AZ-900 Practice Questions: 20 Free Microsoft Azure Fundamentals Questions with Answers (2026)

How to Use These Practice Questions

Read each question carefully and choose your answer before scrolling to the explanation. Each question includes a domain label so you can track which areas need more study. The 20 questions below cover all three AZ-900 domains: Describe Cloud Concepts (20%), Describe Azure Architecture and Services (45%), and Describe Azure Management and Governance (35%).

These 20 questions are just 5% of the full AZ-900 question bank. The complete ReadRoost pack includes 400 questions and 200 flashcards with spaced repetition that tracks exactly which concepts you need to review. Start your free preview at readroo.st/marketplace/az-900-azure-fundamentals.

Questions 1-5: Cloud Concepts and Azure Architecture

Domain: Describe cloud concepts | Difficulty: Moderate 1. A manufacturing company needs consistent, predictable performance for mission-critical systems and plans significant capital investment in infrastructure. Which cloud pricing model should they consider? A) Pay-as-you-go consumption pricing B) Reserved instances with long-term commitment discounts C) Spot instances for cost optimization D) Serverless pay-per-execution pricing

Correct Answer: B Reserved instances provide discounts for long-term commitments (1-3 years), making them ideal when workload requirements are predictable and consistent. The upfront investment and discounted rates align with the company's capital investment strategy. Pay-as-you-go offers flexibility but higher per-unit costs, spot instances are for fault-tolerant workloads, and serverless suits variable workloads.

Domain: Describe cloud concepts | Difficulty: Foundation 2. Your company previously purchased three-year software licenses for productivity tools that sit unused during off-peak seasons. Which cloud pricing model would provide better cost efficiency? A) Purchasing perpetual licenses upfront B) Pay-per-use consumption-based pricing C) Long-term reserved capacity contracts D) Dedicated server leasing

Correct Answer: B Consumption-based pricing charges only for resources used, eliminating waste during off-peak seasons. This is much more efficient than upfront license purchases or reserved capacity contracts which charge regardless of usage. Long-term contracts also require upfront commitment similar to traditional licensing.

Domain: Describe cloud concepts | Difficulty: Foundation 3. A mid-size business wants to minimize changes to their current application architecture while reducing infrastructure maintenance. Which service model supports a gradual transition? A) PaaS - requires application redesign B) SaaS - only for standalone applications C) IaaS - allows lift-and-shift migration with minimal changes D) Serverless - requires complete rewrite

Correct Answer: C IaaS enables lift-and-shift migration where existing applications run on virtual machines with minimal or no code changes. The business retains control over the operating system, middleware, and runtime while offloading hardware maintenance to the cloud provider. PaaS and serverless would require application redesign, and SaaS provides finished applications rather than infrastructure.

Domain: Describe cloud concepts | Difficulty: Challenging 4. An organization discovers that its security team lacks expertise in managing infrastructure but needs to deploy secure systems quickly. Which cloud benefit addresses this gap? A) Managed PaaS services with built-in security controls and compliance baselines B) IaaS with full control allowing custom security implementation C) SaaS for all applications eliminating security concerns entirely D) Hybrid cloud maintaining some on-premises control

Correct Answer: A Managed PaaS services embed security controls and compliance frameworks, reducing the expertise and effort required from internal teams. Azure App Service and Azure SQL Database are examples where Microsoft handles OS patching, firewall rules, and compliance baselines. IaaS still requires the organisation to manage OS and network security, while SaaS does not eliminate all security concerns since you still manage data and user access.

Domain: Describe Azure architecture and services | Difficulty: Moderate 5. What is the primary difference between a public endpoint and a private endpoint in Azure networking? A) Public endpoints support higher bandwidth B) Public endpoints are accessible from the internet; private endpoints are accessible only from within a VNet C) Public endpoints use TCP/IP while private endpoints use UDP D) Public endpoints require a VPN

Correct Answer: B Public endpoints expose resources to the internet with public IPs; private endpoints create private connections within a VNet using private IPs.

Questions 6-10: Azure Architecture and Services

Domain: Describe Azure architecture and services | Difficulty: Foundation 6. What does Single Sign-On (SSO) enable users to do? A) Sign in once and access multiple applications without re-entering credentials B) Sign in to multiple accounts simultaneously C) Bypass all security requirements D) Create their own authentication methods

Correct Answer: A Single Sign-On allows users to authenticate once and gain access to multiple applications and resources without needing to log in separately to each one. This improves user experience while maintaining security.

Domain: Describe Azure architecture and services | Difficulty: Foundation 7. Which storage tier would you choose for data that is accessed only a few times per year? A) Hot tier B) Cool tier C) Archive tier D) Premium tier

Correct Answer: C The Archive tier is designed for rarely accessed data with acceptable high retrieval latency. It offers the lowest storage cost but has longer retrieval times, making it ideal for infrequently accessed data.

Domain: Describe Azure architecture and services | Difficulty: Challenging 8. Your organization spans multiple countries and uses both sovereign and standard Azure regions. What is the most important architectural consideration? A) Sovereign and standard regions can freely replicate data B) Network latency is identical between region types C) Service availability differences must be carefully evaluated, as sovereign regions offer limited services D) All subscriptions must be in the same tenant

Correct Answer: C Sovereign cloud regions such as Azure Government and Azure China 21Vianet often have limited service availability compared to standard Azure regions due to regulatory and compliance requirements. Architects must verify which services are available in sovereign regions before designing solutions that span both region types. Data replication between sovereign and standard regions is restricted, and not all subscriptions can share a tenant.

Domain: Describe Azure architecture and services | Difficulty: Challenging 9. A particular Azure region doesn't support availability zones. Which provides the best protection against datacenter-level failures? A) Use the paired region with geo-redundant storage B) Deploy VMs in an availability set within the region C) Use multiple subscriptions in the same region D) Deploy resources across multiple resource groups

Correct Answer: A If a region doesn't support availability zones, the best protection against datacentre-level failures is to use the paired region with geo-redundant storage (GRS). Azure paired regions are at least 300 miles apart and are used for disaster recovery. Availability sets protect against rack-level failures within a single datacentre but not against an entire datacentre going offline. Multiple subscriptions or resource groups do not provide geographic redundancy.

Domain: Describe Azure architecture and services | Difficulty: Moderate 10. Which of the following is a key component of the defense-in-depth security strategy? A) Using multiple layers of security controls to protect resources B) Relying on a single firewall for all security C) Using only one authentication method D) Avoiding encryption to reduce complexity

Correct Answer: A Defense-in-depth is a security strategy that uses multiple layers of protection to defend against threats. If one layer is compromised, other layers remain in place to continue protecting the system. This includes physical security, network security, identity and access, data protection, and monitoring.

Questions 11-15: Azure Architecture and Services (Continued)

Domain: Describe Azure architecture and services | Difficulty: Moderate 11. What are external identities in Azure used for? A) Managing access for users outside your organization to your applications and resources B) Storing backup copies of user data C) Creating internal user accounts only D) Blocking all external access to the network

Correct Answer: A Azure external identities allow you to securely share your applications and services with guest users, partners, and customers from other organizations. This includes B2B collaboration, B2C scenarios, and guest access management.

Domain: Describe Azure architecture and services | Difficulty: Foundation 12. What is the key advantage of using subnets within an Azure Virtual Network? A) Subnets increase network bandwidth automatically B) Subnets allow you to organize resources logically and apply security rules at the subnet level C) Subnets eliminate the need for Network Security Groups D) Subnets provide encryption for all traffic

Correct Answer: B Subnets divide a Virtual Network into smaller logical segments, allowing you to group resources by function (web servers, databases, application servers) and apply Network Security Groups (NSGs) at the subnet level. This enables granular traffic control without requiring changes to individual resources. Subnets do not increase bandwidth automatically, do not replace NSGs, and do not encrypt traffic on their own.

Domain: Describe Azure architecture and services | Difficulty: Foundation 13. What is Azure Migrate primarily used for? A) Moving individual files between Azure regions B) Assessing and migrating entire on-premises infrastructure to Azure C) Syncing on-premises databases with Azure D) Backing up local storage devices

Correct Answer: B Azure Migrate is a comprehensive service that helps organizations assess their on-premises environment and migrate servers, databases, web applications, and data to Azure.

Domain: Describe Azure management and governance | Difficulty: Foundation 14. How does resource type affect Azure costs? A) Different resource types have different pricing models based on their capabilities B) All Azure resources cost the same regardless of type C) Resource type only affects performance, not cost D) Only virtual machines incur costs in Azure

Correct Answer: A Each Azure resource type has its own pricing structure based on factors like computational power, storage capacity, and included features.

Domain: Describe Azure management and governance | Difficulty: Moderate 15. How does Microsoft Purview help organizations meet regulatory compliance requirements? A) By creating firewall rules and network security policies B) By providing visibility into data locations and enabling compliance with regulations like GDPR C) By automatically patching all software vulnerabilities D) By managing user access controls through Active Directory

Correct Answer: B Microsoft Purview provides data governance capabilities that help organizations understand where their data is located, who can access it, and whether it complies with regulations like GDPR and HIPAA.

Questions 16-20: Azure Management and Governance

Domain: Describe Azure management and governance | Difficulty: Challenging 16. How can Azure Policy and resource locks work together to improve governance? A) Azure Policy enforces standards while locks prevent accidental changes to compliant resources B) Locks replace the need for Azure Policy entirely C) They serve identical functions and one should be chosen over the other D) Resource locks can only be applied through Azure Policy rules

Correct Answer: A Azure Policy and resource locks complement each other: Azure Policy ensures resources meet organizational standards and compliance requirements, while locks provide an additional layer of protection against accidental modification or deletion.

Domain: Describe Azure management and governance | Difficulty: Foundation 17. What does Infrastructure as Code (IaC) mean? A) Writing code to encrypt and secure infrastructure B) Using code to define and provision infrastructure resources in a repeatable and version-controlled manner C) Creating virtual machines with custom applications D) Writing security policies for network firewalls

Correct Answer: B Infrastructure as Code is an approach where infrastructure is defined using code (such as JSON or YAML templates) that can be version-controlled, reviewed, and deployed consistently across environments.

Domain: Describe Azure management and governance | Difficulty: Moderate 18. What is the main function of resource locks in Azure? A) To encrypt data in transit between resources B) To prevent accidental deletion or modification of critical resources C) To monitor resource usage and billing D) To automatically scale resources based on demand

Correct Answer: B Resource locks in Azure provide a mechanism to prevent accidental deletion or modification of resources by restricting the actions that can be performed on those resources.

Domain: Describe Azure management and governance | Difficulty: Moderate 19. What can Azure Policy be used to do? (Select the best answer) A) Automatically delete non-compliant resources B) Enforce consistent naming conventions and tagging standards across resources C) Replace Azure Blueprints entirely D) Manage user identities in Azure Active Directory

Correct Answer: B Azure Policy can enforce organizational standards such as naming conventions, tagging requirements, and resource configurations across all Azure resources to ensure compliance.

Domain: Describe Azure management and governance | Difficulty: Challenging 20. Which type of resource lock allows read operations but prevents modifications and deletions? A) CanNotDelete lock B) ReadOnly lock C) NoModify lock D) DeleteProtected lock

Correct Answer: B A ReadOnly lock prevents any modifications or deletions to a resource while still allowing read operations. In contrast, a CanNotDelete lock only prevents deletions but allows modifications.

How Did You Score?

Can you beat the average? Most first-time test-takers score 12/20 on these questions. Share your score and challenge a study partner. 15-20 correct: Exam-ready. You have a strong command of Azure fundamentals across all three domains. Book your exam with confidence and start drilling edge cases at readroo.st/marketplace/az-900-azure-fundamentals. 10-14 correct: Good foundation but review the domains where you dropped questions. One focused study session on your weak areas should close the gap. Use the domain labels above to identify exactly where to focus. Under 10 correct: Focus on the domains you missed. Start with the free Microsoft Learn AZ-900 learning path, then work through practice questions daily until you consistently score above 80%. The ReadRoost spaced repetition system at readroo.st/marketplace/az-900-azure-fundamentals will track your weak spots automatically.

These 20 questions are just 5% of the full AZ-900 question bank. The complete ReadRoost pack includes 400 questions and 200 flashcards with spaced repetition that tracks exactly which concepts you need to review. Start your free preview at readroo.st/marketplace/az-900-azure-fundamentals.

If you passed the AZ-900, your next step is the AZ-104 Azure Administrator exam. ReadRoost has practice packs for AZ-104 at readroo.st/marketplace/az-104-azure-administrator and AI-900 Azure AI Fundamentals at readroo.st/marketplace/ai-900-azure-ai-fundamentals.