Mar 8

Microsoft Azure Fundamentals AZ-900 Certification

Mindli Team

AI-Generated Content

Earning the AZ-900 certification validates your foundational understanding of cloud services and how they are delivered through Microsoft Azure. It’s the critical first step for anyone pursuing a career in cloud architecture, administration, or development, serving as both a career differentiator and a structured learning path to demystify the cloud. This exam doesn't test deep technical skills but instead assesses your grasp of core concepts, services, and the principles of governance that underpin every successful cloud deployment.

Core Cloud Concepts

To understand Azure, you must first grasp the fundamental models of cloud computing, which is the delivery of computing services over the internet. These services include servers, storage, databases, and software, all offered on a pay-as-you-go basis. The primary service models are Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). IaaS provides the greatest control, offering virtualized computing resources like VMs over the internet. PaaS is a managed platform for developing and deploying applications without worrying about the underlying infrastructure. SaaS delivers fully functional, cloud-hosted applications to users, such as Microsoft 365.

The deployment models define how cloud resources are owned and managed. A public cloud like Azure is owned and operated by a third-party cloud provider, with resources shared among multiple organizations (tenants). A private cloud is for the exclusive use of a single organization, offering greater control and privacy. A hybrid cloud combines both, allowing data and applications to be shared between them, which provides flexibility and optimization of existing infrastructure.

A key financial benefit driving cloud adoption is the shift from Capital Expenditure (CapEx) to Operational Expenditure (OpEx). With CapEx, you make large upfront investments in physical hardware. In the OpEx cloud model, you pay only for the IT resources you consume, converting a capital expense into a predictable, scalable operating expense. This aligns cost directly with usage and business need.

Azure Architectural Components and Core Services

Azure operates from a global network of regions, which are geographical areas containing one or more datacenters. Choosing a region is a critical decision based on latency, data residency laws, and service availability. To ensure high availability and protect against regional failure, Azure offers Availability Zones, which are physically separate locations within a region, each with independent power, cooling, and networking. For even broader disaster recovery, services can be replicated across different geographies, which are distinct market areas typically containing two or more regions.

The core compute service is the Azure Virtual Machine (VM), an IaaS offering that provides on-demand, scalable computing resources. For PaaS scenarios, Azure App Service is a fully managed platform for building and hosting web apps and APIs. For modern, event-driven, serverless architectures, Azure Functions allows you to run small pieces of code without managing any infrastructure, paying only for the execution time.

Azure Virtual Network (VNet) is the fundamental building block for networking in Azure. It enables Azure resources, like VMs, to securely communicate with each other, the internet, and on-premises networks. VPN Gateway creates a secure, encrypted connection over the public internet between your Azure VNet and an on-premises network. For higher throughput and more stable private connections, Azure ExpressRoute establishes a dedicated, private network link from your premises to Azure.

For storage, Azure provides several core services. Azure Blob Storage is optimized for storing massive amounts of unstructured data, such as text or binary data (e.g., images, documents, video streams). Azure Disk Storage provides high-performance, durable block storage for Azure VMs, functioning like a physical disk. Azure Files offers fully managed file shares in the cloud, accessible via the standard Server Message Block (SMB) protocol.

Identity, Governance, and Cost Management

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It is not simply a cloud version of Windows Server AD; it’s a comprehensive service that manages identities for cloud applications. It enables Single Sign-On (SSO), Multi-Factor Authentication (MFA) for enhanced security, and conditional access policies. The Shared Responsibility Model is crucial here: Microsoft is responsible for the security of the cloud (the infrastructure), while you are responsible for security in the cloud (your data, identities, and access management).

Governance in Azure is enforced through three key tools. Azure Policy helps you enforce organizational standards and assess compliance at scale by creating, assigning, and managing policy definitions that control resource properties. Resource Tags are metadata elements you attach to resources (like "Department: Finance" or "Environment: Production") to logically organize them for management, cost tracking, and automation. Azure Blueprints allow you to define a repeatable set of governance tools and Azure resources that can be deployed together to speed up environment creation while ensuring compliance.
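To show how Azure Policy and Resource Tags work together, here is an added example (not part of the original guide) of a custom policy definition that flags or blocks resources created without a given tag. The display name, description, and the default tag name "Environment" are assumptions chosen for illustration.

```json
{
  "properties": {
    "displayName": "Example: require a tag on resources",
    "description": "Illustrative custom definition. Resources that lack the tag named in tagName are audited or denied, depending on the effect parameter.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag every resource must carry, for example Environment or Department."
        },
        "defaultValue": "Environment"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant resources; Deny rejects the create or update request."
        },
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning the definition with the Audit effect first shows which existing resources are untagged; switching to Deny then stops new untagged resources from being created in the assigned scope.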

Managing costs is a foundational cloud skill. The Azure Pricing Calculator lets you estimate the cost of provisioning resources before you deploy them. Once resources are running, Azure Cost Management + Billing provides tools to monitor, allocate, and optimize your cloud spending. Key practices include setting spending limits and budgets, analyzing cost reports, and using the Azure Advisor service, which provides personalized recommendations to optimize your Azure resources for high availability, security, performance, and—importantly—cost.

Common Pitfalls

Confusing Service Models (IaaS vs. PaaS vs. SaaS): A classic exam trap is presenting a scenario where a development team needs to focus solely on application code and asks which service to use. The correct answer is often PaaS (like Azure App Service), not IaaS (VMs). Remember: IaaS = "You manage the OS, runtime, and apps." PaaS = "You manage only the apps and data." SaaS = "You just use the software."

Misunderstanding the Shared Responsibility Model: Many candidates incorrectly assume Azure is responsible for securing customer data or managing user identities by default. Remember: the customer is always responsible for their data, access management, and endpoint devices. The division of responsibility shifts depending on the service model, but your data and identities always remain your responsibility.

Overlooking Resource Organization and Governance: It’s easy to focus on the technical "how to create" and forget the operational "how to manage." Not using resource tags, failing to implement basic Azure Policy for compliance, or ignoring cost management tools are common operational failures. On the exam, expect questions where the correct answer involves implementing a governance tool (like a policy or tag) rather than a technical service.

Selecting the Wrong Redundancy Option: Choosing between Locally Redundant Storage (LRS), Zone-Redundant Storage (ZRS), or Geo-Redundant Storage (GRS) depends on the scenario's cost versus durability requirements. A common mistake is selecting the most expensive option (GRS) for a temporary, non-critical dev/test workload, or choosing LRS for business-critical backup data that must survive a regional outage. Match the redundancy to the data's importance and recovery requirements.

Summary

  • Cloud Fundamentals: Understand the key differences between CapEx/OpEx, and the definitions and use cases for public, private, and hybrid cloud deployment models, as well as IaaS, PaaS, and SaaS service models.
  • Azure Architecture: Know that resources are deployed within regions and geographies, with Availability Zones providing high availability. Core services span compute (Virtual Machines, App Service, Functions), networking (Virtual Network, VPN Gateway), and storage (Blobs, Disks, Files).
  • Identity and Security: Azure Active Directory (Azure AD) manages identities and access. The Shared Responsibility Model dictates that security is a joint effort, with you always responsible for your data, identities, and access controls.
  • Governance and Compliance: Use Azure Policy to enforce rules, Resource Tags for organization, and Azure Blueprints for standardized deployments to maintain control and compliance at scale.
  • Cost Management: Proactively estimate costs with the Pricing Calculator and monitor/optimize spending with Azure Cost Management + Billing and the recommendations provided by Azure Advisor.