
Chapter 20 of 20

Final Review and Exam Tactics: Practice Scenarios and Common Pitfalls

Pull everything together with domain-spanning scenarios, spot classic AZ-900 trick questions, and build a concrete plan for the final days before your exam.


Pulling It All Together: How AZ-900 Questions Are Built

What This Final Module Does

You will now practice thinking the way the AZ-900 exam thinks: connecting concepts across domains, spotting traps, and choosing the best answer under time pressure.

How AZ-900 Questions Are Built

Most questions are short scenarios that mix regions, service models, security/identity, and governance. Your task is to link the scenario’s key phrase to the correct Azure concept.

Core Exam Skills

You must extract key requirement phrases, map them to concepts like PaaS vs IaaS or shared responsibility, and eliminate answers that contradict the requirement.

Staying Current

The exam reflects current Azure terms as of 2026. Expect to see names like Microsoft Entra ID rather than older labels like Azure Active Directory.

Scenario 1: Deployment Model + Service Model + Responsibility

Scenario 1 Setup

A small startup wants to host a web app, has no IT staff, wants Microsoft to manage OS and runtime, needs quick scale-out, and is fine with public cloud.

Key Definitions

Recall: public cloud, IaaS, PaaS, and SaaS definitions. Focus on who manages infrastructure, OS, runtime, and the application itself.

Reasoning the Answer

Deployment: public cloud fits shared internet-based infrastructure. Service model: PaaS fits “no OS management but deploy our own app code”.

Spotting Distractors

Reject answers where the customer must manage the OS (IaaS) or cannot deploy custom code (SaaS), or where hybrid/private is added without any on-prem requirement.

Quick Check: Scenario 1

Test your understanding of the first scenario.

In Scenario 1, which combination best matches the startup’s needs?

  A) Public cloud + Platform as a Service (PaaS)
  B) Public cloud + Infrastructure as a Service (IaaS)
  C) Hybrid cloud + Software as a Service (SaaS)
  D) Private cloud + Platform as a Service (PaaS)

Answer: A) Public cloud + Platform as a Service (PaaS)

They want Microsoft to manage the OS and runtime but still deploy their own app. That matches PaaS. They are fine with shared infrastructure over the internet, which is public cloud. The other options either require OS management, remove custom code, or add unnecessary complexity.

Scenario 2: Regions, Resiliency, and Service Health

Scenario 2 Setup

You run a critical payment API. It must survive a single datacenter failure and you need to distinguish app problems from Azure platform incidents, with alerts.

Regions and Zones

Use availability zones within a region to survive a single datacenter failure. Region pairs are for broader resiliency but often beyond the minimal requirement.

Service Health vs Status

Azure Service Health gives a personalized, subscription-scoped view and can send alerts. The public status page is global and not resource-specific.

Common Pitfalls

Do not pick multi-region when the requirement is only single-datacenter failure. Do not pick Azure Monitor or Application Insights when the focus is platform outages.

Scenario 3: Identity, RBAC, and Governance Tools

Scenario 3 Setup

Many teams deploy resources in one subscription. You need central sign-in, restricted network changes, and enforced naming and region rules with audit.

Identity: Microsoft Entra ID

Use Microsoft Entra ID for cloud-based identity and access management, giving employees sign-in to Azure and SaaS apps.

Access Control: RBAC

Assign an RBAC role such as Network Contributor to the networking team at the appropriate scope, so that only they can modify virtual networks.

Governance: Azure Policy

Use Azure Policy to enforce naming conventions, required tags, and allowed locations, and to audit or deny non-compliant resources.

Spot the Trap: Shared Responsibility and Service Models

Prompt 1: Who Patches the OS?

Question: In which scenario is the customer responsible for OS security updates? Mentally choose among App Service, Azure SQL Database, IaaS VM, and Microsoft 365.

Reasoning Prompt 1

On IaaS VMs you manage the OS; on PaaS and SaaS, Microsoft does. So the correct choice is the IaaS virtual machine scenario.

Prompt 2: Minimize Management

Which service model minimizes customer management but still lets you configure your application? Eliminate IaaS; compare PaaS vs SaaS.

Reasoning Prompt 2

SaaS has minimal management but you don’t deploy your own app. PaaS is the sweet spot: less management while still deploying your code.

Common Pitfalls Quiz: Governance and Health

Check that you can distinguish similar-sounding services.

Which pair best matches the described responsibilities?

  A) Azure Policy: who can access resources; RBAC: enforce allowed locations
  B) RBAC: who can perform actions on resources; Azure Policy: enforce allowed configurations and locations
  C) Azure Service Health: application performance monitoring; Azure Monitor: platform incident alerts
  D) Resource locks: enforce naming conventions; Azure Policy: prevent resource deletion

Answer: B) RBAC: who can perform actions on resources; Azure Policy: enforce allowed configurations and locations

RBAC controls *who* can perform actions on resources. Azure Policy enforces *what* configurations are allowed (e.g., allowed locations, required tags). Azure Service Health is for platform incidents, not app performance. Resource locks prevent deletion/modification, not naming rules.

Time Management and Guessing Strategy for AZ-900

First Pass Strategy

On your first pass, answer anything you’re 80% sure about, flag the rest, and avoid spending more than about a minute per question initially.

Use Elimination

When stuck, eliminate options that contradict the scenario. If you can remove two answers, your odds improve significantly even when guessing.

Key Words Matter

Pay attention to phrases like “minimize management”, “single datacenter failure”, or “predictable monthly cost”; they often determine the correct choice.

Review and Guessing

Use remaining time to revisit flagged questions, then ensure no question is left blank. There is no extra penalty for wrong answers.

Last-Week Revision Checklist: What to Lock In

Cloud and Deployment Models

Lock in the exact definition of cloud computing and recognize when public, private, or hybrid cloud is appropriate in a scenario.

Service Models and Responsibility

Be fluent with IaaS, PaaS, SaaS definitions and the shared responsibility model, especially who patches OS and manages data.

Resiliency and Health

Understand regions, availability zones, and how Azure Service Health helps you distinguish your app issues from platform incidents.

Identity, Governance, and Cost

Review Microsoft Entra ID, RBAC, Azure Policy, Defender for Cloud, plus basic ideas of cost, SLAs, and support options.

Key Terms Speed Review

Use these flashcards to reinforce must-know AZ-900 definitions. Try to answer from memory before flipping each card.

cloud computing
Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.
public cloud
A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
private cloud
A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.
hybrid cloud
A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.
Platform as a Service (PaaS)
Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
Software as a Service (SaaS)
Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
shared responsibility model
The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
role-based access control (RBAC)
Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
Azure Policy
Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

Build Your Personal Final-Week Plan

Rate Your Domains

Quickly rate yourself 1–5 on: core concepts, service models, resiliency, identity/governance, and cost/SLAs to see where you’re weakest.

Pick Focus Areas

Circle your two lowest scores and write one specific confusion for each, like mixing RBAC vs Azure Policy or zones vs regions.

Align With Skarp Tools

Decide which Skarp lessons to revisit, when to take your next mock or diagnostic, and commit to clearing your spaced review queue.

Simulate Exam Conditions

Do a 20–30 minute timed question block using the first-pass and flagging strategy to rehearse how you’ll think on exam day.

Key Terms

region
An Azure region is a set of datacenters deployed within a specific geographic area, connected through a dedicated low-latency network.
availability zone
An availability zone is a physically separate location within an Azure region, with independent power, cooling, and networking, designed to protect applications from datacenter failures.
Azure Service Health
Azure Service Health is a service that provides personalized alerts and guidance when Azure service issues affect your resources.
Microsoft Defender for Cloud
Microsoft Defender for Cloud is a cloud-native application protection platform that provides security posture management and threat protection across Azure and other environments.
