AZ-900 is the most widely held Azure certification—and the most underestimated.

Most candidates treat AZ-900 as a fast checkbox before AZ-104 or AZ-204. The candidates who do that tend to arrive at the Administrator exam without a mental model for how Azure’s resource hierarchy works, why availability zones matter for resilience design, or when a resource lock prevents an accidental deletion versus when Azure Policy enforces a compliance rule. AZ-900 is not a deep technical exam, but it tests whether you understand the shape of the Azure platform before you start configuring it.

The cert targets three audiences: professionals from outside IT who are moving into cloud roles and need a vendor-neutral foundation; IT professionals from on-premises environments (Windows Server admins, network engineers, help desk) who need to understand how their skills map to the cloud model; and decision-makers, project managers, and business analysts who work alongside Azure engineering teams and need enough vocabulary to participate in technical conversations. All three audiences share the same exam. The question style is scenario-based and conceptual—AZ-900 does not require you to write code, configure a portal setting, or memorise CLI commands. It requires you to reason about which Azure service, pricing model, or governance tool fits a described business requirement.

What AZ-900 tests: the three domains

Domain 1 — Cloud Concepts (25–30%)

The foundational domain that most candidates underinvest in. The exam question style here is often “which benefit of cloud describes this scenario?” or “which cloud model fits this business requirement?”—and a shallow reading of the definitions leads to wrong answers on subtly different scenarios.

  • Cloud computing benefits: The eight benefits Microsoft tests are high availability (services remain accessible even when components fail), scalability (capacity can be increased to handle growing demand), elasticity (capacity automatically adjusts up and down with demand in real time), reliability (the system recovers from failures), predictability (cost and performance can be forecast in advance), security (cloud providers offer tools and controls to protect resources), governance (policies and standards can be enforced across environments), and manageability (resources can be monitored, managed, and automated from a single control plane). The exam distinguishes between scalability (can you add capacity?) and elasticity (does it happen automatically?), and between reliability (can it recover?) and availability (is it accessible?). These pairs are frequently confused on first-attempt candidates.
  • Cloud service models: IaaS, PaaS, SaaS: Infrastructure as a Service (IaaS) provides raw compute, storage, and networking that the customer manages from the operating system up—Azure Virtual Machines is the canonical IaaS example. The customer is responsible for OS patching, runtime configuration, and application deployment. Platform as a Service (PaaS) provides a managed runtime environment where the customer deploys applications without managing the underlying infrastructure—Azure App Service and Azure SQL Database are examples. Software as a Service (SaaS) provides fully managed applications accessed over the internet—Microsoft 365 is the primary SaaS example on the exam. The exam tests which service model applies to a described workload and, critically, which party (Microsoft or the customer) is responsible for each layer under the shared responsibility model.
  • Cloud deployment models: Public cloud resources run on infrastructure owned by the cloud provider and shared across customers, accessed over the internet. Private cloud resources run on infrastructure dedicated to a single organisation, either on-premises or hosted exclusively for that organisation. Hybrid cloud connects on-premises infrastructure with public cloud, enabling workloads to move between environments—useful for organisations with data residency requirements or existing on-premises investments they cannot immediately migrate. Multi-cloud uses services from more than one public cloud provider simultaneously. The exam tests which deployment model satisfies a described business constraint: a regulatory requirement to keep data on-premises maps to private or hybrid; a startup with no existing infrastructure maps to public; an organisation using both AWS and Azure for different workloads maps to multi-cloud.
  • Consumption model and pricing: The cloud consumption model replaces capital expenditure (CapEx)—large upfront investments in physical hardware—with operational expenditure (OpEx)—ongoing costs that scale with usage and require no minimum commitments on standard pricing. The exam tests the business implications of this shift: CapEx requires predicting capacity years in advance; OpEx allows you to start small and scale as demand is confirmed. Azure Reserved Instances (1-year or 3-year commitments at up to 72% discount) exist as the middle ground between pure pay-as-you-go OpEx and upfront CapEx for stable, predictable workloads.
  • Shared responsibility model: The shared responsibility model defines which security and compliance obligations belong to Microsoft and which belong to the customer, varying by service type. For IaaS: Microsoft manages the physical datacenter, network hardware, and hypervisor; the customer manages the OS, runtime, application, data, identity, and network configuration. For PaaS: Microsoft additionally manages the OS and runtime; the customer manages application code, data, and identity. For SaaS: Microsoft manages everything except data ownership, identity configuration, and device access policies. This is one of the most reliably tested topics on AZ-900 and one of the most misunderstood by first-time candidates who assume Microsoft manages more than it does for IaaS workloads.

Domain 2 — Azure Architecture and Services (35–40%)

The heaviest domain and the one with the most memorisation required. The exam tests Azure’s global infrastructure, core resource hierarchy, and the service catalog across compute, networking, storage, and databases. Candidates who have used Azure hands-on will find this domain fastest; candidates approaching it purely from study materials need to build a mental map of how services relate to each other and when to use each one.

  • Global infrastructure: regions, availability zones, and region pairs: Azure organises its global infrastructure into regions—geographic areas containing one or more datacentres connected by a low-latency network (60+ regions globally in 2026). Within a region, availability zones are physically separate datacentre locations with independent power, cooling, and networking; most regions have at least three. Deploying resources across availability zones protects against datacentre-level failures while keeping latency low. Region pairs connect two Azure regions within the same geography for disaster recovery—Azure prioritises the paired region for rolling updates, preventing both regions from being updated simultaneously. Sovereign regions (Azure Government for US federal agencies, Azure China operated by 21Vianet) are isolated from the global Azure cloud for regulatory compliance. The exam tests when to use availability zones (single datacentre failure protection) versus region pairs (region-wide outage protection).
  • Azure resource hierarchy: Azure organises resources in a four-level hierarchy. Management groups sit at the top and can contain multiple subscriptions—used to apply governance policies and access permissions across groups of subscriptions in large organisations. Subscriptions are the billing and access control boundary, each associated with a Microsoft Entra ID tenant. Resource groups are logical containers for Azure resources within a subscription; all resources in a resource group share a lifecycle, a region tag, and a set of access control policies. Resources are the individual Azure services. Understanding this hierarchy is critical because governance tools (Azure Policy, RBAC, resource locks) apply at different levels, and exam questions frequently test which level is the correct place to apply a given control.
  • Core compute services: Azure Virtual Machines (VMs) provide IaaS compute with full OS control (Windows or Linux). VM Scale Sets automatically adjust the number of VM instances based on demand. Azure App Service is a fully managed PaaS platform for web applications and APIs without managing the underlying OS. Azure Functions is a serverless compute service for event-driven code execution with no servers to provision. Azure Kubernetes Service (AKS) is a managed Kubernetes service removing the operational complexity of running control plane components. Azure Container Instances (ACI) provides single-container execution without cluster management for short-lived workloads. Azure Virtual Desktop (AVD) delivers cloud-hosted Windows desktops to any device. The exam tests which compute service fits a described workload: auto-scaling web app without OS management maps to App Service; event-triggered function maps to Azure Functions; full OS control maps to VMs.
  • Core networking services: Azure Virtual Networks (VNets) are isolated private network environments where VMs and other resources communicate securely. VPN Gateway enables encrypted site-to-site connectivity between on-premises networks and Azure VNets over the public internet. ExpressRoute provides a dedicated private connection bypassing the public internet entirely—higher bandwidth, lower latency, more predictable performance, higher cost. Azure Load Balancer distributes TCP/UDP traffic across backend VMs at Layer 4. Azure Application Gateway provides Layer 7 HTTP/HTTPS load balancing with SSL termination and Web Application Firewall (WAF) capabilities. Azure DDoS Protection Basic (free, included with every subscription) provides automatic scrubbing for common volumetric attacks; DDoS Protection Standard adds ML-based adaptive tuning. The most common exam trap: confusing VPN Gateway (internet-based encrypted tunnel) with ExpressRoute (private dedicated line).
  • Core storage services: Azure Blob Storage is the object storage service for unstructured data. The four access tiers control cost versus access speed: Hot (frequent access, highest storage cost), Cool (infrequent access, at least 30 days), Cold (rare access, at least 90 days), and Archive (long-term retention, hours-long retrieval, lowest storage cost). Azure Files provides fully managed cloud file shares accessible via SMB and NFS protocols—a drop-in replacement for on-premises file servers. Azure Queue Storage provides asynchronous message queuing between distributed application components. Azure Managed Disks provide block storage for Azure VMs. The exam tests which storage tier or service matches a described access pattern and cost requirement.
  • Core database services: Azure SQL Database is a fully managed relational database compatible with Microsoft SQL Server, with automatic backups, patching, and high availability. Azure Cosmos DB is a globally distributed, multi-model NoSQL database supporting document, key-value, graph, and column-family APIs—designed for single-digit millisecond latency globally with horizontal scaling. Azure Database for MySQL and Azure Database for PostgreSQL provide fully managed open-source relational databases. The exam tests which database service satisfies a described workload: a globally distributed low-latency application maps to Cosmos DB; a migration of an existing SQL Server application maps to SQL Managed Instance; a new cloud-native relational application maps to SQL Database.

Domain 3 — Azure Management and Governance (30–35%)

The governance domain is consistently underweighted by first-time candidates who focus their study on the service catalog. Governance questions appear on every AZ-900 exam and test concrete distinctions: Azure Policy versus RBAC, resource locks versus soft delete, Azure Monitor versus Azure Advisor versus Azure Service Health. These are not subtle differences but they require knowing what each tool does at a precise level.

  • Cost management tools: Azure Pricing Calculator estimates the monthly cost of a specific Azure architecture before deployment—used for planning and budgeting. Azure Total Cost of Ownership (TCO) Calculator estimates the cost savings of migrating on-premises workloads to Azure by comparing total operational costs for each environment. Azure Cost Management + Billing provides post-deployment cost tracking, budget alerts, and cost analysis dashboards. The exam tests which tool is appropriate: estimating cost before deployment maps to Pricing Calculator; comparing on-premises vs. cloud costs maps to TCO Calculator; tracking and alerting on live spending maps to Cost Management. Key cost optimisation options: Azure Reservations (1- or 3-year commitments at up to 72% discount), Azure Hybrid Benefit (using existing Windows Server and SQL Server licences to reduce Azure compute costs), and Azure Spot VMs (unused Azure capacity at up to 90% discount, with the risk of eviction when Azure needs the capacity back).
  • Governance tools: Azure Policy defines rules that Azure resources must comply with and evaluates compliance automatically—for example, requiring all storage accounts to use HTTPS-only access, or preventing VM deployment in unapproved regions. Policies can audit (log non-compliant resources) or deny (block creation of non-compliant resources). Resource locks prevent accidental modification or deletion of critical resources regardless of RBAC permissions: a ReadOnly lock prevents any changes; a Delete lock prevents deletion but allows modifications. Role-Based Access Control (RBAC) controls who can perform what actions on which resources—granting permissions to users, groups, or service principals at any level of the resource hierarchy. The most important exam distinction: RBAC controls who can act; Azure Policy controls what configuration is allowed. If a user has Contributor RBAC but a Policy blocks their action, the Policy wins. Microsoft Purview provides data governance and compliance management across Azure, on-premises, and multi-cloud environments.
  • Monitoring tools: Azure Monitor collects and analyses metrics (numerical time-series data like CPU utilisation) and logs (structured event records) from Azure resources and applications, powering dashboards, alerts, and automated responses. Azure Service Health provides personalised alerts when Azure service outages, planned maintenance, or health advisories affect the resources in your subscription. Azure Advisor analyses deployed resources and provides actionable recommendations across five categories: reliability, security, performance, operational excellence, and cost. The exam tests which tool answers a specific operational question: tracking CPU utilisation over time maps to Azure Monitor; receiving alerts about planned Azure maintenance maps to Service Health; identifying idle VMs to reduce costs maps to Azure Advisor.
  • Security tools: Microsoft Defender for Cloud provides unified security management and threat protection across Azure, on-premises, and multi-cloud environments—it calculates a Secure Score and provides prioritised remediation recommendations. Azure Key Vault securely stores cryptographic keys, secrets (connection strings, API keys, passwords), and certificates, removing the need to store sensitive values in application code. Microsoft Entra ID (formerly Azure Active Directory) is Azure’s cloud-based identity and access management service providing authentication and authorisation for Azure resources, Microsoft 365, and custom applications. Key Entra features tested on AZ-900: Multi-Factor Authentication (MFA), Conditional Access policies (granting or blocking access based on user, device, location, and risk signal), and Single Sign-On (SSO). The exam tests which security tool addresses a described scenario: protecting against volumetric network attacks maps to DDoS Protection; storing a database connection string securely maps to Key Vault; requiring MFA for all admin sign-ins maps to Entra ID Conditional Access.
  • Compliance and trust documentation: Microsoft Service Trust Portal (STP) is the central repository of compliance documentation, audit reports, and certifications—SOC reports, ISO 27001 certificates, GDPR documentation, and FedRAMP authorisations for Azure are all available here. The Regulatory Compliance dashboard in Defender for Cloud shows the compliance status of Azure resources against standards like ISO 27001, PCI DSS, and NIST SP 800-53. The Online Services Terms (OST) and Data Protection Addendum (DPA) define Microsoft’s contractual data handling obligations. The exam tests where to find specific compliance documentation: an auditor requesting Azure’s SOC 2 Type II report uses the Service Trust Portal; a question about Microsoft’s contractual obligations for processing customer data maps to the DPA.
The most commonly failed AZ-900 question type is the shared responsibility model applied to a specific PaaS service. Many candidates memorise the general rule but cannot apply it to a named Azure service: who patches the OS in Azure App Service? (Microsoft.) Who is responsible for application vulnerabilities in an App Service web app? (The customer.) Who manages SSL certificate renewal for an App Service custom domain with Azure-managed certificates? (Microsoft.) Practice applying the shared responsibility model to specific named services, not just the abstract IaaS/PaaS/SaaS layers.

Exam format and what to expect

AZ-900 consists of approximately 40–60 questions delivered in 85 minutes via Pearson VUE at a testing centre or via online proctoring. The passing score is 700 out of 1000. Question types include multiple-choice (one correct answer), multiple-select (choose two or more), drag-and-drop matching, and scenario-based questions presenting a business context followed by 2–3 questions. The exam does not include live lab tasks. The 85-minute window is generous; the primary challenge is the precision required to distinguish between similar-sounding services or governance tools.

Microsoft updates the AZ-900 exam objectives periodically. Recent additions include Azure Arc (managing non-Azure resources from the Azure control plane), Microsoft Entra ID (the renamed Azure Active Directory), Azure Confidential Computing concepts, and expanded coverage of governance tooling. Candidates using study materials older than 12 months should verify coverage against the current skills outline on the official Microsoft certification exam page before sitting.

Certification stack and career paths

Where AZ-900 fits in the Microsoft Azure certification map

  • Microsoft AZ-104 Azure Administrator Associate — The natural next step for IT operations and infrastructure professionals. AZ-104 tests deep Azure administration: virtual network configuration, Entra ID identity and access management, VM management, Azure Storage, and monitoring at implementation depth. AZ-104 holders earn $110k–$135k in 2026 and are required before sitting AZ-305.
  • Microsoft AZ-204 Azure Developer Associate — The developer path from AZ-900. AZ-204 tests building and deploying cloud applications on Azure: Azure Functions, Cosmos DB, Azure Service Bus, API Management, and infrastructure-as-code with Bicep. Developers with AZ-204 earn $115k–$140k.
  • Microsoft AZ-305 Azure Solutions Architect Expert — The expert-level design credential, requiring AZ-104 as a prerequisite. AZ-305 tests enterprise-level architecture decisions across identity governance, data storage strategy, and business continuity design. AZ-305 holders earn $145k–$175k in 2026.
  • Microsoft DP-900 Azure Data Fundamentals — A peer entry credential to AZ-900 for the data path, covering relational and non-relational data concepts and Azure data services at a conceptual level. DP-900 leads to DP-100 (data scientist), DP-203 (data engineer), or DP-300 (database administrator).
  • Microsoft AI-900 Azure AI Fundamentals — The AI entry credential covering Azure AI services and responsible AI concepts at the foundational level. AI-900 leads to AI-102 (Azure AI Engineer Associate) for professionals building production AI solutions.
  • Microsoft SC-900 Security, Compliance, and Identity Fundamentals — Security and compliance entry credential covering Microsoft’s security, compliance, and identity portfolio conceptually. SC-900 leads to SC-200 (Security Operations), SC-300 (Identity Administrator), or SC-400 (Information Protection).

AZ-900 salary data and job market (2026)

AZ-900 alone does not command premium salaries because it is an entry-level conceptual credential. Its value is as a signal and a pathway: it opens the door to AZ-104, AZ-204, or AZ-305 progression that does command premium compensation. Entry cloud support and help desk roles where AZ-900 appears in job descriptions pay $55k–$85k in 2026. Cloud pre-sales engineers, business analysts working on Azure migration projects, and project managers overseeing Azure deployments frequently require AZ-900 at $70k–$100k depending on total experience. The cert’s primary monetary return comes from progression: candidates who earn AZ-900, then AZ-104 within 6–12 months, and then a specialty within 18–24 months of starting, reach the $140k–$175k range in Associate-to-Expert tier roles.

Microsoft Azure continues to hold the second-largest cloud market share globally in 2026 at roughly 22%, growing faster than AWS. Enterprise Microsoft 365 and hybrid on-premises Windows Server adoption give Azure a structural advantage in large enterprise accounts where the Microsoft licensing relationship already exists. For IT professionals supporting Microsoft-heavy environments—Windows Server, Exchange, Active Directory, Teams, SharePoint—Azure is the natural cloud path, and AZ-900 is the entry credential into that ecosystem.

How to prepare for AZ-900

AZ-900 is achievable with 2–4 weeks of focused preparation using free resources. Microsoft’s own Microsoft Learn path covers every exam objective with interactive modules, knowledge checks, and sandbox exercises that let you deploy actual Azure resources at no cost. The exam favours conceptual understanding over technical implementation—you will not be asked to write ARM templates or configure a VNet, but you will be asked to identify which service satisfies a described business scenario, which governance tool prevents a specific misconfiguration, or which pricing model applies to a described cost optimisation scenario.

Study time estimate for AZ-900

Candidates with existing Azure experience typically need 1–2 weeks to fill conceptual gaps and practice governance vocabulary. Candidates from a non-Azure IT background (Windows Server admin, network engineer) typically need 2–4 weeks to cover the service catalog and governance tooling. Candidates from a non-technical background (project manager, business analyst) typically need 4–6 weeks, spending more time on compute and networking concepts before governance. The Microsoft Learn free path is sufficient preparation for all three audiences if completed thoroughly.

Practice Azure and IT certification questions with CertQuests — scenario-based quizzing built for Azure, AWS, CompTIA, and more.

Browse Practice Packs →