Last updated on May 26, 2023
Skills measured
• Describe cloud concepts (25–30%)
• Describe Azure architecture and services (35–40%)
• Describe Azure management and governance (30–35%)
Exam AZ-900: Microsoft Azure Fundamentals – Certifications | Microsoft Learn
Tired of reading what you wrote? Check this out Notes From Azure Fundamentals: Necessary knowledge to take the AZ900 Microsoft Azure Fundamentals Exam. | by Jerry Okafor | Medium
1 Microsoft Azure Fundamentals: Describe cloud concepts
Describe cloud computing
Cloud computing is the delivery of computing services over the internet. Computing services include common IT infrastructure such as virtual machines, storage, databases, and networking.
Describe the shared responsibility model
Physical security, power, cooling, and network connectivity are the responsibility of the cloud provider.
The consumer is responsible for the data and information stored in the cloud.
With an on-premises datacenter, you’re responsible for everything. With cloud computing, those responsibilities shift.
Infrastructure as a service (IaaS)
Platform as a service (PaaS)
Software as a service (SaaS)
IaaS places the most responsibility on the consumer, with the cloud provider being responsible for the basics of physical security, power, and connectivity.
On the other end of the spectrum, SaaS places most of the responsibility with the cloud provider.
PaaS, being a middle ground between IaaS and SaaS, rests somewhere in the middle and evenly distributes responsibility between the cloud provider and the consumer.
You are responsible for:
Information and data
Devices that are allowed to connect
Accounts and identities
Cloud provider is responsible for:
Physical datacenter, physical network, physical hosts.
Define cloud models
Private cloud
Owned by organization, private availability.
Public cloud
Owned by cloud service, general availability.
Hybrid
Public and private
Multi-cloud
Multiple public cloud providers.
Azure Arc
Set of technologies that helps manage your cloud environment (all types above)
Describe the consumption-based model
CapEx is typically a one-time, up-front expenditure, buy now.
OpEx is spending money on services or products over time, rent.
Cloud computing falls under OpEx because cloud computing operates on a consumption-based model.
Pay-as-you-go pricing model.
Describe the benefits of using cloud services
Describe the benefits of high availability and scalability in the cloud
High availability, backed by SLAs.
Scalability
Vertical scaling (scaling up): add more processing power to the virtual machine, for example more CPUs or RAM.
Horizontal scaling (scaling out): add more resources, either automatically or manually.
Describe the benefits of reliability and predictability in the cloud
Reliability
To recover from failures and continue to function.
Predictability
Can be focused on performance (what do you need) predictability or cost predictability (what will it cost, forecast).
Describe the benefits of security and governance in the cloud
Deployed resources meet corporate standards and government regulatory requirements.
Update all your deployed resources to new standards as standards change.
Flag any resource that’s out of compliance with your corporate standards and provide mitigation strategies.
Describe the benefits of manageability in the cloud
Two types
Management of the cloud
Automatically scale
Deploy resources based on a preconfigured template
Monitor the health
Receive automatic alerts
Management in the cloud
Through the portal
CLI
APIs
PowerShell
Describe cloud service types
Describe Infrastructure as a Service
Most flexible, maximum amount of control.
Cloud provider is responsible for maintaining the hardware, network connectivity (to the internet), and physical security.
You: operating system installation, configuration, and maintenance; network configuration; database and storage configuration.
In the shared responsibility model, IaaS places the largest share of responsibility on you.
Used for:
Lift-and-shift migration
Testing and development.
Describe Platform as a Service
Middle ground between renting infrastructure and paying for a complete solution.
Cloud provider: physical infrastructure, physical security, connection to the internet, OS, middleware, development tools and business intelligence services, licensing and patching.
Shared responsibility model: roughly 50/50; identity and directory infrastructure, applications, and network controls may be shared between you and the provider.
Used for:
Development framework
Analytics or business intelligence tools.
Describe Software as a Service
Renting or using a fully developed application.
Shared responsibility model as always you are responsible for:
Data, devices and users.
Used for:
Email and messaging.
Business productivity applications.
Finance and expense tracking.
2 Azure Fundamentals: Describe Azure architecture and services
Describe the core architectural components of Azure
Get started with Azure accounts
Azure subscription
What is the Microsoft Learn sandbox?
Use the PowerShell CLI
Use the BASH CLI: type
bash
to switch to the BASH CLI.
Use Azure CLI interactive mode: type
az interactive
Describe Azure physical infrastructure
Broken down into two main groupings: the physical infrastructure, and the management infrastructure.
Physical infrastructure starts with datacenters.
Datacenters are grouped into Azure Regions or Azure Availability Zones.
A region is a geographical area on the planet that contains at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network.
Availability zones are physically separate datacenters within an Azure region (for example, a VM placed in zone 1).
Each availability zone is made up of one or more datacenters.
(not all Azure Regions currently support availability zones.)

Region pairs: if a region in a pair is affected by a natural disaster, services automatically fail over to the other region in its region pair.
West US and East US.
Sovereign regions are instances of Azure that are isolated from the main instance of Azure. Used for compliance and legal.
Describe Azure management infrastructure
A resource is the basic building block of Azure.
Subscriptions are a unit of management, billing, and scale.
Subscription provides you with authenticated and authorized access to Azure products and services.
Subscription links to an Azure account, an account is an identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts.
Account can have multiple subscriptions.
Define boundaries around Azure products, services, and resources with two types:
Billing boundary: this subscription type determines how an Azure account is billed.
Access control boundary: separate subscriptions to reflect different organizational structures.
Create additional Azure subscriptions
You might choose to create additional subscriptions to separate:
Environments
Organizational structures
Billing
Azure management groups

Organize subscriptions into containers called management groups and apply governance conditions to the management groups.
All subscriptions within a management group automatically inherit the conditions applied to the management group, the same way that resource groups inherit settings from subscriptions and resources inherit from resource groups.
Management groups give you enterprise-grade management at a large scale.

Management group, subscriptions, and resource group hierarchy
You can build a flexible structure of management groups and subscriptions to organize your resources into a hierarchy for unified policy and access management.
Examples
Create a hierarchy that applies a policy (Limit VM locations to the US West Region in group IT)
Provide user access to multiple subscriptions (multiple subscriptions in Human resources and have one Azure RBAC role on the group)

Describe Azure Virtual Machines
Infrastructure as a service (IaaS): you still need to configure, update, and maintain the software that runs on the VM.
Virtual machine scale sets: the number of VM instances can automatically increase or decrease in response to demand, or you can set it to scale based on a defined schedule.
Virtual machine availability sets: ensure that VMs stagger updates and have varied power and network connectivity, preventing you from losing all your VMs with a single network or power failure.
Done with:
Update domain: groups VMs that can be rebooted at the same time.
Fault domain: groups your VMs by common power source and network switch.
By default, an availability set will split your VMs across up to three fault domains.
Each availability set can be configured with up to three fault domains and twenty update domains.
Exercise – Create an Azure Virtual Machine
Task 1: Create a Linux virtual machine and install Nginx

# Create an Ubuntu VM; --generate-ssh-keys creates an SSH key pair in ~/.ssh if none exists
az vm create \
  --resource-group test-it4 \
  --name vm-test-it4 \
  --image UbuntuLTS \
  --admin-username azureuser \
  --generate-ssh-keys
quick guide
az-ps1 and cli reference – e-lo [IT Engineer life] (follow-e-lo.com)
Describe Azure Virtual Desktop
Azure Virtual Desktop is a desktop and application virtualization service that runs on the cloud.
Enhanced security: Azure Virtual Desktop provides centralized security management for users’ desktops with Azure Active Directory (Azure AD).
Describe Azure Containers
If you want to run multiple instances of an application on a single host machine, containers are an excellent choice.
Containers are a virtualization environment.
Much like running multiple virtual machines on a single physical host, you can run multiple containers on a single physical or virtual host.
Example Docker
Azure Container Instances offer the fastest and simplest way to run a container in Azure; without having to manage any virtual machines or adopt any additional services.
Azure Container Instances are a platform as a service (PaaS) offering.
Containers are often used to create solutions by using a microservice architecture.
Describe Azure Functions
Azure Functions is an event-driven, serverless compute option that doesn’t require maintaining virtual machines or containers.
You’re only concerned with the code running your service, not the underlying platform or infrastructure.
Azure Functions runs your code when it’s triggered and automatically deallocates resources when the function is finished.
In this model, you’re only charged for the CPU time used while your function runs.
Describe application hosting options
If you need to host your application on Azure, you might initially turn to a virtual machine (VM) or containers.
Both VMs and containers provide excellent hosting solutions.
Azure App Service
App Service enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure.
Azure App Service lets you focus on building and maintaining your app, and Azure focuses on keeping the environment up and running.
Azure App Service is an HTTP-based service.
Web apps: ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python.
API apps: build REST-based web APIs.
WebJobs: use the WebJobs feature to run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app.
They can be scheduled or run by a trigger. WebJobs are often used to run background tasks as part of your application logic.
Mobile apps: quickly build a back end for iOS and Android apps.
Describe Azure Virtual Networking
Azure virtual networks provide the following key networking capabilities:
Isolation and segmentation
Internet communications
Communicate between Azure resources
Communicate with on-premises resources
Route network traffic
Filter network traffic
Connect virtual networks
Describe Azure Virtual Private Networks
A VPN is an encrypted tunnel within another network.
VPNs are typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet).
VPN gateways
A VPN gateway is a type of virtual network gateway.
Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity:
Connect on-premises datacenters to virtual networks through a site-to-site connection.
Connect individual devices to virtual networks through a point-to-site connection.
Connect virtual networks to other virtual networks through a network-to-network connection.
High-availability scenarios
VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure.
Describe Azure ExpressRoute
Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection, with the help of a connectivity provider. This connection is called an ExpressRoute Circuit.
With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure and Microsoft 365. This allows you to connect offices, datacenters, or other facilities to the Microsoft cloud. Each location would have its own ExpressRoute circuit.
Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility.
ExpressRoute connections don’t go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, consistent latencies, and higher security than typical connections over the Internet.
Connectivity to Microsoft cloud services
ExpressRoute enables direct access to the following services in all regions:
Microsoft Office 365
Microsoft Dynamics 365
Azure compute services, such as Azure Virtual Machines
Azure cloud services, such as Azure Cosmos DB and Azure Storage
Dynamic routing
ExpressRoute uses the BGP. BGP is used to exchange routes between on-premises networks and resources running in Azure.
Describe Azure DNS
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure.
By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services.
Security
Azure DNS is based on Azure Resource Manager, which provides features such as:
Azure role-based access control (Azure RBAC)
Activity logs to monitor
Resource locking to lock a subscription, resource group, or resource.
Alias records
Azure DNS also supports alias record sets. You can use an alias record set to refer to an Azure resource, such as an Azure public IP address.
You can’t use Azure DNS to buy a domain name.
For an annual fee, you can buy a domain name by using App Service domains or a third-party domain name registrar. Once purchased, your domains can be hosted in Azure DNS for record management.
Describe Azure storage services
General-purpose v2 (GPv2) and Blob storage accounts have more options: namespace and access tier.

A storage account provides a unique namespace for your Azure Storage data that’s accessible from anywhere in the world over HTTP or HTTPS.
Data in this account is secure, highly available, durable, and massively scalable.

The combination of the account name and the Azure Storage service endpoint forms the endpoints for your storage account.
Storage service: endpoint
Blob Storage: https://<storage-account-name>.blob.core.windows.net
Data Lake Storage Gen2: https://<storage-account-name>.dfs.core.windows.net
Azure Files: https://<storage-account-name>.file.core.windows.net
Queue Storage: https://<storage-account-name>.queue.core.windows.net
Table Storage: https://<storage-account-name>.table.core.windows.net
Describe Azure storage redundancy
Azure Storage always stores multiple copies of your data so that it’s protected from planned and unplanned events such as transient hardware failures, network or power outages, and natural disasters.
LRS
Locally redundant storage (LRS) replicates your data three times within a single data center in the primary region. LRS provides at least 11 nines of durability (99.999999999%) of objects over a given year.
ZRS
Zone-redundant storage (ZRS) replicates your Azure Storage data synchronously across three Azure availability zones in the primary region. ZRS offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%) over a given year.
For applications requiring high durability, you can choose to additionally copy the data in your storage account to a secondary region that is hundreds of miles away from the primary region.
GRS is similar to running LRS in two regions.
GZRS is similar to running ZRS in the primary region and LRS in the secondary region.
GRS copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region (the region pair) using LRS. GRS offers durability for Azure Storage data objects of at least 16 nines (99.99999999999999%) over a given year.
GZRS storage account is copied across three Azure availability zones in the primary region (similar to ZRS) and is also replicated to a secondary geographic region, using LRS, for protection from regional disasters.
Describe Azure storage services
Azure Blobs: A massively scalable object store for text and binary data. Also includes support for big data analytics through Data Lake Storage Gen2.
Azure Storage offers different access tiers for your blob storage, helping you store object data in the most cost-effective manner. The available access tiers include:
Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your website).
Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (for example, invoices for your customers).
Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups).
The following considerations apply to the different access tiers:
Only the hot and cool access tiers can be set at the account level. The archive access tier isn’t available at the account level.
Hot, cool, and archive tiers can be set at the blob level, during or after upload.
Azure Files: Managed file shares for cloud or on-premises deployments, industry standard Server Message Block (SMB) or Network File System (NFS) protocols.
Azure Queues: A messaging store for reliable messaging between application components, storing large numbers of messages. Once stored, you can access the messages from anywhere in the world via authenticated calls using HTTP or HTTPS.

Azure Table storage is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design.

Azure Disks: Block-level storage volumes for Azure VMs, storage volumes managed by Azure for use with Azure VMs.

Identify Azure data migration options
Now that you understand the different storage options within Azure, it’s important to also understand how to get your data and information into Azure. Azure supports both real-time migration of infrastructure, applications, and data using Azure Migrate as well as asynchronous migration of data using Azure Data Box.
Azure Migrate is a service that helps you migrate from an on-premises environment to the cloud.
Unified migration platform
Range of tools: A range of tools for assessment and migration.
Azure Migrate tools include Azure Migrate: Discovery and assessment and Azure Migrate: Server Migration.
Assessment and migration: in the Azure Migrate hub, you can assess and migrate your on-premises infrastructure to Azure.
Integrated tools
Azure Migrate: Discovery and assessment.
Azure Migrate: Server Migration. Migrate VMware VMs, Hyper-V VMs, physical servers, other virtualized servers, and public cloud VMs to Azure.
Data Migration Assistant. Data Migration Assistant is a stand-alone tool to assess SQL Servers.
Azure Database Migration Service. Migrate on-premises databases to Azure VMs running SQL Server, Azure SQL Database, or SQL Managed Instances.
Web app migration assistant. Azure App Service Migration Assistant is a standalone tool to assess on-premises websites for migration to Azure App Service.
Azure Data Box. Use Azure Data Box products to move large amounts of offline data to Azure.
Identify Azure file movement options
AzCopy is a command-line utility that you can use to copy blobs or files to or from your storage account. With AzCopy, you can upload files, download files, copy files between storage accounts, and even synchronize files.
Azure Storage Explorer is a standalone app that provides a graphical interface to manage files and blobs in your Azure Storage Account.
Azure File Sync is a tool that lets you centralize your file shares in Azure Files and keep the flexibility, performance, and compatibility of a Windows file server.
Describe Azure identity, access, and security
Describe Azure directory services
Azure Active Directory (Azure AD) is a directory service that enables you to sign in and access both Microsoft cloud applications and cloud applications that you develop. Azure AD can also help you maintain your on-premises Active Directory deployment.
What does Azure AD do?
Authentication, Single sign-on, Application management, Device management.
Can I connect my on-premises AD with Azure AD?
One method of connecting Azure AD with your on-premises AD is using Azure AD Connect. Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. Azure AD Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems.
Describe Azure authentication methods
Azure supports multiple authentication methods, including standard passwords, single sign-on (SSO), multifactor authentication (MFA), and passwordless.
Describe Azure external identities
An external identity is a person, device, service, etc. that is outside your organization. Azure AD External Identities refers to all the ways you can securely interact with users outside of your organization.
Business to business (B2B) collaboration, Collaborate with external users by letting them use their preferred identity to sign
B2B direct connect, Establish a mutual, two-way trust with another Azure AD organization for seamless collaboration.
Azure AD business to customer (B2C),
Describe Azure conditional access
Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.
Conditional Access also provides a more granular multifactor authentication experience for users. For example, a user might not be challenged for second authentication factor if they’re at a known location. However, they might be challenged for a second authentication factor if their sign-in signals are unusual or they’re at an unexpected location.
Describe Azure role-based access control
Role-based access control is applied to a scope, which is the resource or set of resources that the access applies to. A scope can be:
A management group (a collection of multiple subscriptions).
A single subscription.
A resource group.
A single resource.
Describe zero trust model
Zero Trust is a security model that assumes the worst case scenario and protects resources with that expectation.
To address this new world of computing, Microsoft highly recommends the Zero Trust security model, which is based on these guiding principles:
Verify explicitly – Always authenticate and authorize based on all available data points.
Use least privilege access – Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Assume breach – Minimize blast radius and segment access.
Verify end-to-end encryption. Use analytics to get visibility, drive threat detection, and improve defenses.

The Zero Trust model flips the traditional corporate-network scenario.
Instead of assuming that a device is safe because it’s within the corporate network, it requires everyone to authenticate, then grants access based on authentication rather than location.
Describe defense-in-depth
The objective of defense-in-depth is to protect information and prevent it from being stolen by those who aren’t authorized to access it.
A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data.
The physical security layer is the first line of defense to protect computing hardware in the datacenter.
The identity and access layer controls access to infrastructure and change control.
The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
The network layer limits communication between resources through segmentation and access controls.
The compute layer secures access to virtual machines.
The application layer helps ensure that applications are secure and free of security vulnerabilities.
The data layer controls access to business and customer data that you need to protect.

Describe Microsoft Defender for Cloud
Defender for Cloud is a monitoring tool for security posture management and threat protection. It monitors your cloud, on-premises, hybrid, and multicloud environments to provide guidance and notifications aimed at strengthening your security posture.
Because Defender for Cloud is an Azure-native service, many Azure services are monitored and protected without needing any deployment.
Azure-native protections
Defender for Cloud helps you detect threats across:
Azure PaaS services: detect threats targeting Azure services including Azure App Service, Azure SQL, Azure Storage Account, and more data services.
Azure data services: Defender for Cloud includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services, and recommendations for how to mitigate them.
Networks: Defender for Cloud helps you limit exposure to brute force attacks.
Defend your hybrid resources
In addition to defending your Azure environment, you can add Defender for Cloud capabilities to your hybrid cloud environment to protect your non-Azure servers.
To extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud’s enhanced security features.
Secure
Defender for Cloud groups the recommendations into security controls and adds a secure score value to each control.

3 Azure Fundamentals: Describe Azure management and governance
Describe cost management in Azure
Cloud computing shifts development costs from the capital expense (CapEx) of building out and maintaining infrastructure and facilities to an operational expense (OpEx) of renting infrastructure.
A number of factors influence the cost of Azure resources: the type of resource, the settings for the resource, and the region all have an impact on how much a resource costs.
Consumption
Pay-as-you-go has been a consistent theme throughout, and that’s the cloud payment model where you pay for the resources that you use during a billing cycle.
Azure also offers the ability to commit to using a set amount of cloud resources in advance and receive discounts on those “reserved” resources (in some cases up to 72 percent).
Maintenance
Resource groups can help keep all of your resources organized and control cost.
Geography
The cost of power, labor, taxes, and fees vary depending on the location.
Network traffic costs are also affected by geography.
Network Traffic
Bandwidth refers to data moving in and out of Azure datacenters. Some inbound data transfers (data going into Azure datacenters) are free.
For outbound data transfers (data leaving Azure datacenters), data transfer pricing is based on zones.
Compare the Pricing and Total Cost of Ownership calculators
The pricing calculator is designed to give you an estimated cost for provisioning resources in Azure.
The TCO calculator is designed to help you compare the costs for running an on-premises infrastructure compared to an Azure Cloud infrastructure.
https://azure.microsoft.com/en-us/pricing/calculator/

Total Cost of Ownership (TCO) Calculator | Microsoft Azure
Describe the Azure Cost Management tool
Cost Management provides the ability to quickly check Azure resource costs, create alerts based on resource spend, and create budgets that can be used to automate management of resources.
Budget alerts
Credit alerts
Department spending quota alerts.

Describe the purpose of tags
Resource management: tags enable you to locate and act on resources that are associated with specific workloads, environments, business units, and owners.
Cost management and optimization: group and report on cost.
Operations management: criticality to the business.
Security: classify based on security level.
Governance and regulatory compliance: align with requirements, for example ISO 27001.
Describe features and tools in Azure for governance and compliance
Describe the purpose of Azure Blueprints
What happens when your cloud starts to grow beyond just one subscription or environment? How can you scale the configuration of features? How can you enforce settings and policies in new subscriptions?
Azure Blueprints lets you standardize cloud subscription or environment deployments. Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define repeatable settings and policies that are applied as new subscriptions are created.
What are artifacts?
Each component in the blueprint definition is known as an artifact.
Azure Blueprints deploy a new environment based on all of the requirements, settings, and configurations of the associated artifacts. Artifacts can include things such as:
Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups
How do Azure Blueprints help monitor deployments?
Azure Blueprints are version-able, allowing you to create an initial configuration and then make updates later on and assign a new version to the update.
With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved.
Describe the purpose of Azure Policy
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules across your resource configurations.
Azure Policies can be set at each level, enabling you to set policies on a specific resource, resource group, subscription….
Azure Policy comes with built-in policy and initiative definitions for Storage, Networking, Compute, Security Center, and Monitoring.
What are Azure Policy initiatives?
An initiative is a way of grouping related policies together.
For example, Azure Policy includes an initiative named Enable Monitoring in Azure Security Center, which groups policies such as:
Monitor unencrypted SQL Database in Security Center
Monitor OS vulnerabilities in Security Center
Monitor missing Endpoint Protection in Security Center
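As an added example (not code from Microsoft Learn or from these notes), here is a custom policy definition in the JSON shape used by Azure Policy (Microsoft.Authorization/policyDefinitions); it implements the “limit VM locations to the US West region” rule from the management-group hierarchy example earlier in these notes. The display name, description, parameter name and the westus default are assumptions.

```json
{
  "properties": {
    "displayName": "Limit virtual machine locations",
    "description": "Assumed example definition: denies virtual machines created outside the allowed regions.",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {
      "category": "Compute"
    },
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which virtual machines may be deployed.",
          "strongType": "location"
        },
        "defaultValue": [
          "westus"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assigned at the IT management group, every subscription under that group inherits the deny, which is the inheritance behaviour described in the management groups section; changing "effect" to "audit" keeps the same rule but only flags non-compliant VMs in the compliance view instead of blocking them.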
Describe the purpose of resource locks
Even with Azure role-based access control (Azure RBAC) policies in place, there’s still a risk that people with the right level of access could delete critical cloud resources. Resource locks prevent resources from being deleted or updated, depending on the type of lock.
Types of Resource Locks
Delete means authorized users can still read and modify a resource, but they can’t delete the resource.
ReadOnly means the resource (for example, a resource group) is read-only; even tags on the resource group can’t be modified.

To modify a locked resource, you must first remove the lock. After you remove the lock, you can apply any action you have permissions to perform. Resource locks apply regardless of RBAC permissions.

Example: trying to delete a locked resource fails with the error:
Please remove the lock and try again. (Code: ScopeLocked)

Describe the purpose of the Service Trust portal
The Microsoft Service Trust Portal is a portal that provides access to various content, tools, and other resources about Microsoft security, privacy, and compliance practices.
https://servicetrust.microsoft.com/
The Service Trust Portal contains details about Microsoft’s implementation of controls and processes that protect our cloud services and the customer data therein.
Describe features and tools for managing and deploying Azure resources

Describe tools for interacting with Azure
Azure portal
Azure PowerShell
Azure Command Line Interface (CLI)
Describe the purpose of Azure Arc
Managing hybrid and multi-cloud environments can rapidly get complicated. Azure provides a host of tools to provision, configure, and monitor Azure resources. What about the on-premises resources in a hybrid configuration or the cloud resources in a multi-cloud configuration?
By using Azure Resource Manager (ARM), Arc lets you extend your Azure compliance and monitoring to your hybrid and multi-cloud configurations. Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform.
What can Azure Arc do outside of Azure?
Currently, Azure Arc allows you to manage the following resource types hosted outside of Azure:
Servers
Kubernetes clusters
Azure data services
SQL Server
Virtual machines (preview)

Describe Azure Resource Manager and Azure ARM templates
Azure Resource Manager (ARM) is the deployment and management service for Azure.
Azure Resource Manager benefits
Declarative templates (JSON) rather than scripts.
Deploy, manage, and monitor all the resources for your solution as a group.
Re-deploy.
Define the dependencies.
Apply access control to all services with RBAC.
Apply tags.
Clarify your organization’s billing.
ARM templates
Infrastructure as code.
Describe monitoring tools in Azure
Describe the purpose of Azure Advisor
Evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs.
The recommendations are available via the Azure portal and the API, and you can set up notifications to alert you to new recommendations.
The five recommendation categories for Azure Advisor are: Reliability, Security, Performance, Operational Excellence, and Cost.

Describe Azure Service Health
https://status.azure.com/en-us/status

Azure status reports on service problems that affect a broad set of Azure customers.

Resource Health gives you a personalized dashboard of the health of your resources. Resource Health shows all the times that your resources have been unavailable because of Azure service problems. This data makes it easy for you to see if an SLA was violated.
Describe Azure Monitor
Azure Monitor is a platform for collecting data on your resources, analyzing that data, visualizing the information, and even acting on the results.

Azure Log Analytics is the tool in the Azure portal where you’ll write and run log queries on the data gathered by Azure Monitor.
Azure Monitor Alerts are an automated way to stay informed when Azure Monitor detects a threshold being crossed.
Application Insights, an Azure Monitor feature, monitors your web applications. Application Insights is capable of monitoring applications that are running in Azure, on-premises, or in a different cloud environment.
Resource Health is a tailored view of your actual Azure resources. It provides information about the health of your individual cloud resources.
AZ-900: Microsoft Azure Fundamentals Sample Questions | Microsoft Learn
