Mastering Microsoft Azure Fundamentals (AZ-900): Complete Exam-Ready Course

cloud computing

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

public cloud

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

private cloud

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

hybrid cloud

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

State the canonical definition of cloud computing.

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

What is meant by on-demand self-service in cloud computing?

On-demand self-service means you can provision and manage computing resources yourself, typically through a portal or API, without needing manual intervention from the cloud provider.

Define elasticity in the context of cloud computing.

Elasticity is the ability of a cloud system to automatically expand and contract resources to match workload demand as closely as possible, often using autoscaling rules.

How is scalability different from elasticity?

Scalability is the ability to handle more or less work by adding or removing resources (scale up or out). Elasticity is a special case where this scaling happens automatically in response to demand.

What are economies of scale in cloud computing?

Economies of scale refer to cost advantages cloud providers achieve by operating at large scale, allowing them to deliver computing resources at a lower per-unit cost than most individual organizations.

In simple terms, how does consumption-based pricing work?

With consumption-based pricing, you pay based on how much of each resource you actually use, such as compute time, storage capacity, and network traffic, instead of paying a large upfront hardware cost.

Public cloud (definition)

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

Private cloud (definition)

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

Hybrid cloud (definition)

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Shared responsibility model (definition)

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

IaaS (definition)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

PaaS (definition)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Infrastructure as a Service (IaaS) – canonical definition

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS) – canonical definition

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Software as a Service (SaaS) – canonical definition

Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.

Canonical list of cloud service models (in order)

1. Infrastructure as a Service (IaaS) 2. Platform as a Service (PaaS) 3. Software as a Service (SaaS)

Azure examples of IaaS

Typical IaaS in Azure: Azure Virtual Machines, Azure Virtual Network, Azure Load Balancer, Azure Disk Storage, Azure Blob Storage used as raw storage.

Azure examples of PaaS

Typical PaaS in Azure: Azure App Service, Azure Functions, Azure SQL Database, and often Azure Container Apps or AKS in managed scenarios.

Azure datacenters

Physical facilities that house Azure’s servers, storage, networking, power, cooling, and physical security. They are grouped into Azure regions; you do not select individual datacenters directly.

Azure regions

Sets of Azure datacenters in a specific geographic area, connected by low-latency networking and exposed as a single deployment location (for example, East US, West Europe). Most resources are created in a specific region.

region pairs

Pairs of Azure regions in the same geography that are linked to support disaster recovery. They are physically separated, receive staggered updates, and are prioritized so at least one region in the pair recovers first in a major outage.

Availability Zones

Physically separate locations within a single Azure region, each with independent power, cooling, and networking. They provide high availability against datacenter-level failures inside a region.

Azure resources

Manageable items you create and use in Azure, such as virtual machines, storage accounts, databases, and web apps. Each resource has a type, a location (usually a region), a resource group, and a subscription.

resource groups

Logical containers that hold related Azure resources for management and organization. Every resource belongs to exactly one resource group, and each resource group belongs to one subscription.

Azure Virtual Machine (VM)

An IaaS compute resource in Azure that provides a virtualized server (Windows or Linux) where you manage the operating system, runtime, and applications.

Availability set

A logical grouping of VMs that distributes them across fault domains and update domains within a datacenter to reduce the impact of hardware failures and planned maintenance.

Availability Zone

A physically separate location within an Azure region, with independent power, cooling, and networking. Deploying resources across zones increases resilience to datacenter-level failures.

Virtual Machine Scale Set (VMSS)

An Azure compute resource that lets you deploy and manage a set of identical, autoscaling VMs as a single resource, often used for stateless workloads.

Container

A lightweight, portable unit that packages an application and its dependencies, sharing the host OS kernel and enabling consistent execution across environments.

Azure Kubernetes Service (AKS)

A managed Kubernetes service in Azure where Microsoft manages the control plane while you manage worker nodes and containerized applications, enabling orchestration, scaling, and rolling updates.

Azure Virtual Network (VNet)

A logically isolated private network in Azure where you place resources like virtual machines and some PaaS services, using a private IP address space you control.

Subnet

A smaller IP range within a VNet used to organize and isolate resources, often aligning with application tiers or security boundaries.

Network Security Group (NSG)

A set of inbound and outbound security rules that act like a basic firewall for subnets or network interfaces, controlling traffic based on IP, port, and protocol.

VNet peering

An Azure feature that connects two VNets so resources can communicate using private IP addresses over the Microsoft backbone network.

VPN Gateway

An Azure service that provides secure, encrypted connectivity over the public internet between an on-premises VPN device and an Azure VNet.

ExpressRoute

An Azure service that provides a private, dedicated connection between your on-premises network and Azure through a connectivity provider, bypassing the public internet.

Azure Storage account

A top-level Azure resource that provides a namespace and configuration (region, redundancy, performance, access) for data services such as blobs, files, queues, and tables.

Azure Blob Storage

Azure’s object storage for unstructured data like images, videos, backups, and logs, organized as blobs inside containers within a storage account.

Access tiers (hot, cool, archive)

Cost and performance levels for block blobs: hot for frequently accessed data, cool for infrequently accessed but still online data, and archive for rarely accessed, long-term storage with higher retrieval latency.

Azure Files

A service that provides fully managed file shares in the cloud, accessible over SMB (and in some cases NFS), behaving like a traditional network file share.

Azure Queue Storage

A simple message queue service used to decouple application components and enable asynchronous background processing.

Azure Table Storage

A NoSQL key/attribute data store for semi-structured data, storing entities in tables within a storage account.

Microsoft Entra ID (canonical definition)

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Identity vs Authentication

Identity is the digital representation of a user, app, or device (for example, a user account in Entra ID). Authentication is the process of verifying that identity, such as entering a password and completing MFA.

Authentication vs Authorization

Authentication answers “Who are you?” and verifies your identity. Authorization answers “What are you allowed to do?” and determines your permissions on resources.

Single Sign-On (SSO)

A capability that lets users sign in once with Microsoft Entra ID and then access multiple applications without re-entering their credentials, by reusing security tokens.

Multifactor Authentication (MFA)

A security feature requiring at least two types of verification (something you know, have, or are) to reduce the risk of account compromise, even if a password is stolen.

RBAC (role-based access control) in Azure

role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Microsoft Entra ID (canonical definition)

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Role-based access control (RBAC) (canonical definition)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Authentication vs Authorization

Authentication verifies identity (who you are), typically handled by Microsoft Entra ID. Authorization decides what you are allowed to do with resources, typically enforced by Azure RBAC via role assignments.

RBAC Scope Levels (AZ-900 focus)

Subscription (top-level container for resources and billing), Resource group (logical container for related resources), Resource (individual service instance like a VM or storage account). Role assignments can be made at any of these scopes.

Permission Inheritance in RBAC

Role assignments at a higher scope (for example, subscription) are inherited by all child scopes (resource groups and resources) beneath it.

Built-in Role: Owner

Owner has full access to all resources at the assigned scope, including the ability to delegate access by managing role assignments.

Consumption-based (pay-as-you-go) pricing

A pricing model where you pay only for the resources you actually use, such as VM hours, GB stored, or data transfer, with no long-term commitment.

Reserved capacity / reserved instances

An option where you commit to using specific Azure resources (such as a VM family in a region) for 1 or 3 years in exchange for a significant discount over pay-as-you-go.

Azure savings plan for compute

A flexible discount model where you commit to a certain hourly spend on compute for 1 or 3 years, and Azure automatically applies discounts to eligible compute services.

Azure pricing calculator

A web-based tool used to estimate the cost of Azure services and configurations before deployment by selecting services, regions, tiers, and usage assumptions.

Azure TCO calculator

A tool that compares the total cost of ownership of running workloads on-premises versus in Azure over a multi-year period.

Azure Cost Management and Billing

The built-in Azure service used to analyze, monitor, and optimize actual cloud spend, including cost analysis, budgets, and alerts.

Azure Policy (canonical definition)

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

role-based access control (RBAC) (canonical definition)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Management group

A top-level Azure container above subscriptions used to group subscriptions for unified governance. Policies and RBAC applied here inherit to all child subscriptions.

Subscription

An Azure boundary for billing and access control that contains resource groups and resources. Often mapped to environments or business units.

Resource group

A logical container within a subscription that holds related resources that share a lifecycle, such as an app and its database and storage.

Policy definition vs policy assignment

A policy definition describes the rule and effect. A policy assignment applies that definition to a specific scope, optionally with parameters.

shared responsibility model

The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.

Microsoft Defender for Cloud (high-level purpose)

Azure's cloud-native service that continuously assesses the security posture of your resources, provides a secure score, gives prioritized recommendations, and enables threat protection for supported workloads.

Azure Policy (definition)

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

role-based access control (RBAC)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Microsoft Entra ID (definition)

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

Zero Trust (fundamentals-level idea)

A security philosophy of 'never trust, always verify' that emphasizes explicit verification, least-privilege access, and assuming breach, implemented in Azure using Entra ID, MFA, Conditional Access, RBAC, and continuous monitoring.

Canonical Azure management tools (4 items, in order)

1) Azure portal 2) Azure PowerShell 3) Azure Command-Line Interface (CLI) 4) Azure Resource Manager templates

Azure portal – primary characteristics

Web-based graphical interface; great for learning, exploration, dashboards, monitoring, and one-off or small configuration changes.

Azure PowerShell – when to use

Best for automation and scripting in environments where PowerShell is already used, especially by Windows administrators.

Azure Command-Line Interface (CLI) – when to use

Best for cross-platform automation (Windows, macOS, Linux), especially in bash or shell scripts using `az` commands.

Azure Resource Manager templates – core idea

JSON-based definitions of Azure resources that implement infrastructure as code for repeatable, consistent deployments.

Infrastructure as code (IaC) – exam-level idea

Managing and provisioning infrastructure through machine-readable definition files (like ARM templates) instead of manual configuration.

Azure Monitor

A centralized Azure platform service that collects, analyzes, and acts on telemetry (metrics and logs) from Azure and hybrid resources, supporting visualization, alerting, and integration with other tools.

Metric (Azure Monitor)

A numeric, time-series value (such as CPU percentage or requests per second) optimized for fast querying and charting, commonly used for real-time performance monitoring and threshold-based alerts.

Log (Azure Monitor)

A detailed record of events or data points, often text or structured data, stored in a Log Analytics workspace and queried using Kusto Query Language (KQL) for troubleshooting, auditing, and analysis.

Log Analytics workspace

A special Azure resource used by Azure Monitor to store log data from many sources, enabling centralized querying and analysis with Kusto Query Language (KQL).

Application Insights

An application performance monitoring (APM) feature of Azure Monitor that collects application-level telemetry such as requests, dependencies, exceptions, and user behavior for end-to-end app monitoring.

Azure Service Health

An Azure experience that informs you about Azure service issues, planned maintenance, and health advisories that specifically impact your subscriptions and regions.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Platform as a Service (PaaS)

Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.

Software as a Service (SaaS)

Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.

Microsoft Entra ID

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

role-based access control (RBAC)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

Azure portal

A web-based unified console that provides a graphical user interface for managing Azure resources through Azure Resource Manager, alongside tools like Azure PowerShell, Azure CLI, and ARM templates.

Azure management tools (complete list)

Azure portal, Azure PowerShell, Azure Command-Line Interface (CLI), Azure Resource Manager templates.

Azure core architectural components (complete list)

Azure regions, region pairs, Availability Zones, Azure datacenters, Azure resources, resource groups, subscriptions.

Where to configure RBAC in the portal

On the Access control (IAM) blade of a subscription, resource group, or individual resource, where you assign roles at the chosen scope.

Where to view recent changes to a resource

The Activity log blade for that resource, resource group, or subscription, which shows operations, who performed them, and their status.

Where to see and configure performance monitoring

Under the Monitoring section of a resource blade, including Metrics and Alerts, which are backed by Azure Monitor.

Cloud computing (definition)

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

Public cloud (definition)

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

Private cloud (definition)

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

Hybrid cloud (definition)

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

Cloud service models (canonical list)

Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS).

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.

Azure core architectural components (canonical list)

The canonical list is: **Azure regions**, **region pairs**, **Availability Zones**, **Azure datacenters**, **Azure resources**, **resource groups**, **subscriptions**.

Microsoft Entra ID

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.

role-based access control (RBAC)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

When to use Availability Zones vs region pairs

Use **Availability Zones** to protect against datacenter failure **within a region**. Use **region pairs** and cross-region replication to protect against **entire region** failures and for disaster recovery.

Best compute choice: lift-and-shift legacy app

**Azure Virtual Machines** (IaaS) – full OS control, good for migrating existing on-premises apps with minimal changes.

Azure management tools (canonical list)

Azure portal, Azure PowerShell, Azure Command-Line Interface (CLI), Azure Resource Manager templates.

role-based access control (RBAC)

Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.

Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

Resource lock types

Two main types: CanNotDelete (cannot delete but can read/modify) and ReadOnly (can only read; no changes or deletes).

Azure pricing calculator vs Azure Cost Management and Billing

Pricing calculator: estimates future costs before deployment. Azure Cost Management and Billing: analyzes and controls actual spending after deployment, supports budgets and cost analysis.

Azure Monitor

Azure Monitor is the platform service that collects and analyzes telemetry (metrics and logs) from Azure resources and applications, enabling dashboards, alerts, and insights.

Define cloud computing.

Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.

List the 3 cloud deployment models (in order).

public cloud, private cloud, hybrid cloud

Define public cloud.

A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.

Define private cloud.

A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.

Define hybrid cloud.

A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.

List the 3 cloud service models (in order).

Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)