trying to picture what the question is describing.
The free way in: create an Azure free account at azure.microsoft.com/free. You get $200 in credits for 30 days and a permanent free tier on a dozen services. Set up a resource group. Deploy a B1s VM (cheapest tier). Look around. Delete it. Total cost: zero if you stay inside the free tier.
If you'd rather skip the credit card requirement, Microsoft Learn has guided sandbox labs built into many modules. These spin up a temporary Azure environment Microsoft pays for. You can practice deploying resources, configuring RBAC, and checking pricing without touching your own account.
For the GitHub side: search "AZ-900 study notes" on github.com. The community maintains several well-organized repositories with summary notes, flashcards, mind maps, and exam-style questions. The repository quality varies. Look for repos updated within the last 12 months โ anything older is using outdated service names (Azure AD vs. Microsoft Entra ID, for example). The MicrosoftLearning organization on GitHub also hosts the official lab guides for adjacent certifications, which can fill gaps in your understanding.
One warning. Avoid "dump" sites. Material that claims to have actual exam questions is a violation of Microsoft's certification agreement โ using it can void your certification. The community-maintained study notes on GitHub are different; they paraphrase concepts and create original questions. Stick to that side of the line.
Cloud concepts learning path on Microsoft Learn. Read every module. Do every knowledge check. Skip nothing โ this is the easiest domain and you want a full understanding before moving on.
Azure architecture and services learning path. Deploy a free-tier VM. Browse the portal. Make notes on regions, availability zones, resource groups. This domain has the most points.
Management and governance learning path. Focus on Microsoft Entra ID, RBAC, Azure Policy, Defender for Cloud. This section grew in the latest exam update.
Run through Microsoft Learn sample questions. Take two practice tests. Re-read any module where you scored under 75 percent. Make a one-page cheat sheet by hand.
Two practice tests per day. Time yourself โ 45 minutes for full-length. Focus on weak domains. Stop adding new material; consolidate what you know.
Light review of your cheat sheet only. No new content. Eat well. Sleep eight hours. Take the exam fresh, not exhausted.
Forty-five minutes. Forty to sixty questions. The math says you have roughly 45-60 seconds per question if you're getting the longer form. That's enough to read carefully and answer โ but not enough to read each option three times and second-guess yourself.
The first ten questions are scenario-based. Read the scenario. Read the question. Then read the answer choices. Reading the choices first will bias your interpretation of the scenario. Microsoft writes the distractors to sound plausible at a glance โ the only way to spot the wrong ones is to know what the right answer should look like before you see the options.
Watch for negative phrasing. "Which is NOT a benefit of cloud computing?" or "Which service does NOT belong in the storage category?" Microsoft uses these sparingly but they catch out tired candidates. Underline the NOT mentally before scanning options. microsoft azure fundamentals az-900 questions also love the word "BEST" โ three answers might technically work, but one fits the scenario better.
The scoring is scaled. 700 out of 1000 passes. That's not 70% โ some questions are weighted more heavily than others, and a few are unscored beta questions thrown in to test the question pool. You won't know which are which. Answer everything. Don't leave anything blank. There's no penalty for guessing.
If you're testing online from home, the proctor checks your room before starting. Clear desk. No phone visible. No second monitor. You'll be asked to show all four walls via webcam. The process adds maybe 15 minutes to your total exam time, but it doesn't eat into the 45 minutes of actual test time.
One last tip from candidates who passed. The exam has a flag-for-review feature. Use it. Flag any question where you're not 100% confident. Answer it anyway with your best guess. Move on. If you finish with time left, return to the flagged questions. Don't sit on a hard question for three minutes โ you'll burn time you need at the end.
Three patterns trip up first-time candidates more than anything else. The first: confusing scaling concepts. Vertical scaling means a bigger box. Horizontal scaling means more boxes. Elasticity means automatic scale-out based on demand. Scalability means the system can grow. They sound similar. Microsoft tests the difference directly.
The second pattern: mixing up Azure service categories. Azure SQL Database is a database. Azure SQL Managed Instance is also a database, but more SQL Server-compatible. Cosmos DB is NoSQL. Synapse Analytics is for data warehousing. Each lives in the catalog for a different reason. Memorize what each one is for, not how they work.
The third pattern: assuming "managed" means "customer has zero responsibility." Managed services still require you to configure access, secure your data, and pay attention to backups. Microsoft manages the platform, not your decisions about who gets in. Several exam questions hinge on this distinction โ get it wrong and you'll lose easy points.