The AZ-900 Azure Fundamentals exam is Microsoft's entry-level cloud certification and the most popular starting point for professionals entering the Azure ecosystem. It validates foundational knowledge of cloud concepts, Azure services, security, privacy, compliance, pricing, and support. Unlike more advanced Azure certifications, AZ-900 does not require hands-on technical experience and is designed for candidates from any background, including business professionals, sales teams, and IT newcomers.
Microsoft reported that the Azure Fundamentals certification was taken by over 1 million candidates between 2020 and 2024, making it the most widely attempted cloud fundamentals exam in the industry. The exam costs $99 USD (with free attempts often available through Microsoft Learn training events), contains 40-60 questions, and requires a passing score of 700 out of 1000.
This guide covers every domain in the AZ-900 exam objectives, explains the core concepts you need to understand, and provides a structured study plan that has helped thousands of candidates pass on their first attempt.
Exam Overview and Structure
| Detail | Information |
|---|---|
| Exam Code | AZ-900 |
| Full Name | Microsoft Azure Fundamentals |
| Number of Questions | 40-60 |
| Time Limit | 45 minutes |
| Passing Score | 700/1000 |
| Cost | $99 USD |
| Prerequisites | None |
| Question Types | Multiple choice, drag-and-drop, yes/no scenario |
| Languages | English, Japanese, Chinese, Korean, and others |
The exam is divided into three main domains with the following weight distribution:
- Describe cloud concepts (25-30%)
- Describe Azure architecture and services (35-40%)
- Describe Azure management and governance (30-35%)
"The AZ-900 is not a technical deep-dive exam. It tests whether you understand what cloud computing is, why organizations use it, and how Azure implements core cloud services. Candidates who over-study the technical details and under-study the business and governance aspects are the ones who fail." -- Thomas Maurer, Microsoft Cloud Advocate
Domain 1: Cloud Concepts (25-30%)
What Is Cloud Computing
Cloud computing -- the delivery of computing services including servers, storage, databases, networking, software, and analytics over the internet, enabling flexible resources and economies of scale.
The exam tests your understanding of three fundamental cloud models:
IaaS (Infrastructure as a Service) -- a cloud model where the provider manages the physical hardware, networking, and virtualization, while the customer manages the operating system, applications, and data. Azure Virtual Machines is the primary example.
PaaS (Platform as a Service) -- a cloud model where the provider manages everything up to and including the runtime environment, and the customer manages only the application code and data. Azure App Service and Azure SQL Database are examples.
SaaS (Software as a Service) -- a cloud model where the provider manages the entire stack and the customer simply uses the software. Microsoft 365 and Dynamics 365 are examples.
Shared Responsibility Model
The shared responsibility model defines which security and management tasks are the customer's responsibility and which belong to the cloud provider. This shifts based on the service model:
- In IaaS: The customer is responsible for the OS, applications, data, network configuration, and identity management. Microsoft manages the physical infrastructure.
- In PaaS: Microsoft additionally manages the OS and runtime. The customer manages applications, data, and access control.
- In SaaS: Microsoft manages nearly everything. The customer manages data, devices, and user accounts.
Cloud Benefits
The exam expects you to describe specific benefits of cloud computing:
- High availability: Systems remain operational and accessible with minimal downtime, often expressed as a percentage (99.9% uptime = 8.7 hours of downtime per year)
- Scalability: The ability to increase or decrease resources based on demand. Vertical scaling means increasing the size of a resource (bigger VM). Horizontal scaling means adding more instances.
- Elasticity: The ability to automatically scale resources based on real-time demand, returning to baseline when demand decreases
- Agility: The ability to quickly deploy and configure cloud resources
- Geo-distribution: Deploying resources in data centers around the world to serve users with low latency
Cloud Deployment Models
- Public cloud: Resources owned and operated by a third-party provider (Microsoft Azure, AWS, Google Cloud) and delivered over the public internet
- Private cloud: Cloud resources used exclusively by a single organization, either on-premises or hosted by a third party
- Hybrid cloud: A combination of public and private cloud, allowing data and applications to move between them. Azure Arc is Microsoft's hybrid cloud management tool.
Domain 2: Azure Architecture and Services (35-40%)
This is the largest domain and covers the breadth of Azure services you need to know at a conceptual level.
Core Architectural Components
Azure Region -- a geographic area containing one or more data centers. Azure operates in 60+ regions across 140+ countries. Examples include East US, West Europe, and Southeast Asia.
Availability Zone -- physically separate data centers within an Azure region, each with independent power, cooling, and networking. Deploying across availability zones protects against single data center failures.
Resource Group -- a logical container that holds related Azure resources (VMs, databases, storage accounts) so they can be managed, monitored, and billed together.
Azure Subscription -- a billing and access control boundary. An organization can have multiple subscriptions to separate environments (development, staging, production) or departments.
The hierarchy is: Azure Active Directory (now Microsoft Entra ID) > Management Groups > Subscriptions > Resource Groups > Resources.
Compute Services
- Azure Virtual Machines: IaaS offering for running Windows or Linux VMs. You choose the size, OS, and configuration.
- Azure App Service: PaaS for hosting web applications, REST APIs, and mobile backends without managing infrastructure. Supports .NET, Java, Node.js, Python, and PHP.
- Azure Functions: Serverless compute that runs event-triggered code. You pay only for execution time. Ideal for microservices, scheduled tasks, and event processing.
- Azure Kubernetes Service (AKS): Managed Kubernetes for orchestrating containerized applications at scale.
- Azure Container Instances (ACI): The fastest way to run a container in Azure without managing servers or orchestrators.
Networking Services
- Azure Virtual Network (VNet): The fundamental building block for private networks in Azure. VNets enable Azure resources to communicate with each other, the internet, and on-premises networks.
- Azure Load Balancer: Distributes inbound traffic across multiple VMs for high availability.
- Azure Application Gateway: A web traffic load balancer with WAF (Web Application Firewall) capabilities.
- Azure VPN Gateway: Connects on-premises networks to Azure through encrypted VPN tunnels.
- Azure ExpressRoute: A private, dedicated connection between on-premises infrastructure and Azure that does not traverse the public internet. Used by enterprises requiring higher bandwidth and lower latency.
Storage Services
Azure offers four primary storage services:
| Storage Type | Use Case | Access |
|---|---|---|
| Blob Storage | Unstructured data (images, videos, backups) | REST API, SDKs |
| File Storage | Shared file systems (SMB/NFS protocol) | Mounted as network drive |
| Queue Storage | Message queuing between components | REST API |
| Table Storage | NoSQL key-value data | REST API, SDKs |
Azure Blob Storage tiers: Hot (frequently accessed), Cool (infrequently accessed, minimum 30-day storage), Cold (minimum 90-day storage), and Archive (minimum 180-day storage, offline access). Each tier has lower storage costs but higher access costs as you move from Hot to Archive.
Database Services
- Azure SQL Database: Managed relational database service based on Microsoft SQL Server
- Azure Cosmos DB: Globally distributed, multi-model NoSQL database with single-digit millisecond response times. Supports document, key-value, graph, and column-family models.
- Azure Database for PostgreSQL: Managed PostgreSQL service
- Azure Database for MySQL: Managed MySQL service
Gartner has consistently ranked Microsoft as a leader in its Cloud Infrastructure and Platform Services Magic Quadrant, noting in 2024 that Azure's database portfolio breadth is one of its strongest competitive advantages against AWS and Google Cloud.
Identity and Authentication
Microsoft Entra ID (formerly Azure Active Directory) is the identity platform at the center of Azure's security model. For the AZ-900 exam, understand these key concepts:
- Single Sign-On (SSO): Allows users to sign in once and access multiple applications without re-authenticating. Microsoft Entra ID supports SSO for thousands of SaaS applications including Salesforce, ServiceNow, and Workday.
- Multi-Factor Authentication (MFA): Requires two or more verification methods (something you know, something you have, something you are) to sign in. Microsoft reports that MFA blocks 99.9% of automated account compromise attacks.
- Conditional Access: Policies that evaluate signals like user location, device compliance, and risk level to determine whether to allow, deny, or require additional verification for a sign-in attempt. For example, a policy might require MFA when a user signs in from an unrecognized location but allow seamless access from a compliant corporate device.
- External Identities: Enables collaboration with users outside your organization. Azure AD B2B allows partner organizations to sign in with their own credentials, while Azure AD B2C supports consumer-facing applications with social login providers like Google and Facebook.
Understanding the difference between authentication (proving who you are) and authorization (determining what you can do) is fundamental. Microsoft Entra ID handles authentication, while Azure RBAC handles authorization.
Azure Marketplace and Solution Ecosystem
The Azure Marketplace is an online store for buying and deploying solutions certified to run on Azure. It includes virtual machine images, DevOps tools, security solutions, and complete SaaS applications from both Microsoft and third-party vendors. Over 17,000 listings are available as of 2025. Exam questions may test whether you know that Marketplace solutions are pre-configured for Azure deployment and can be managed alongside native Azure resources.
Domain 3: Azure Management and Governance (30-35%)
Cost Management
Understanding Azure pricing is critical for the exam. Key concepts:
- Pay-as-you-go: You pay for what you consume, billed per second or per hour depending on the resource
- Reserved Instances: Commit to 1 or 3 years of a specific VM size and region for up to 72% savings
- Spot VMs: Use unused Azure capacity at steep discounts (up to 90%) with the risk of eviction when Azure needs the capacity back
- Azure Cost Management + Billing: The built-in tool for monitoring, allocating, and optimizing cloud spending
The Azure Pricing Calculator at azure.microsoft.com/pricing/calculator allows you to estimate costs before deploying. The Azure TCO (Total Cost of Ownership) Calculator compares the cost of running workloads on-premises versus in Azure.
Governance Tools
- Azure Policy: Enforces organizational standards and compliance at scale. For example, a policy can prevent the creation of VMs in unauthorized regions.
- Azure Blueprints: Packages of policies, role assignments, and resource templates that can be applied to new subscriptions for consistent governance.
- Azure Role-Based Access Control (RBAC): Manages who has access to Azure resources, what they can do, and at what scope. Built-in roles include Owner, Contributor, and Reader.
- Resource locks: Prevent accidental deletion or modification of critical resources. Two lock types: Delete (prevents deletion) and ReadOnly (prevents all modifications).
Security and Compliance
- Microsoft Defender for Cloud: Unified security management system that provides threat protection across hybrid cloud workloads
- Azure DDoS Protection: Defends against distributed denial-of-service attacks at the network layer
- Azure Firewall: Managed, cloud-based network security service
- Microsoft Entra ID (formerly Azure Active Directory): Cloud-based identity and access management service. Supports single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies.
Zero trust -- a security model that assumes no user, device, or network is inherently trusted and requires continuous verification of every access request, regardless of location.
Microsoft has been a vocal advocate for the zero trust security model, and the AZ-900 exam tests your understanding of its three principles: verify explicitly, use least privilege access, and assume breach.
Monitoring and Management Tools
- Azure Monitor: Collects, analyzes, and acts on telemetry data from Azure resources
- Azure Service Health: Tracks the health of Azure services in the regions you use
- Azure Advisor: Provides personalized recommendations for improving reliability, security, performance, and cost
- Azure Resource Manager (ARM): The deployment and management layer for creating, updating, and deleting Azure resources. ARM templates (JSON or Bicep) enable infrastructure-as-code deployments.
Study Plan and Resources
Four-Week Study Plan
- Week 1: Complete the free Microsoft Learn path "Azure Fundamentals: Describe cloud concepts." Set up a free Azure account and explore the portal.
- Week 2: Complete the "Describe Azure architecture and services" Learn path. Create a VM, a storage account, and a VNet in the portal.
- Week 3: Complete the "Describe Azure management and governance" Learn path. Explore Azure Cost Management, Policy, and RBAC.
- Week 4: Take practice exams. Review weak areas. Focus on the areas where you scored below 80%.
Recommended Resources
- Microsoft Learn (free): The official learning paths are comprehensive and directly aligned with the exam objectives
- John Savill's AZ-900 Study Cram on YouTube (free): A widely recommended 3-hour video that covers the entire exam
- Whizlabs or MeasureUp practice exams: Paid practice tests with explanations that closely mirror the real exam format
- Azure Fundamentals Exam Ref AZ-900 by Jim Cheshire: The official Microsoft exam reference book
Scott Duffy, a cloud instructor whose Azure courses on Udemy have been completed by over 500,000 students, advises that "the AZ-900 exam is passable with 2-3 weeks of focused study for someone with basic IT knowledge. The key is to use the official Microsoft Learn paths as your primary resource and supplement with practice exams. Do not buy expensive bootcamps for a fundamentals exam."
Exam Day Tips
- Read each question carefully. Many questions include qualifiers like "most" or "best" that eliminate otherwise correct answers.
- The exam uses scenario-based questions. You might be given a business requirement and asked which Azure service best meets it.
- You can flag questions and return to them. Use this for questions you are unsure about.
- There is no penalty for guessing. Answer every question.
- Some question sets are grouped into case studies where you see a scenario description followed by multiple questions about that scenario. You cannot go back to previous case study question sets once you advance.
- The exam may include a brief unscored survey section about your testing experience. This does not count toward your score.
After Passing AZ-900
The AZ-900 serves as the foundation for more advanced Azure certifications. Your next step depends on your career direction:
- Cloud Administration: Pursue the
AZ-104Azure Administrator Associate certification, which covers identity management, storage, compute, and virtual networking administration. - Cloud Architecture: The
AZ-305Azure Solutions Architect Expert certification focuses on designing solutions for identity, governance, data storage, business continuity, and infrastructure. - Development: The
AZ-204Developing Solutions for Microsoft Azure certification covers building web apps, Azure Functions, storage solutions, and authentication integration. - Security: The
SC-900Security, Compliance, and Identity Fundamentals certification extends the security knowledge from AZ-900 into a dedicated security track.
Each of these role-based certifications requires hands-on experience and significant additional study beyond AZ-900, but having the fundamentals certification provides a verified foundation that makes subsequent study more efficient.
See also: AZ-104 Azure Administrator study guide, Cloud certification career roadmap, AWS vs Azure certification comparison
References
- Microsoft. "Exam AZ-900: Microsoft Azure Fundamentals." Microsoft Learn, 2025.
- Microsoft. "Azure Fundamentals Learning Path." Microsoft Learn, 2025.
- Gartner. "Magic Quadrant for Cloud Infrastructure and Platform Services." Gartner Research, 2024.
- Cheshire, Jim. Exam Ref AZ-900: Microsoft Azure Fundamentals. Microsoft Press, 2023.
- Maurer, Thomas. "AZ-900 Study Guide and Tips." ThomasMaurer.ch, 2024.
- Microsoft. "Azure Pricing Calculator and TCO Calculator." Microsoft Azure, 2025.
Frequently Asked Questions
How hard is the AZ-900 Azure Fundamentals exam?
The AZ-900 is considered an entry-level exam and is passable with 2-4 weeks of focused study. It does not require hands-on Azure experience and tests conceptual knowledge of cloud computing, Azure services, pricing, and governance.
What score do I need to pass AZ-900?
You need a score of 700 out of 1000 to pass the AZ-900 exam. The exam contains 40-60 questions and has a 45-minute time limit. There is no penalty for guessing, so answer every question.
Is AZ-900 worth getting in 2025?
Yes, AZ-900 is worth getting as a foundation for Azure career paths. It is often a prerequisite for employer-sponsored training programs, demonstrates cloud literacy to hiring managers, and serves as a stepping stone to role-based certifications like AZ-104 and AZ-305.