What is Azure Fundamentals AZ-900?

Skills measured
• Describe cloud concepts (25–30%)
• Describe Azure architecture and services (35–40%)
• Describe Azure management and governance (30–35%)

Exam AZ-900: Microsoft Azure Fundamentals – Certifications | Microsoft Learn

Tired of reading these notes? Check this out: Notes From Azure Fundamentals: Necessary knowledge to take the AZ900 Microsoft Azure Fundamentals Exam. | by Jerry Okafor | Medium

1 Microsoft Azure Fundamentals: Describe cloud concepts

Describe cloud computing

Cloud computing is the delivery of computing services over the internet. Computing services include common IT infrastructure such as virtual machines, storage, databases, and networking.

Describe the shared responsibility model

Physical security, power, cooling, and network connectivity are the responsibility of the cloud provider.
The consumer is responsible for the data and information stored in the cloud.

With an on-premises datacenter, you’re responsible for everything. With cloud computing, those responsibilities shift.

Infrastructure as a service (IaaS)

Platform as a service (PaaS)

Software as a service (SaaS)

IaaS places the most responsibility on the consumer, with the cloud provider being responsible for the basics of physical security, power, and connectivity.

On the other end of the spectrum, SaaS places most of the responsibility with the cloud provider.

PaaS sits between IaaS and SaaS and distributes responsibility more evenly between the cloud provider and the consumer.

You are responsible for:

Information and data
Devices that are allowed to connect
Accounts and identities

The cloud provider is responsible for:
Physical datacenter, physical network, physical hosts.

Define cloud models

Private cloud
Owned and used by a single organization; not available to the public.

Public cloud
Owned by a cloud service provider; available to the general public.

Hybrid cloud
A combination of public and private clouds.

Multi-cloud
Multiple public cloud providers.

Azure Arc
A set of technologies that helps you manage your cloud environment across all the models above.

Describe the consumption-based model

CapEx is typically a one-time, up-front expenditure (buy now).

OpEx is spending money on services or products over time (rent).

Cloud computing falls under OpEx because cloud computing operates on a consumption-based model.

Pay-as-you-go pricing model.

Describe the benefits of using cloud services

Describe the benefits of high availability and scalability in the cloud

High availability, backed by SLAs.

Vertical scaling (scaling up): add more processing power, for example more CPUs or RAM, to a virtual machine.

Horizontal scaling (scaling out): add more resources, such as extra virtual machines, either automatically or manually.

Describe the benefits of reliability and predictability in the cloud

Reliability: the ability to recover from failures and continue to function.

Predictability can be focused on performance (what do you need?) or on cost (what will it cost? forecasting).

Describe the benefits of security and governance in the cloud

Deployed resources meet corporate standards and government regulatory requirements.
Update all your deployed resources to new standards as standards change.
Flag any resource that’s out of compliance with your corporate standards and provide mitigation strategies.

Describe the benefits of manageability in the cloud

Two types:

Management of the cloud

Automatically scale
Deploy resources based on a preconfigured template
Monitor the health
Receive automatic alerts

Management in the cloud

Through the Azure portal
Through the API or PowerShell

Describe cloud service types

Describe Infrastructure as a Service

The most flexible option, with the maximum amount of control.
The cloud provider is responsible for maintaining the hardware, network connectivity (to the internet), and physical security.
You are responsible for: operating system installation, configuration, and maintenance; network configuration; database and storage configuration.
Under the shared responsibility model, IaaS places the largest share of responsibility on you.
Used for:
Lift-and-shift migration
Testing and development.

Describe Platform as a Service

Middle ground between renting infrastructure and paying for a complete solution.
Cloud provider: physical infrastructure, physical security, connection to the internet, operating system, middleware, development tools and business intelligence services, licensing and patching.
Under the shared responsibility model the split is roughly 50/50: identity and directory infrastructure, applications, and network controls may be shared.
Used for:
Development framework
Analytics or business intelligence tools.

Describe Software as a Service

Renting or using a fully developed application.
Under the shared responsibility model you are, as always, responsible for:
Data, devices and users.
Used for:
Email and messaging.
Business productivity applications.
Finance and expense tracking.

2 Azure Fundamentals: Describe Azure architecture and services

Describe the core architectural components of Azure

Get started with Azure accounts

Azure subscription
What is the Microsoft Learn sandbox?
Use the PowerShell CLI
Use the BASH CLI; enter the corresponding command to switch to the BASH CLI.
Use Azure CLI interactive mode: az interactive

Describe Azure physical infrastructure

Broken down into two main groupings: the physical infrastructure, and the management infrastructure.

Physical infrastructure starts with datacenters.
Datacenters are grouped into Azure Regions or Azure Availability Zones.

A region is a geographical area on the planet that contains at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network.

Availability zones are physically separate datacenters within an Azure region (example: a VM deployed in zone 1).
Each availability zone is made up of one or more datacenters.

(Not all Azure regions currently support availability zones.)

Region pairs: if a region in a pair is affected by a natural disaster, services automatically fail over to the other region in its region pair.

Example pair: West US and East US.

Sovereign regions are instances of Azure that are isolated from the main instance of Azure. Used for compliance and legal.

Describe Azure management infrastructure

A resource is the basic building block of Azure.
Subscriptions are a unit of management, billing, and scale.
A subscription provides you with authenticated and authorized access to Azure products and services.

A subscription links to an Azure account; an account is an identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts.
An account can have multiple subscriptions.

Define boundaries around Azure products, services, and resources with two types:

Billing boundary: determines how an Azure account is billed for its use of Azure.

Access control boundary: separate subscriptions to reflect different organizational structures.

Create additional Azure subscriptions
You might choose to create additional subscriptions to separate:
Organizational structures

Azure management groups

Organize subscriptions into containers called management groups and apply governance conditions to the management groups.

All subscriptions within a management group automatically inherit the conditions applied to the management group, the same way that resource groups inherit settings from subscriptions and resources inherit from resource groups.

Management groups give you enterprise-grade management at a large scale.

Management group, subscriptions, and resource group hierarchy

You can build a flexible structure of management groups and subscriptions to organize your resources into a hierarchy for unified policy and access management. For example:

Create a hierarchy that applies a policy (limit VM locations to the US West region for every subscription in the IT group).
Provide user access to multiple subscriptions (place the Human Resources subscriptions under one management group and assign a single Azure RBAC role on that group).

Describe Azure Virtual Machines

Infrastructure as a service (IaaS), still need to configure, update, and maintain the software that runs on the VM.

Virtual machine scale sets, number of VM instances can automatically increase or decrease in response to demand, or you can set it to scale based on a defined schedule.

Virtual machine availability sets ensure that VMs stagger updates and have varied power and network connectivity, preventing you from losing all your VMs to a single network or power failure.
This is done with:

Update domains: group VMs that can be rebooted at the same time.
Fault domains: group your VMs by common power source and network switch.

By default, an availability set will split your VMs across up to three fault domains.

Each availability set can be configured with up to three fault domains and twenty update domains.

Exercise – Create an Azure Virtual Machine

Task 1: Create a Linux virtual machine and install Nginx

# Create an Ubuntu VM named vm-test-it4 in the existing resource group test-it4;
# the exercise then installs Nginx on it.
az vm create \
  --resource-group test-it4 \
  --name vm-test-it4 \
  --image UbuntuLTS \
  --admin-username azureuser

Quick guide:

az-ps1 and cli reference – e-lo [IT Engineer life] (follow-e-lo.com)

Describe Azure Virtual Desktop

Azure Virtual Desktop is a desktop and application virtualization service that runs in the cloud.
Enhanced security: Azure Virtual Desktop provides centralized security management for users’ desktops with Azure Active Directory (Azure AD).

Describe Azure Containers

If you want to run multiple instances of an application on a single host machine, containers are an excellent choice.
Containers are a virtualization environment.
Much like running multiple virtual machines on a single physical host, you can run multiple containers on a single physical or virtual host.
Example: Docker.

Azure Container Instances offer the fastest and simplest way to run a container in Azure, without having to manage any virtual machines or adopt any additional services.
Azure Container Instances are a platform as a service (PaaS) offering.

Containers are often used to create solutions by using a microservice architecture.

Describe Azure Functions

Azure Functions is an event-driven, serverless compute option that doesn’t require maintaining virtual machines or containers.
You are only concerned with the code running your service, not with the underlying platform or infrastructure.

Azure Functions runs your code when it’s triggered and automatically deallocates resources when the function is finished.
In this model, you’re only charged for the CPU time used while your function runs.

Describe application hosting options

If you need to host your application on Azure, you might initially turn to a virtual machine (VM) or containers.
Both VMs and containers provide excellent hosting solutions.

Azure App Service
App Service enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure.
Azure App Service lets you focus on building and maintaining your app, and Azure focuses on keeping the environment up and running.

Azure App Service is an HTTP-based service.
Web apps: ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python.
API apps: build REST-based web APIs.

WebJobs: use the WebJobs feature to run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app.
They can be scheduled or run by a trigger. WebJobs are often used to run background tasks as part of your application logic.
Mobile apps: quickly build a back end for iOS and Android apps.

Describe Azure Virtual Networking

Azure virtual networks provide the following key networking capabilities:

Isolation and segmentation
Internet communications
Communicate between Azure resources
Communicate with on-premises resources
Route network traffic
Filter network traffic
Connect virtual networks

Describe Azure Virtual Private Networks

A VPN is an encrypted tunnel within another network.
VPNs are typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet).

VPN gateways

A VPN gateway is a type of virtual network gateway.

Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity:

Connect on-premises datacenters to virtual networks through a site-to-site connection.
Connect individual devices to virtual networks through a point-to-site connection.
Connect virtual networks to other virtual networks through a network-to-network connection.

High-availability scenarios
VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure.

Describe Azure ExpressRoute

Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection, with the help of a connectivity provider. This connection is called an ExpressRoute Circuit.

With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Microsoft 365. This allows you to connect offices, datacenters, or other facilities to the Microsoft cloud. Each location would have its own ExpressRoute circuit.

Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility.

ExpressRoute connections don’t go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.

Connectivity to Microsoft cloud services
ExpressRoute enables direct access to the following services in all regions:

Microsoft Office 365
Microsoft Dynamics 365
Azure compute services, such as Azure Virtual Machines
Azure cloud services, such as Azure Cosmos DB and Azure Storage

Dynamic routing
ExpressRoute uses BGP (Border Gateway Protocol). BGP is used to exchange routes between on-premises networks and resources running in Azure.

Describe Azure DNS

Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.
By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services.

Azure DNS is based on Azure Resource Manager, which provides features such as:
Azure role-based access control (Azure RBAC)
Activity logs to monitor changes to resources
Resource locking to lock a subscription, resource group, or resource.

Alias records
Azure DNS also supports alias record sets. You can use an alias record set to refer to an Azure resource, such as an Azure public IP address.

You can’t use Azure DNS to buy a domain name.

For an annual fee, you can buy a domain name by using App Service domains or a third-party domain name registrar. Once purchased, your domains can be hosted in Azure DNS for record management.

Describe Azure storage services

General-purpose v2 (GPv2) and Blob storage accounts have more options, such as namespace and access tier.

A storage account provides a unique namespace for your Azure Storage data that’s accessible from anywhere in the world over HTTP or HTTPS.
Data in this account is secure, highly available, durable, and massively scalable.

The combination of the account name and the Azure Storage service endpoint forms the endpoints for your storage account.

Storage service	Endpoint
Blob Storage	https://<storage-account-name>.blob.core.windows.net
Data Lake Storage Gen2	https://<storage-account-name>.dfs.core.windows.net
Azure Files	https://<storage-account-name>.file.core.windows.net
Queue Storage	https://<storage-account-name>.queue.core.windows.net
Table Storage	https://<storage-account-name>.table.core.windows.net

Describe Azure storage redundancy

Azure Storage always stores multiple copies of your data so that it’s protected from planned and unplanned events such as transient hardware failures, network or power outages, and natural disasters.

Locally redundant storage (LRS) replicates your data three times within a single data center in the primary region. LRS provides at least 11 nines of durability (99.999999999%) of objects over a given year.

Zone-redundant storage (ZRS) replicates your Azure Storage data synchronously across three Azure availability zones in the primary region. ZRS offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%) over a given year.

For applications requiring high durability, you can choose to additionally copy the data in your storage account to a secondary region that is hundreds of miles away from the primary region.
GRS is similar to running LRS in two regions.
GZRS is similar to running ZRS in the primary region and LRS in the secondary region.

GRS copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region (the region pair) using LRS. GRS offers durability for Azure Storage data objects of at least 16 nines (99.99999999999999%) over a given year.

GZRS storage account is copied across three Azure availability zones in the primary region (similar to ZRS) and is also replicated to a secondary geographic region, using LRS, for protection from regional disasters.

Describe Azure storage services

Azure Blobs: A massively scalable object store for text and binary data. Also includes support for big data analytics through Data Lake Storage Gen2.

Azure Storage offers different access tiers for your blob storage, helping you store object data in the most cost-effective manner. The available access tiers include:

Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your website).
Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (for example, invoices for your customers).
Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups).

The following considerations apply to the different access tiers:

Only the hot and cool access tiers can be set at the account level. The archive access tier isn’t available at the account level.
Hot, cool, and archive tiers can be set at the blob level, during or after upload.

Azure Files: Managed file shares for cloud or on-premises deployments, industry standard Server Message Block (SMB) or Network File System (NFS) protocols.

Azure Queues: A messaging store for reliable messaging between application components, storing large numbers of messages. Once stored, you can access the messages from anywhere in the world via authenticated calls using HTTP or HTTPS.

Azure Table storage is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design.

Azure Disks: Block-level storage volumes for Azure VMs, managed by Azure.

Identify Azure data migration options

Now that you understand the different storage options within Azure, it’s important to also understand how to get your data and information into Azure. Azure supports both real-time migration of infrastructure, applications, and data using Azure Migrate as well as asynchronous migration of data using Azure Data Box.

Azure Migrate is a service that helps you migrate from an on-premises environment to the cloud.

Unified migration platform
Range of tools: a range of tools for assessment and migration. Azure Migrate tools include Azure Migrate: Discovery and assessment and Azure Migrate: Server Migration.
Assessment and migration: in the Azure Migrate hub, you can assess and migrate your on-premises infrastructure to Azure.

Integrated tools

Azure Migrate: Discovery and assessment.
Azure Migrate: Server Migration. Migrate VMware VMs, Hyper-V VMs, physical servers, other virtualized servers, and public cloud VMs to Azure.

Data Migration Assistant. Data Migration Assistant is a stand-alone tool to assess SQL Servers.

Azure Database Migration Service. Migrate on-premises databases to Azure VMs running SQL Server, Azure SQL Database, or SQL Managed Instances.

Web app migration assistant. Azure App Service Migration Assistant is a standalone tool to assess on-premises websites for migration to Azure App Service.

Azure Data Box. Use Azure Data Box products to move large amounts of offline data to Azure.

Identify Azure file movement options

AzCopy is a command-line utility that you can use to copy blobs or files to or from your storage account. With AzCopy, you can upload files, download files, copy files between storage accounts, and even synchronize files.
Azure Storage Explorer is a standalone app that provides a graphical interface to manage files and blobs in your Azure Storage Account.
Azure File Sync is a tool that lets you centralize your file shares in Azure Files and keep the flexibility, performance, and compatibility of a Windows file server.

Describe Azure identity, access, and security

Describe Azure directory services

Azure Active Directory (Azure AD) is a directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop. Azure AD can also help you maintain your on-premises Active Directory deployment.

What does Azure AD do?

Authentication, Single sign-on, Application management, Device management.

Can I connect my on-premises AD with Azure AD?

One method of connecting Azure AD with your on-premises AD is using Azure AD Connect. Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. Azure AD Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems.

Describe Azure authentication methods

Azure supports multiple authentication methods, including standard passwords, single sign-on (SSO), multifactor authentication (MFA), and passwordless.

Describe Azure external identities

An external identity is a person, device, service, etc. that is outside your organization. Azure AD External Identities refers to all the ways you can securely interact with users outside of your organization.

Business to business (B2B) collaboration: collaborate with external users by letting them use their preferred identity to sign

B2B direct connect: establish a mutual, two-way trust with another Azure AD organization for seamless collaboration.

Azure AD business to customer (B2C):

Describe Azure conditional access

Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.

Conditional Access also provides a more granular multifactor authentication experience for users. For example, a user might not be challenged for second authentication factor if they’re at a known location. However, they might be challenged for a second authentication factor if their sign-in signals are unusual or they’re at an unexpected location.

Describe Azure role-based access control

Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.

A management group (a collection of multiple subscriptions).
A single subscription.
A resource group.
A single resource.

Describe zero trust model

Zero Trust is a security model that assumes the worst case scenario and protects resources with that expectation.

To address this new world of computing, Microsoft highly recommends the Zero Trust security model, which is based on these guiding principles:

Verify explicitly – Always authenticate and authorize based on all available data points.

Use least privilege access – Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.

Assume breach – Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

The Zero Trust model flips the traditional assumption that a device is safe because it’s inside the corporate network: it requires everyone to authenticate, and then grants access based on that authentication rather than on location.

Describe defense-in-depth

The objective of defense-in-depth is to protect information and prevent it from being stolen by those who aren’t authorized to access it.

A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data.

The physical security layer is the first line of defense to protect computing hardware in the datacenter.
The identity and access layer controls access to infrastructure and change control.
The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
The network layer limits communication between resources through segmentation and access controls.
The compute layer secures access to virtual machines.
The application layer helps ensure that applications are secure and free of security vulnerabilities.
The data layer controls access to business and customer data that you need to protect.

Describe Microsoft Defender for Cloud

Defender for Cloud is a monitoring tool for security posture management and threat protection. It monitors your cloud, on-premises, hybrid, and multicloud environments to provide guidance and notifications aimed at strengthening your security posture.

Because Defender for Cloud is an Azure-native service, many Azure services are monitored and protected without needing any deployment.

Azure-native protections
Defender for Cloud helps you detect threats across:

Azure PaaS services: detect threats targeting Azure services including Azure App Service, Azure SQL, Azure Storage Account, and more data services.
Azure data services: Defender for Cloud includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services, and recommendations for how to mitigate them.
Networks: Defender for Cloud helps you limit exposure to brute force attacks.

Defend your hybrid resources

In addition to defending your Azure environment, you can add Defender for Cloud capabilities to your hybrid cloud environment to protect your non-Azure servers.
To extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud’s enhanced security features.


Defender for Cloud groups the recommendations into security controls and adds a secure score value to each control.

3 Azure Fundamentals: Describe Azure management and governance

Describe cost management in Azure

Cloud computing shifts development costs from the capital expense (CapEx) of building out and maintaining infrastructure and facilities to the operational expense (OpEx) of renting infrastructure.

A number of factors influence the cost of Azure resources:
The type of resource
The settings for the resource
The region
All of these have an impact on how much a resource costs.


Pay-as-you-go has been a consistent theme throughout, and that’s the cloud payment model where you pay for the resources that you use during a billing cycle.

Azure also offers the ability to commit to using a set amount of cloud resources in advance and receive discounts on those “reserved” resources (in some cases up to 72 percent).


Resource groups can help keep all of your resources organized and control cost.


The cost of power, labor, taxes, and fees varies depending on the location.
Network traffic pricing is also affected by geography.

Network Traffic

Bandwidth refers to data moving in and out of Azure datacenters. Some inbound data transfers (data going into Azure datacenters) are free.
For outbound data transfers (data leaving Azure datacenters), data transfer pricing is based on zones.

Compare the Pricing and Total Cost of Ownership calculators

The pricing calculator is designed to give you an estimated cost for provisioning resources in Azure.

The TCO calculator is designed to help you compare the costs for running an on-premises infrastructure compared to an Azure Cloud infrastructure.


Total Cost of Ownership (TCO) Calculator | Microsoft Azure

Describe the Azure Cost Management tool

Cost Management provides the ability to quickly check Azure resource costs, create alerts based on resource spend, and create budgets that can be used to automate management of resources.

Budget alerts
Credit alerts
Department spending quota alerts.

Describe the purpose of tags

Resource management: tags enable you to locate and act on resources that are associated with specific workloads, environments, business units, and owners.
Cost management and optimization: group and report on cost.
Operations management: criticality to the business.
Security: classify resources based on security level.
Governance and regulatory compliance: align with requirements, e.g. ISO 27001.

Describe features and tools in Azure for governance and compliance

Describe the purpose of Azure Blueprints

What happens when your cloud starts to grow beyond just one subscription or environment? How can you scale the configuration of features? How can you enforce settings and policies in new subscriptions?

Azure Blueprints lets you standardize cloud subscription or environment deployments. Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define repeatable settings and policies that are applied as new subscriptions are created.

What are artifacts?

Each component in the blueprint definition is known as an artifact.

Azure Blueprints deploy a new environment based on all of the requirements, settings, and configurations of the associated artifacts. Artifacts can include things such as:

Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups

How do Azure Blueprints help monitor deployments?

Azure Blueprints are version-able, allowing you to create an initial configuration and then make updates later on and assign a new version to the update.
With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved.

Describe the purpose of Azure Policy

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules across your resource configurations.

Azure Policy can be applied at each level, enabling you to set policies on a specific resource, resource group, subscription…

Azure Policy comes with built-in policy and initiative definitions for Storage, Networking, Compute, Security Center, and Monitoring.

What are Azure Policy initiatives?

A way of grouping related policies together.

Example: Azure Policy includes an initiative named Enable Monitoring in Azure Security Center, which contains policies such as:

Monitor unencrypted SQL Database in Security Center
Monitor OS vulnerabilities in Security Center
Monitor missing Endpoint Protection in Security Center
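The inheritance described earlier (a policy assigned to a management group governs every subscription and resource group beneath it), the IT-group location example, and initiatives as groups of policies, as one added illustration in Python that is not Microsoft's code: the hierarchy, the resources and the properties.tdeStatus field path are constructed for this example, while the policyRule if/then shape mirrors Azure Policy's JSON.

```python
from typing import Dict, List, Optional, Tuple

# Constructed scope hierarchy: child -> parent (None marks a top-level management group).
PARENT: Dict[str, Optional[str]] = {
    "mg-IT": None,
    "mg-HR": None,
    "sub-it-prod": "mg-IT",
    "sub-hr-payroll": "mg-HR",
    "rg-web": "sub-it-prod",
    "rg-payroll": "sub-hr-payroll",
}

def ancestors(scope: str) -> List[str]:
    """The scope itself followed by every parent up to the root."""
    chain: List[str] = []
    current: Optional[str] = scope
    while current is not None:
        chain.append(current)
        current = PARENT[current]
    return chain

# Policy definitions written in the shape of an Azure Policy "policyRule":
# an "if" condition block and a "then" block that names the effect.
LIMIT_VM_LOCATIONS = {
    "name": "Limit VM locations to the US West Region",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "location", "notIn": ["westus"]},
        ]},
        "then": {"effect": "deny"},
    },
}
# "properties.tdeStatus" is a constructed stand-in for the real policy alias.
MONITOR_UNENCRYPTED_SQL = {
    "name": "Monitor unencrypted SQL Database in Security Center",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Sql/servers/databases"},
            {"field": "properties.tdeStatus", "notEquals": "Enabled"},
        ]},
        "then": {"effect": "audit"},
    },
}
# An initiative is simply a named group of related policy definitions.
ENABLE_MONITORING = {"name": "Enable Monitoring in Azure Security Center",
                     "policies": [MONITOR_UNENCRYPTED_SQL]}

# Assignments attach a definition to one scope; everything beneath inherits it.
ASSIGNMENTS: Dict[str, list] = {
    "mg-IT": [LIMIT_VM_LOCATIONS],
    "mg-HR": [ENABLE_MONITORING],
}

def field_value(resource: dict, path: str):
    """Dotted lookup into the resource document, e.g. 'properties.tdeStatus'."""
    value = resource
    for part in path.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def matches(cond: dict, resource: dict) -> bool:
    """Evaluate an "if" block: logical operators first, then field conditions."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource: dict, scope: str) -> List[Tuple[str, str]]:
    """(policy name, effect) for each policy that fires, walking the scope and all ancestors."""
    fired: List[Tuple[str, str]] = []
    for s in ancestors(scope):
        for definition in ASSIGNMENTS.get(s, []):
            # Expand an initiative into its member policies; a plain policy is a list of one.
            for policy in definition.get("policies", [definition]):
                rule = policy["policyRule"]
                if matches(rule["if"], resource):
                    fired.append((policy["name"], rule["then"]["effect"]))
    return fired

def is_denied(resource: dict, scope: str) -> bool:
    """A single 'deny' effect blocks the deployment; 'audit' only records non-compliance."""
    return any(effect == "deny" for _, effect in evaluate(resource, scope))
```

Deploying an East US VM into rg-web is denied through the IT management group, while the same VM under the HR group is not; the HR initiative only audits an unencrypted database, it does not block it.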

Describe the purpose of resource locks

Even with Azure role-based access control (Azure RBAC) policies in place, there’s still a risk that people with the right level of access could delete critical cloud resources. Resource locks prevent resources from being deleted or updated, depending on the type of lock.

Types of Resource Locks

Delete (CanNotDelete): authorized users can still read and modify a resource, but they can’t delete it.
ReadOnly: the resource (or resource group) is read-only; for example, tags on a locked resource group can’t be modified.

To modify a locked resource, you must first remove the lock. After you remove the lock, you can apply any action you have permissions to perform. Resource locks apply regardless of RBAC permissions.

Example: attempting to delete a locked resource fails with:

Please remove the lock and try again. (Code: ScopeLocked)
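Scope inheritance for RBAC (one role assignment on a management group covering several subscriptions, as in the role-based access control section) together with the lock behaviour described here, as an added example in Python that is not Azure's implementation: the hierarchy, principals and cut-down role definitions are constructed, while the Actions/NotActions form, the CanNotDelete and ReadOnly levels and the ScopeLocked code are the real ones.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set

# Constructed hierarchy: child scope -> parent scope (None marks the top).
PARENT: Dict[str, Optional[str]] = {
    "mg-HR": None,
    "sub-hr-1": "mg-HR",
    "sub-hr-2": "mg-HR",
    "rg-payroll": "sub-hr-1",
    "vm-payroll-01": "rg-payroll",
}

def ancestors(scope: str) -> List[str]:
    """The scope itself followed by every parent up to the root."""
    chain: List[str] = []
    current: Optional[str] = scope
    while current is not None:
        chain.append(current)
        current = PARENT[current]
    return chain

# Cut-down role definitions in Azure's Actions / NotActions form. Contributor
# really does exclude Microsoft.Authorization writes and deletes, which is why
# it cannot remove a lock; everything else here is simplified for brevity.
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "Owner": {"actions": {"*"}, "notActions": set()},
    "Contributor": {"actions": {"*"},
                    "notActions": {"Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"}},
    "Reader": {"actions": {"*/read"}, "notActions": set()},
}

# Role assignments as (principal, role, scope). One assignment on the management
# group gives alice the same rights in every subscription beneath it.
ROLE_ASSIGNMENTS = [
    ("alice", "Contributor", "mg-HR"),
    ("bob", "Reader", "rg-payroll"),
    ("carol", "Owner", "sub-hr-1"),
]

# Resource locks as scope -> level. A lock covers everything beneath its scope.
LOCKS: Dict[str, str] = {"rg-payroll": "CanNotDelete"}

def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings are compared case-insensitively with '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())

def rbac_permits(principal: str, action: str, scope: str) -> bool:
    """True if an inherited assignment grants the action and its role does not exclude it."""
    for who, role, assigned_at in ROLE_ASSIGNMENTS:
        if who != principal or assigned_at not in ancestors(scope):
            continue
        definition = ROLES[role]
        granted = any(action_matches(p, action) for p in definition["actions"])
        excluded = any(action_matches(p, action) for p in definition["notActions"])
        if granted and not excluded:
            return True
    return False

def effective_lock(scope: str) -> Optional[str]:
    """Most restrictive lock found on the scope or any of its ancestors."""
    levels = {LOCKS[s] for s in ancestors(scope) if s in LOCKS}
    if "ReadOnly" in levels:
        return "ReadOnly"
    if "CanNotDelete" in levels:
        return "CanNotDelete"
    return None

@dataclass(frozen=True)
class Decision:
    allowed: bool
    code: str  # "OK", "AuthorizationFailed" or "ScopeLocked"

def authorize(principal: str, action: str, scope: str) -> Decision:
    """RBAC is checked first; a lock then blocks writes and deletes regardless of RBAC."""
    if not rbac_permits(principal, action, scope):
        return Decision(False, "AuthorizationFailed")
    op = action.lower()
    # Managing the lock itself is never blocked by the lock, or it could never be removed.
    lock = None if op.startswith("microsoft.authorization/locks/") else effective_lock(scope)
    is_delete = op.endswith("/delete")
    is_write = op.endswith("/write")
    if lock == "ReadOnly" and (is_write or is_delete):
        return Decision(False, "ScopeLocked")
    if lock == "CanNotDelete" and is_delete:
        return Decision(False, "ScopeLocked")
    return Decision(True, "OK")

def remove_lock(principal: str, scope: str) -> Decision:
    """Removing a lock is itself an authorization action: Owner can, Contributor cannot."""
    decision = authorize(principal, "Microsoft.Authorization/locks/delete", scope)
    if decision.allowed:
        LOCKS.pop(scope, None)
    return decision
```

alice, a Contributor on the HR management group, can modify the payroll VM but gets ScopeLocked on delete until carol (Owner on the subscription) removes the lock; a Contributor cannot remove it.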

Describe the purpose of the Service Trust portal

The Microsoft Service Trust Portal is a portal that provides access to various content, tools, and other resources about Microsoft security, privacy, and compliance practices.


The Service Trust Portal contains details about Microsoft’s implementation of controls and processes that protect our cloud services and the customer data therein.

Describe features and tools for managing and deploying Azure resources

Describe tools for interacting with Azure

Azure portal
Azure PowerShell
Azure Command Line Interface (CLI)

Describe the purpose of Azure Arc

Managing hybrid and multi-cloud environments can rapidly get complicated. Azure provides a host of tools to provision, configure, and monitor Azure resources. What about the on-premises resources in a hybrid configuration or the cloud resources in a multi-cloud configuration?

By building on Azure Resource Manager (ARM), Arc lets you extend your Azure compliance and monitoring to your hybrid and multi-cloud configurations. Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform.

What can Azure Arc do outside of Azure?

Currently, Azure Arc allows you to manage the following resource types hosted outside of Azure:

Kubernetes clusters
Azure data services
SQL Server
Virtual machines (preview)

Describe Azure Resource Manager and Azure ARM templates

Azure Resource Manager (ARM) is the deployment and management service for Azure.

Azure Resource Manager benefits

Declarative templates (JSON) rather than scripts.
Deploy, manage, and monitor all the resources for your solution as a group.
Define the dependencies.
Apply access control to all services with RBAC.
Apply tags.
Clarify your organization’s billing.

ARM templates

ARM templates are infrastructure as code: JSON files that declare the resources to deploy.

Describe monitoring tools in Azure

Describe the purpose of Azure Advisor

Azure Advisor evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs.
The recommendations are available via the Azure portal and the API, and you can set up notifications to alert you to new recommendations.

The five recommendation categories for Azure Advisor are: Reliability, Security, Performance, Operational Excellence, and Cost.

Describe Azure Service Health


Azure status reports on service problems that affect a broad set of Azure customers.

Resource Health gives you a personalized dashboard of the health of your resources. Resource Health shows all the times that your resources have been unavailable because of Azure service problems. This data makes it easy for you to see if an SLA was violated.

Describe Azure Monitor

Azure Monitor is a platform for collecting data on your resources, analyzing that data, visualizing the information, and even acting on the results.

Azure Log Analytics is the tool in the Azure portal where you’ll write and run log queries on the data gathered by Azure Monitor.

Azure Monitor Alerts are an automated way to stay informed when Azure Monitor detects that a threshold has been crossed.

Application Insights, an Azure Monitor feature, monitors your web applications. Application Insights is capable of monitoring applications that are running in Azure, on-premises, or in a different cloud environment.

Resource Health is a tailored view of your actual Azure resources. It provides information about the health of your individual cloud resources.

AZ-900: Microsoft Azure Fundamentals Sample Questions | Microsoft Learn