✦ Updated June 2026 · AZ-900 January 2026 Refresh

Microsoft Azure Fundamentals
Complete Study Guide

Every Azure service you need for the AZ-900 — including the January 2026 AI expansion, Microsoft Entra ID updates, and all three exam domains with exam tips.

Questions: 40-60
Duration: 85 min
Pass: 700 / 1000
Domains: 3
Exam Fee: $99
Azure Regions: 60+
☁️ Domain 1 — Describe Cloud Concepts
Cloud benefits, service models (IaaS/PaaS/SaaS), deployment models, shared responsibility
25–30% of Exam
☁️ Cloud Benefits — Microsoft's 6 Key Terms
⬆️ High Availability
Guarantee maximum uptime via SLAs. Services remain accessible even during failures. Azure SLAs typically 99.9%–99.99%.
📈 Scalability
Add resources as demand grows (scale up = bigger; scale out = more). Pay only for what you use.
🔄 Elasticity
Automatically scale resources up AND down with demand. Avoid over-provisioning. Scale in when not needed.
🏆 Reliability
Recover from failures automatically. Azure's global infrastructure distributes resources so one failure doesn't take everything down.
📊 Predictability
Consistent performance AND consistent cost. You can forecast costs before deploying. Azure Pricing Calculator helps.
🔐 Security
Built-in security tools, compliance certifications, physical security of datacenters, encryption. Shared responsibility applies.
⚖️ Governance
Enforce standards and policies at scale. Azure Policy, blueprints, management groups. Compliance reporting built in.
🛠️ Manageability
Manage resources through portal, CLI, PowerShell, APIs, ARM templates. Auto-scale, auto-heal, monitoring built in.
🏠 Cloud Deployment Models
☁️ Public Cloud
Owned and operated by a cloud provider (Azure, AWS, GCP). Resources shared across multiple customers. No upfront hardware. Pay-as-you-go. Most cost-effective.
🏢 Private Cloud
Cloud environment owned by a single organisation. Can be on-premises or hosted. Full control and customisation. Highest cost, highest control.
🔀 Hybrid Cloud
Combines public and private. Workloads move between environments. Azure Arc extends Azure management to on-prem and other clouds. Most flexible.
🌐 Multi-Cloud
Using services from multiple cloud providers simultaneously (e.g. Azure + AWS). Azure Arc supports multi-cloud management. Increasingly tested on AZ-900 since 2025.
🧱 Cloud Service Models — IaaS, PaaS, SaaS
Model | You Manage | Microsoft Manages | Azure Example
IaaS (Infrastructure as a Service) | OS, middleware, runtime, apps, data | Physical hosts, network, datacenters | Azure VMs
PaaS (Platform as a Service) | Applications, data | OS, middleware, runtime, hardware | Azure App Service, Azure SQL
SaaS (Software as a Service) | Data (configuration only) | Everything — application + all infrastructure | Microsoft 365, Outlook
💡 Exam Tip
Your responsibility decreases as you go IaaS → PaaS → SaaS. IaaS = most control, most responsibility. SaaS = least control, least responsibility. For IaaS (VMs), YOU patch the OS. For PaaS/SaaS, Microsoft patches it.
💰 CapEx vs OpEx — A Core Cloud Economics Concept
🏭 CapEx — Capital Expenditure
Upfront investment in physical infrastructure. Buy servers, racks, networking. Value depreciates over time. Traditional on-premises model.
☁️ OpEx — Operational Expenditure
Pay-as-you-go, ongoing costs. No upfront investment. Azure consumption-based pricing. Deductible as a business expense in the same period.
💡 Exam Tip
Cloud = OpEx model. "Pay only for what you use" = OpEx / consumption-based. Microsoft distinguishes "Reliability" (fault tolerance) from "Predictability" (consistent performance + cost). Both appear as separate answer choices on AZ-900.
Shared Responsibility Model
Microsoft's Responsibility
Security "of" the cloud
Physical datacenters, hardware, and networking
Host operating system and virtualisation layer
Physical security and environmental controls
Global network infrastructure
For SaaS: application software + all infrastructure
For PaaS: OS, middleware, runtime patching
Customer's Responsibility
Security "in" the cloud
Data — always the customer's responsibility
Identity and access management (always customer)
For IaaS (VMs): OS patching, middleware, runtime
Applications deployed to cloud
Network security configurations
Devices accessing cloud resources
💡 Exam Tip — Most tested in Domain 1
Data and identity are ALWAYS the customer's responsibility across all service models. Microsoft ALWAYS owns the physical datacenters. For IaaS (VMs) = you patch the OS. For PaaS = Microsoft patches the OS. For SaaS = Microsoft manages everything. The more managed the service, the more Microsoft owns.
⚙️ Domain 2 — Azure Architecture & Services
Global infrastructure, compute, storage, networking, databases, identity, AI, security
35–40% of Exam
Azure Global Infrastructure
🌍 Scale: 60+ Regions, 140+ Countries, 3+ AZs per Region
Azure is Microsoft's global cloud infrastructure — the largest global footprint of any cloud provider in terms of compliance coverage. Azure has availability zones in most major regions, region pairs for geo-redundant backup, and sovereign clouds for government and national requirements.
🌐 Region
Geographic area with one or more datacenters. Data stays in the region unless you move it. Examples: East US, Southeast Asia, UK South.
🔗 Region Pair
Each region paired with another in the same geography (≥300 miles apart). Used for geo-redundant replication and disaster recovery. E.g. East US ↔ West US.
🏢 Availability Zone (AZ)
Physically separate datacenter within a region, with independent power, cooling, and networking. Min 3 AZs per region. Protect against datacenter failure.
📦 Resource Group
Logical container for Azure resources. Resources in a group share the same lifecycle. Deleting a resource group deletes all resources inside it.
🏦 Subscription
Billing and access boundary. One bill per subscription. Multiple subscriptions can belong to one organisation under a Management Group.
🏛️ Management Group
Organise multiple subscriptions. Apply policies and RBAC at scale above the subscription level. Up to 6 levels of hierarchy.
🏗️ Availability Sets vs Availability Zones
Feature | Availability Set | Availability Zone
Scope | Within a single datacenter | Separate physical datacenters within a region
Fault Domain | Separate rack/power/network within one DC | Entire separate DC
Update Domain | Group of VMs rebooted together during maintenance | Separate maintenance schedules per zone
SLA | 99.95% for 2+ VMs | 99.99% for 2+ VMs across zones
Cost | No extra cost for the set itself | Data transfer charges between zones
💡 Exam Tip
Availability Zones protect against datacenter failure. Availability Sets protect against rack/hardware failure within ONE datacenter. Zones give higher SLA (99.99%). Sets give 99.95%. Region Pairs protect against region-wide failure (natural disaster, etc.).
Azure Virtual Machines · Compute
IaaS — Windows or Linux VMs in the cloud
Full control over OS, software, and configuration
What It Does
Provides virtualised compute in Azure. Choose CPU, RAM, disk, and OS. You manage the guest OS, patching, and everything inside the VM. Azure manages the physical host.
Pricing Models
Pay-as-you-go: Per-second billing. No commitment. Most flexible.
Reserved VM Instances: 1 or 3-year commitment. Up to 72% savings.
Spot VMs: Unused Azure capacity. Up to 90% off. Evictable with 30-second notice. For fault-tolerant batch workloads.
Azure Hybrid Benefit: Use existing Windows Server/SQL Server licences on Azure VMs.
Key Concepts
VM Scale Sets: Auto-scale a group of identical VMs based on demand. Load-balanced automatically.
VM Size families: General purpose (D-series), Compute optimised (F), Memory optimised (E/M), Storage (L), GPU (N)
VM images available via Azure Marketplace (Windows, Linux, pre-configured appliances)
💡 Exam Tips
VMs = IaaS. You patch the OS — Microsoft does not. Spot VMs = cheapest + evictable. Reserved = best long-term savings. VM Scale Sets = automatic horizontal scaling. Azure Hybrid Benefit saves cost if you already own Microsoft licences.
Azure App Service · Compute
PaaS — Fully managed web app hosting
Deploy web apps, REST APIs, and mobile backends without managing servers
What It Does
Fully managed platform for building, deploying, and scaling web apps. Azure manages the infrastructure. You focus on code.
Key Concepts
Supports: .NET, Java, Node.js, Python, PHP, Ruby, Go, Docker containers
App Service Plan: Defines region, size, and scale for apps. One plan can host multiple apps.
Deployment slots: Staging and production slots. Swap with zero downtime.
Built-in auto-scaling, SSL/TLS, custom domains, authentication
💡 Exam Tips
App Service = PaaS. "Deploy web app without managing OS" = App Service. Deployment slots enable zero-downtime deployment. PaaS = Microsoft manages OS/runtime. Free and Shared tiers exist for dev/test.
Azure Functions · Compute
Serverless Event-Driven Compute
Run code triggered by events — no servers to manage
What It Does
Execute small pieces of code in response to events (HTTP request, blob upload, timer, queue message). Serverless — no infrastructure management. Pay only for executions.
Key Concepts
Consumption plan: Pay per execution + per GB-second. Auto-scales to zero. Free 1M executions/month.
Premium plan: Pre-warmed instances, no cold starts, VNet integration.
Triggers: HTTP, Timer, Blob, Queue, Event Grid, Cosmos DB, Service Bus
Supports: C#, Python, JavaScript, TypeScript, Java, PowerShell
💡 Exam Tips
Azure Functions = serverless = event-driven = pay per execution. "Run code only when triggered" = Azure Functions. Cold starts on Consumption plan (slight delay on first execution). Premium plan eliminates cold starts.
Azure Kubernetes Service · Compute
Managed Kubernetes Container Orchestration
Deploy and manage containerised applications at scale
Key Concepts
Fully managed Kubernetes. Azure handles control plane (master nodes). You manage worker nodes.
Pods: Smallest deployable unit (one or more containers)
Integrates with Azure Container Registry (ACR) for storing container images
Auto-scaling: Horizontal Pod Autoscaler + Cluster Autoscaler
💡 Exam Tips
AKS = managed Kubernetes. If the question mentions "Docker containers at scale" or "microservices orchestration" → AKS. Azure Container Instances (ACI) = simpler, single containers, no orchestration needed.
Azure Container Instances · Compute
Fast Serverless Containers — No Cluster Needed
Run a container in seconds without managing infrastructure
Key Concepts
Fastest way to run a container in Azure. No VMs, no clusters, no Kubernetes.
Per-second billing. Great for burst workloads, batch jobs, CI/CD tasks.
vs AKS: ACI = simple single containers; AKS = complex multi-container orchestration at scale.
💡 Exam Tips
ACI = "quickest way to run a container" = no setup needed. AKS = containers at scale with orchestration. If the question says "simple container, no cluster" → ACI.
Azure Virtual Desktop · Compute
Cloud-Based Windows Desktop & App Virtualisation
Deliver Windows desktops and apps from Azure to any device
Key Concepts
Windows multi-session — multiple users share one Windows 11/10 VM (reduces cost)
Runs in Azure; users access from any device via browser or client app
Great for remote work, BYOD scenarios, regulated industries requiring centralised control
Integrates with Microsoft Entra ID for identity and Intune for device management
💡 Exam Tips
"Deliver Windows desktops from the cloud" = Azure Virtual Desktop. Multi-session Windows = cost efficiency. Includes Microsoft 365 apps. Contrast with Azure VMs (IaaS, individual machines).
Azure Blob Storage · Storage
Object/Unstructured Data Storage
Store text, images, videos, backups — any format, any size
What It Does
Massively scalable object storage for unstructured data. Accessible via HTTPS from anywhere. Three blob types: Block (files), Append (logs), Page (VHDs/random access).
Access Tiers (cost high → low)
Hot: Frequently accessed data. Highest storage cost, lowest access cost.
Cool: Infrequently accessed (30+ day minimum). Lower storage cost, retrieval fee.
Cold: Rarely accessed (90+ day minimum). Even lower cost.
Archive: Rarely accessed (180+ day minimum). Lowest cost. Offline — must rehydrate (hours) before reading.
Key Features
Lifecycle management: auto-move blobs between tiers based on age
Immutable storage (WORM) for compliance and legal hold
Static website hosting from blob storage
Azure Storage accounts house all Azure Storage services (Blob, Files, Queues, Tables)
💡 Exam Tips
Blob = object storage. Archive tier = cheapest + offline (must rehydrate). Hot = fastest + costliest. Lifecycle management auto-moves blobs between tiers. "Static website hosting on Azure" = Blob Storage. Redundancy options: LRS (local), ZRS (zone), GRS (geo), GZRS (geo+zone).
Azure Files · Storage
Managed Cloud File Shares (SMB/NFS)
Replace or supplement on-premises file servers
Key Concepts
Fully managed file shares accessible via SMB (Windows) and NFS (Linux) protocols
Mount from Windows, Linux, or macOS on-premises AND in Azure VMs simultaneously
Azure File Sync: Cache Azure file share on-premises Windows servers for local performance + cloud backup
Great for: lift-and-shift of file-server workloads, shared app configs, diagnostic data
💡 Exam Tips
"Replace Windows file server" or "SMB file share in the cloud" = Azure Files. Azure File Sync = extend on-prem file servers to Azure. Compare to Blob (object) and Disk (VM-attached block). Files = shared network drive.
Azure Managed Disks · Storage
Block Storage Volumes for Azure VMs
Persistent storage attached to Virtual Machines
Disk Types
Ultra Disk: Highest performance. Sub-ms latency. For intensive DB workloads.
Premium SSD v2: High performance, cost-efficient. Production DBs, enterprise apps.
Premium SSD: High performance, consistent. SQL Server, production VMs.
Standard SSD: Web servers, dev/test, lightly used apps.
Standard HDD: Cheapest. Backup, non-critical, infrequent access.
💡 Exam Tips
Managed Disks = block storage attached to VMs. "Managed" means Azure handles storage account management behind the scenes. Azure snapshots back up disks to Blob Storage. Different from Azure Files (shared) or Blob (objects).
Storage Redundancy Options · Storage
LRS · ZRS · GRS · GZRS
Protect data against hardware, zone, and region failures
Redundancy Levels (cost low → high)
LRS (Locally Redundant): 3 copies in ONE datacenter. Cheapest. Protects against disk failure. Does NOT protect against datacenter failure.
ZRS (Zone Redundant): 3 copies across 3 AZs in ONE region. Protects against datacenter failure.
GRS (Geo-Redundant): 6 copies — 3 in primary region (LRS) + 3 in paired region (LRS). Protects against region failure.
GZRS (Geo-Zone Redundant): ZRS in primary + LRS in paired region. Highest durability.
💡 Exam Tips
LRS = same datacenter. ZRS = same region, different zones. GRS = different regions. GZRS = best of both. For DR requirements, you need at minimum GRS. "Protect against region-wide outage" = GRS or GZRS. All options provide 11 nines (99.999999999%) durability.
Azure Virtual Network (VNet) · Network
Your Isolated Private Network in Azure
Connect Azure resources securely, like a traditional network in the cloud
Key Concepts
Subnets: Divide VNet into segments. Resources in same subnet communicate freely.
VNet Peering: Connect two VNets (same region or global). Traffic stays on Microsoft backbone.
NSG (Network Security Group): Filter traffic to/from subnets and VMs. Inbound/outbound rules.
Service Endpoints: Extend VNet private address space to Azure services (e.g. Storage, SQL). Traffic stays on backbone.
Private Endpoints: Give Azure PaaS services a private IP inside your VNet. No public internet exposure.
💡 Exam Tips
VNet = Azure's private network (like AWS VPC). NSGs control traffic at subnet or VM level (stateful). Service Endpoints = backbone routing to Azure services. Private Endpoints = private IP for PaaS services inside your VNet (stronger isolation). VNet Peering ≠ VPN (peering = backbone, VPN = encrypted tunnel).
VPN Gateway & ExpressRoute · Network
Connect On-Premises to Azure
Encrypted VPN or dedicated private connection
Two Options
Azure VPN Gateway: Encrypted tunnel over public internet. Site-to-site (network to network) or Point-to-site (user to network). Quick, cheaper, variable bandwidth.
Azure ExpressRoute: Private, dedicated connection via a connectivity provider. Does NOT go over the internet. Consistent bandwidth, lower latency, higher cost. Takes weeks to provision.
💡 Exam Tips
VPN Gateway = encrypted internet tunnel = cheaper, variable. ExpressRoute = private dedicated line = consistent, no internet, expensive. "Not go through the public internet" = ExpressRoute. "Encrypted connection over internet" = VPN Gateway. ExpressRoute SLA = higher guaranteed availability.
Azure Load Balancing Services · Network
Load Balancer · App Gateway · Front Door · Traffic Manager
Distribute traffic for availability and performance
Four Services — Choose the Right One
Azure Load Balancer: Layer 4 (TCP/UDP). Distributes traffic within a region. Internal or public. High performance, no content-based routing.
Application Gateway: Layer 7 (HTTP/HTTPS). Route based on URL path or hostname. Built-in WAF (Web Application Firewall). Regional.
Azure Front Door: Global Layer 7 load balancer + CDN + WAF. Routes users to nearest healthy backend worldwide. SSL offload.
Azure Traffic Manager: DNS-based global routing. Routes users based on geography, performance, priority, or weight. Does NOT inspect HTTP content.
💡 Exam Tips
Layer 4 + single region = Load Balancer. Layer 7 + single region + WAF = Application Gateway. Layer 7 + global + CDN = Front Door. DNS-based global routing = Traffic Manager. "Global HTTP load balancing" = Front Door. "URL-path-based routing" = App Gateway or Front Door.
Azure DNS · Network
Host DNS Domains in Azure
Manage DNS records with Azure reliability and global network
Key Concepts
Host DNS zones in Azure — manage A, AAAA, CNAME, MX, TXT records
Private DNS zones: Name resolution within VNets (not public internet)
Cannot register/purchase domain names — only host DNS for existing domains
99.99% SLA, Anycast routing for low latency
💡 Exam Tips
Azure DNS = host and manage DNS records, NOT buy domain names. Azure DNS ≠ Traffic Manager (TM is routing; DNS is just resolution). Private DNS zones resolve names inside VNets.
Azure CDN · Network
Content Delivery Network
Deliver content from edge locations closest to users
Key Concepts
Cache static content (images, videos, CSS, JS) at edge locations globally
Reduces latency for global users — content served from nearest PoP
Reduces origin server load
Integrates with Blob Storage, App Service, Azure Front Door
Note: Azure Front Door now includes CDN capabilities. Azure CDN from Akamai/Verizon being consolidated into Front Door.
💡 Exam Tips
"Speed up delivery of static content globally" = Azure CDN. Azure Front Door also provides CDN + WAF + global load balancing in one service.
Azure SQL Database · Database
Fully Managed Relational Database (PaaS)
SQL Server in the cloud — patches, backups, HA managed by Azure
Key Concepts
PaaS — Azure manages OS, SQL engine patching, backups, high availability
Purchasing models: vCore (choose CPU/RAM) or DTU (bundled compute/IO/storage)
Hyperscale: Up to 100TB, auto-scales storage, fast backups
Serverless tier: Auto-pauses when idle. Pay only when active.
Azure SQL Managed Instance: Near 100% SQL Server compatibility. Lift-and-shift from on-premises with minimal changes.
💡 Exam Tips
Azure SQL Database = PaaS SQL Server. You manage queries/data; Azure manages everything else. SQL Managed Instance = more compatible with full SQL Server (for lift-and-shift). Both are PaaS. "Fully managed SQL Server" = Azure SQL Database.
Azure Cosmos DB · Database
Globally Distributed Multi-Model NoSQL
Single-digit millisecond at global scale with multiple APIs
What It Does
Fully managed, serverless, globally distributed NoSQL database. Supports multiple data models via different APIs. Active-active multi-region writes.
Supported APIs
NoSQL (Core SQL): Document model with SQL-like query language
MongoDB: Wire protocol compatible with MongoDB applications
Cassandra: Column-family data model
Table: Key-value store (Azure Table Storage compatible)
Gremlin: Graph database model
Key Features
Global distribution: replicate to any Azure region with one click
5 consistency levels: Strong, Bounded Staleness, Session, Consistent Prefix, Eventual
Serverless option: pay per request (no provisioned throughput)
💡 Exam Tips
Cosmos DB = globally distributed NoSQL. "Multi-model, multi-API" = Cosmos DB. "Migrate MongoDB to Azure" = Cosmos DB for MongoDB API. "Low latency globally + NoSQL" = Cosmos DB. Active-active multi-region = all regions accept reads AND writes.
Azure DB for MySQL / PostgreSQL · Database
Managed Open-Source Relational Databases
Fully managed MySQL and PostgreSQL — no infrastructure management
Key Concepts
PaaS — Azure manages patching, backups, HA, scaling
Flexible Server: Full control over maintenance windows, cost-optimised, zone-HA
Supports MySQL 8.0 and PostgreSQL 14/15/16
Built-in read replicas, point-in-time restore, geo-redundant backup
💡 Exam Tips
"Managed MySQL/PostgreSQL" = Azure Database for MySQL/PostgreSQL. Same concept as Azure SQL Database but for open-source engines. All are PaaS — Azure patches the engine, you manage data and queries.
Azure Cache for Redis · Database
In-Memory Cache for Sub-Millisecond Performance
Reduce database load by caching frequently accessed data
Key Concepts
Fully managed Redis. Microsecond to millisecond response times.
Use cases: session store, leaderboard, real-time analytics, pub/sub messaging, database query caching
Tiers: Basic (dev/test, no SLA), Standard (replicated, SLA), Premium (clustering, persistence, VNet)
💡 Exam Tips
"Reduce database load" or "session caching" = Azure Cache for Redis. Same role as AWS ElastiCache. "Sub-millisecond latency for data lookups" = Redis cache.
Microsoft Entra ID · Identity · Replaces Azure AD
Cloud Identity and Access Management
Manage users, authentication, and access across Azure and Microsoft 365
What It Does
Microsoft's cloud-based identity service. Controls who can sign in, what they can access, and how they authenticate. Formerly called Azure Active Directory (Azure AD). Rebranded to Microsoft Entra ID in 2023.
Key Concepts
Tenant: Dedicated Azure AD/Entra ID instance for your organisation
SSO: Sign in once, access multiple apps (Microsoft 365, Azure, SaaS apps)
MFA: Multi-factor authentication. Require second factor (phone, app, hardware key)
Conditional Access: If-then policies. "IF user is in Singapore on a compliant device THEN allow. ELSE require MFA or block." Zero Trust enforcement.
Entra ID Protection: Detect risky sign-ins using ML (atypical location, leaked credentials, etc.)
B2B: Invite external partners/vendors to access your resources
B2C: Identity for customer-facing apps (sign in with Google, Facebook, etc.)
🆕 2025–2026 Updates
External MFA (GA 2026): Integrate third-party MFA providers into Conditional Access. Replaces Custom Controls (retiring September 2026).
Conditional Access enforcement (June 2026): Policies now enforced during credential registration for Windows Hello for Business and macOS Platform SSO.
Phishing-resistant MFA on Linux: Now supported on Ubuntu 24.04/26.04 and RHEL 8/9/10.
💡 Exam Tips
Entra ID = Microsoft's identity service (formerly Azure AD). It is NOT the same as on-premises Active Directory. Entra ID is cloud-native; on-prem AD uses Kerberos/LDAP. Conditional Access = Zero Trust policy engine. MFA = always recommend enabling. "Block legacy authentication" = Conditional Access. Tenant = your organisation's identity boundary.
Azure RBAC · Identity
Role-Based Access Control
Control who can do what on which Azure resources
Built-in Roles (most important)
Owner: Full access including ability to grant access to others
Contributor: Create and manage resources but cannot grant access to others
Reader: View resources only, no modifications
User Access Administrator: Manage user access to Azure resources
Key Concepts
RBAC assignments: WHO (security principal) + WHAT (role) + WHICH SCOPE (management group/subscription/resource group/resource)
Additive — most permissive role wins across assignments
DENY assignments override role assignments
Custom roles can be created with specific permissions
💡 Exam Tips
RBAC = WHO can access WHAT. Azure Policy = enforce RULES on resources. These are different and commonly confused. RBAC controls access; Policy controls compliance. Owner > Contributor > Reader. Always use least privilege.
Microsoft Entra PIM · Identity
Privileged Identity Management
Just-in-time privileged access with approval and audit
Key Concepts
JIT (Just-in-Time) access: request elevated role for a limited time window (e.g. 1 hour as Global Admin)
Requires justification and optional approval workflow
All activations and access are audited
Reduces standing privilege — no permanent admin roles sitting idle
Requires Entra ID P2 licence
💡 Exam Tips
PIM = JIT privileged access. "Temporary admin access with approval and audit" = PIM. Requires Entra ID P2. Reduces attack surface by eliminating standing privileges. "Zero standing access" architecture.
Microsoft Defender for Cloud · Security
Cloud Security Posture Management (CSPM) + Workload Protection
Assess, harden, and protect Azure, on-prem, and multi-cloud workloads
Two Core Functions
CSPM (Posture Management): Secure Score — numerical score of how well-configured your security is. Recommendations to improve it. Free for Azure resources.
CWP (Workload Protection): Threat detection for VMs, containers, databases, storage, Key Vault, App Service. Paid per resource type.
Key Concepts
Secure Score: Your security posture score (0–100%). Higher = better. Actionable recommendations to improve.
Works across Azure, on-premises, AWS, and GCP (multi-cloud)
Regulatory compliance dashboard: CIS, PCI DSS, ISO 27001, NIST
💡 Exam Tips
Defender for Cloud = security posture (Secure Score) + threat detection. "Improve security score" = Defender for Cloud recommendations. "Detect threats on VMs" = Defender for Cloud workload protection. Works on Azure AND other clouds (multi-cloud).
Microsoft Sentinel · Security
Cloud-Native SIEM & SOAR
Collect, detect, investigate, and respond to threats at scale
What It Does
Security Information and Event Management (SIEM) + Security Orchestration Automation and Response (SOAR). Collects logs from across your entire estate, uses AI to detect threats, and automates responses.
Key Concepts
Ingests data from: Azure services, Microsoft 365, AWS, on-premises, third-party tools
Analytics rules: Detect suspicious patterns in log data
Playbooks: Automated response workflows (Logic Apps-based)
Workbooks: visualise security data, dashboards
Built on Log Analytics workspace
💡 Exam Tips
Sentinel = SIEM + SOAR = detect and respond to threats across your whole estate. Defender for Cloud = posture management + workload protection. Sentinel = the SOC (Security Operations Center) tool. "Automated threat response" = Sentinel playbooks.
Azure Key Vault · Security
Secrets, Keys, and Certificates Management
Store and control access to secrets, encryption keys, and certificates
What It Stores
Secrets: Passwords, connection strings, API keys — no hardcoding in code/config
Keys: Encryption keys (RSA, EC). FIPS 140-2 Level 2 validated. Premium tier = HSM-backed (Level 3).
Certificates: TLS/SSL certificates. Auto-renewal with CA integration.
Key Concepts
Soft delete + purge protection: deleted secrets not immediately purged (retention period)
All access logged in Azure Monitor
Access via Managed Identities — no credentials needed in app code
Dedicated HSM (Hardware Security Module) available for highest compliance needs
💡 Exam Tips
Key Vault = store secrets/keys/certificates. "No hardcoded passwords in application code" = Key Vault. Premium tier = HSM-backed keys. Managed Identity + Key Vault = passwordless access from Azure services. "Certificate auto-renewal" = Key Vault certificate feature.
Azure DDoS Protection · Security
Distributed Denial of Service Attack Protection
Always-on protection against network-layer attacks
Two Tiers
DDoS Network Protection (formerly Standard): ~$2,940/month per protected VNet. Adaptive tuning, attack analytics, real-time telemetry, rapid response team. 100-resource protection.
DDoS IP Protection: Pay per protected public IP (~$199/IP/month). Granular control for specific IPs. No VNet-level commitment.
Default (basic) protection: Always-on for all Azure customers at no cost. Platform-wide protection.
💡 Exam Tips
Basic DDoS = free, always-on for all Azure resources. Standard/Network Protection = paid, adaptive, per-VNet. "Protect against DDoS attacks" = DDoS Protection Standard. Pairs with Azure Firewall and WAF for layered defence. Different from WAF (application layer).
Azure Firewall · Security
Managed Cloud-Native Network Firewall
Centralised network security for Azure VNets
Key Concepts
Stateful, fully managed firewall. Rules for inbound/outbound/east-west traffic.
FQDN filtering: allow/deny by domain name (e.g. *.microsoft.com)
Threat intelligence-based filtering: block known malicious IPs/domains
Azure Firewall Premium: IDPS (Intrusion Detection and Prevention), TLS inspection, URL filtering
Used in hub-spoke network topologies as the centralised security control
💡 Exam Tips
Azure Firewall = managed Layer 3-7 firewall for VNet traffic. NSG = Layer 4 port/IP rules at subnet/NIC level. WAF = Layer 7 web app protection. These are different layers: use together for defence-in-depth.
Microsoft Purview · Security · Exam Focus 2025+
Data Governance, Risk & Compliance
Discover, classify, and govern data across your entire estate
What It Does
Unified data governance and compliance platform. Covers: data discovery and classification, sensitivity labels, data lifecycle, regulatory compliance, insider risk management, audit logging, and eDiscovery.
Key Capabilities
Data Map: Automated scanning and classification of data across Azure, on-prem, and other clouds
Sensitivity Labels: Classify and protect documents/emails (applies to Microsoft 365 content)
Compliance Manager: Assess compliance against regulations (GDPR, ISO 27001, HIPAA) with a compliance score
Audit: Unified audit log of user and admin activities across Microsoft 365 and Azure
💡 Exam Tips
Purview = data governance + compliance. Added to AZ-900 objectives in 2024–2025. "Classify sensitive data across the organisation" = Purview. "Compliance score and regulatory assessment" = Purview Compliance Manager. Different from Defender for Cloud (which focuses on security posture of Azure workloads).
Azure AI Services · AI/ML · Expanded Jan 2026
Pre-Built AI APIs (formerly Cognitive Services)
Add AI capabilities to apps without ML expertise
Service Categories
Vision: Computer Vision (analyse images/video), Face (detect/verify faces), Custom Vision (train custom image classifiers)
Speech: Speech-to-text, text-to-speech, speech translation, speaker recognition
Language: Text Analytics (sentiment, key phrases, entities), Translator (100+ languages), Language Understanding (LUIS), QnA Maker → now Azure AI Language
Decision: Anomaly Detector, Content Moderator, Personalizer
Document Intelligence: Extract data from forms, invoices, receipts (OCR + ML)
Azure OpenAI Service: Access GPT-4, DALL-E, Whisper via API. Enterprise controls, content filtering, your own data.
💡 Exam Tips
Azure AI Services = pre-built AI, no training needed, API calls. Azure Machine Learning = build your own custom models. Azure OpenAI Service = access to OpenAI models (GPT, DALL-E) with enterprise security. The January 2026 AZ-900 refresh significantly increased AI coverage — know OpenAI Service and Responsible AI principles.
Azure OpenAI Service · AI/ML · New AZ-900 Focus
Enterprise Access to OpenAI LLMs
GPT-4, DALL-E, Whisper — with Azure security and compliance
What It Does
Provides enterprise access to OpenAI's models (GPT-4, GPT-4o, o1, DALL-E 3, Whisper) through Azure's infrastructure with full enterprise security, compliance, and private networking.
Key Concepts
Completions/Chat: Text generation, summarisation, Q&A, code generation
Embeddings: Represent text as vectors for semantic search
DALL-E: Image generation from text prompts
Whisper: Speech-to-text transcription
Data stays in your Azure tenant — not shared with OpenAI for training
Content filtering, responsible AI guardrails built in
💡 Exam Tips
Azure OpenAI = OpenAI models with Azure enterprise features (security, compliance, private networking, content filtering). Key differentiator: your data is NOT used to train OpenAI models. Increasingly tested on AZ-900 since Jan 2026 update.
AML
Azure Machine Learning AI/ML
End-to-End ML Platform
Build, train, deploy, and manage custom ML models
Key Concepts
Full ML lifecycle: data prep → training → evaluation → deployment → monitoring
Automated ML (AutoML): Automatically trains and tunes multiple models, picks the best one. No ML expertise needed.
Designer: Drag-and-drop pipeline builder for ML workflows
MLOps: version control for models, CI/CD pipelines, drift monitoring
Compute: train on CPU/GPU clusters, including Spot/low-priority for cost savings
💡 Exam Tips
Azure ML = build YOUR OWN custom models. Azure AI Services = pre-built, no training needed. AutoML = automated model selection within Azure ML — still requires ML understanding but reduces code. "Train a custom classification model" = Azure ML.
RAI
Microsoft Responsible AI AI/ML AZ-900 Jan 2026
6 Principles for Trustworthy AI
Microsoft's framework for ethical, trustworthy AI development
6 Responsible AI Principles (FIRTPA)
Fairness: AI systems should treat all people equitably, without discrimination or bias
Reliability & Safety: AI should perform reliably and safely, with thorough testing and failure mode analysis
Privacy & Security: AI must respect privacy rights and protect data from misuse
Inclusiveness: AI should empower everyone, including people with disabilities
Transparency: AI systems should be understandable; people should know when and how AI is used
Accountability: Humans remain responsible for AI systems and their impacts
💡 Exam Tips
Memorise the 6 principles: Fairness, Reliability & Safety, Privacy & Security, Inclusiveness, Transparency, Accountability. Added to AZ-900 in the January 2026 update. "Which principle ensures AI systems are understandable?" = Transparency. "Who is responsible for AI outcomes?" = Accountability.
COP
Microsoft Copilot AI/ML AZ-900 Jan 2026
AI Assistant Across Microsoft Products
Generative AI embedded in Microsoft 365, Azure, and Windows
Copilot Variants
Microsoft 365 Copilot: AI assistant in Word, Excel, PowerPoint, Teams, Outlook. Summarise meetings, draft emails, analyse spreadsheets.
GitHub Copilot: AI pair programmer. Code completion, chat, PR summaries.
Copilot in Azure: Natural language to manage Azure resources in the portal, CLI, and Cloud Shell.
Microsoft Copilot (web): General-purpose AI assistant available free via Bing and Windows.
💡 Exam Tips
Microsoft Copilot = AI embedded in Microsoft products powered by Azure OpenAI. Added to AZ-900 in January 2026 update. Know the different Copilot variants and which product each applies to. GitHub Copilot = developer coding assistant.
SYN
Azure Synapse Analytics Analytics
Unified Analytics Platform
Data warehousing + big data analytics in one service
Key Concepts
Dedicated SQL Pool: Traditional data warehouse. Massive parallel processing. Columnar storage.
Serverless SQL Pool: Query data in Azure Data Lake Storage using SQL. Pay per query (like AWS Athena).
Apache Spark Pool: Big data processing and ML with Spark
Integrated with Power BI, Azure ML, and Azure Data Lake
💡 Exam Tips
Synapse = Azure's data warehouse + big data platform. "Query data lake with SQL" = Synapse Serverless or Synapse Link. Compare to AWS Redshift (dedicated DW) + Athena (serverless query). Power BI is the visualisation layer on top.
ADF
Azure Data Factory Analytics
Cloud ETL and Data Integration Service
Move and transform data at scale with pipelines
Key Concepts
Extract, Transform, Load (ETL) and Extract, Load, Transform (ELT) orchestration
90+ connectors: SQL, Oracle, SAP, Salesforce, REST, S3, Blob, Cosmos DB, and more
Mapping Data Flows: Visual, code-free data transformation
Schedule, monitor, and manage data pipelines
Integrates with Synapse Analytics, Databricks, SQL, and Blob Storage
💡 Exam Tips
"Move and transform data between data stores" = Azure Data Factory. "ETL/ELT pipeline" = ADF. Compare to Azure Synapse Analytics (query/warehouse). ADF = the plumbing; Synapse = the analysis engine.
PBI
Power BI Analytics
Business Intelligence & Reporting
Create interactive dashboards and reports from any data source
Key Concepts
Connects to hundreds of data sources: Azure, SQL, Excel, APIs, Salesforce, etc.
Power BI Desktop: Free desktop app to build reports
Power BI Service: Web-based, share and collaborate on reports
Power BI Embedded: Embed reports in your own applications
Part of Microsoft Fabric (new unified analytics platform launched 2023)
💡 Exam Tips
"Business intelligence dashboards and reports" = Power BI. Power BI is in the Microsoft Fabric suite along with Synapse, Data Factory, and more. "Embed analytics in an app" = Power BI Embedded.
ARM
Azure Resource Manager Management
Deployment and Management Layer for Azure
Everything in Azure goes through ARM — it's the control plane
What It Does
The underlying management layer that processes ALL Azure API calls — from the portal, CLI, PowerShell, SDK, or REST API. Provides consistent authentication, RBAC, tagging, and access control for all Azure resources.
ARM Templates & Bicep (IaC)
ARM Templates: JSON-based Infrastructure as Code. Define resources declaratively. Idempotent (safe to re-run).
Bicep: Domain-specific language that compiles to ARM JSON. More readable, less verbose. Microsoft-recommended IaC for Azure.
Template specs: Store ARM templates in Azure for reuse across the organisation
💡 Exam Tips
ARM = the management layer everything goes through. ARM Templates = Azure's IaC (like AWS CloudFormation). Bicep = simpler syntax that compiles to ARM JSON. Azure portal / CLI / PowerShell all go through ARM under the hood. "Deploy infrastructure consistently and repeatedly" = ARM Templates or Bicep.
MON
Azure Monitor Management
Full-Stack Observability Platform
Collect, analyse, and act on telemetry from Azure and other environments
Key Components
Metrics: Numerical time-series data. CPU usage, memory, network — collected by default for most Azure resources.
Log Analytics: Log data store and query engine. Query logs with KQL (Kusto Query Language).
Application Insights: APM for web apps. Track exceptions, requests, dependencies, custom events. Agent-based or SDK.
Alerts: Trigger notifications or actions when metrics/log conditions are met
Workbooks: Interactive visualisation of monitoring data
💡 Exam Tips
Azure Monitor = the umbrella monitoring service (metrics, logs, alerts, dashboards). Log Analytics = the query and storage layer within Monitor. Application Insights = APM for applications (code-level). "Monitor resource health" = Azure Monitor. "Query logs with KQL" = Log Analytics.
ARC
Azure Arc Management Exam Focus
Extend Azure Management Anywhere
Manage on-premises, AWS, and GCP resources from Azure
What It Does
Projects non-Azure resources (on-premises servers, Kubernetes clusters, SQL Servers, data services) into Azure Resource Manager. Lets you apply Azure Policy, RBAC, Defender for Cloud, Monitor, and tagging to resources running anywhere.
Key Concepts
Arc-enabled servers: Manage Windows/Linux servers on-prem or other clouds via Azure
Arc-enabled Kubernetes: Manage K8s clusters anywhere from Azure
Arc-enabled data services: Run Azure SQL Managed Instance or PostgreSQL on-premises
Part of Azure's hybrid cloud strategy alongside Azure Stack
💡 Exam Tips
Arc = extend Azure management to non-Azure resources. "Manage AWS EC2 instances with Azure Policy" = Azure Arc. Hybrid cloud = Azure Arc connects on-prem/other clouds to Azure management plane. Multi-cloud management = Azure Arc. Increasingly tested since 2025.
ADEV
Azure DevOps Management
End-to-End DevOps Toolchain
Plan, develop, test, and deliver software continuously
Five Services
Azure Boards: Work tracking, Kanban boards, backlogs (like Jira)
Azure Repos: Git or TFVC source control hosting
Azure Pipelines: CI/CD build and release pipelines. Language agnostic. Any cloud.
Azure Test Plans: Manual and automated testing management
Azure Artifacts: Package feed for NuGet, npm, Maven, Python packages
💡 Exam Tips
Azure DevOps = complete DevOps platform. Azure Pipelines = CI/CD. Azure Repos = Git hosting. "Build and deploy code automatically" = Azure Pipelines. GitHub Actions is an alternative (owned by Microsoft) increasingly used alongside Azure DevOps.
HLTH
Azure Service Health Management
Personalised Azure Health Dashboard
Track Azure outages, planned maintenance, and health advisories affecting YOUR resources
Three Components
Azure Status: Global view of Azure service health. Public page at status.azure.com.
Service Health: Personalised view. Only shows issues affecting YOUR subscriptions and regions.
Resource Health: Status of specific individual Azure resources. "Is THIS VM healthy?"
💡 Exam Tips
Azure Status = all customers, global. Service Health = your subscriptions specifically. Resource Health = individual resource. "Personalised view of Azure outages" = Service Health. "Is my specific VM healthy?" = Resource Health.
ADV
Azure Advisor Management
Personalised Best Practice Recommendations
Free automated recommendations across 5 categories
5 Categories
Cost: Resize/shutdown underutilised VMs, Reserved Instance recommendations, identify idle resources
Security: Enable MFA, patch vulnerabilities, secure exposed resources (integrates with Defender for Cloud)
Reliability: Add redundancy, enable backups, fix single points of failure
Operational Excellence: Enable diagnostics, follow deployment best practices
Performance: Right-size VMs, add caching, improve app throughput
💡 Exam Tips
Azure Advisor = free, personalised Azure best practice recommendations. Same concept as AWS Trusted Advisor. "Right-size your VMs to save cost" = Advisor Cost recommendation. "Enable MFA" = Advisor Security. Free for all Azure customers.
CLI
Azure Management Tools Management
Portal · CLI · PowerShell · Cloud Shell · SDK
Multiple ways to manage Azure resources
Tool Comparison
Azure Portal: Web GUI at portal.azure.com. Best for exploration, visualisation, one-off tasks.
Azure CLI: Cross-platform command-line tool. Works on Windows, macOS, Linux. Commands start with az.
Azure PowerShell: PowerShell module for Azure. Commands use Az prefix (e.g. New-AzVM). Best for Windows admins.
Azure Cloud Shell: Browser-based shell (bash or PowerShell) accessible from the portal. No local install needed. State persists in Azure Files.
Azure SDKs: Language-specific libraries (.NET, Java, Python, JavaScript, Go) for embedding Azure management in application code.
💡 Exam Tips
Portal = GUI, visual. CLI = scripting, cross-platform. PowerShell = scripting, Windows-centric. Cloud Shell = browser-based, no install. SDK = embed in application code. All go through ARM under the hood. "Manage Azure from a browser without installing anything" = Cloud Shell.
⚖️
Domain 3 — Azure Management & Governance
Cost management, Azure Policy, RBAC, compliance, monitoring, deployment tools
30–35% of Exam
Azure Pricing Models
Pay-as-you-go
Consumption-based. Pay only for what you use. No upfront, no commitment. Most flexible.
Reserved Instances
1 or 3-year commitment for VMs, SQL, Cosmos DB. Up to 72% savings. Exchange/cancel allowed.
Spot VMs
Unused Azure capacity. Up to 90% off. Evicted with 30-second notice when capacity needed.
Azure Hybrid Benefit
Use existing Windows Server / SQL Server SA licences on Azure. Significant savings.
Dev/Test Pricing
Reduced rates for dev/test environments through Visual Studio subscriptions. No production use.
💡 Exam Tips — Azure Pricing
Pay-as-you-go = OpEx, flexible. Reserved = committed, 72% savings. Spot = cheapest, interruptible. Azure Hybrid Benefit = use existing Microsoft licences. TCO Calculator = compare on-prem vs Azure. Pricing Calculator = estimate Azure costs before deploying.
POL
Azure Policy Governance
Enforce Rules and Compliance at Scale
Define and enforce organisational standards across all Azure resources
What It Does
Creates, assigns, and evaluates policies that enforce rules on Azure resources. Example: "All VMs must be in UK South", "Storage accounts must require HTTPS", "All resources must have a CostCenter tag".
Key Concepts
Policy definition: The rule itself (JSON)
Policy assignment: Applying a policy to a scope (management group, subscription, resource group)
Policy initiative (set): Group of multiple policies applied together (e.g. CIS benchmark = 100+ policies)
Effects: Audit (flag but allow), Deny (block non-compliant), DeployIfNotExists (auto-remediate), Append, Modify
Compliance dashboard shows % compliant resources
💡 Exam Tips
Azure Policy = ENFORCE rules on resources. RBAC = control WHO can access resources. These are different! Policy controls what resources look like; RBAC controls who can do things. "Prevent resources being created without a tag" = Azure Policy (Deny). "Only allow specific VM sizes" = Azure Policy.
MGRP
Management Groups Governance
Organise Subscriptions for Policy & Access at Scale
Apply policies and RBAC above the subscription level
Hierarchy (top to bottom)
Root Management Group (one per tenant, cannot be deleted)
Management Groups — up to 6 levels deep
Subscriptions
Resource Groups
Resources
Key Concepts
Policies assigned to a management group inherit DOWN to all subscriptions and resources below
RBAC assigned at management group level propagates to all children
Up to 10,000 management groups per directory
💡 Exam Tips
Management Groups sit ABOVE subscriptions. Assign policies once at the top to govern all subscriptions below. Think: Root MG → Business Unit MGs → Department MGs → Subscriptions. Inheritance flows downward.
BLUE
Azure Blueprints Governance
Repeatable Governance Package for New Environments
Bundle RBAC, policy, ARM templates, resource groups into one deployable package
Key Concepts
Blueprints = package of: Policy assignments + RBAC roles + ARM templates + Resource Group definitions
Versioned: you can update blueprints and track versions
Assigned to subscriptions. Ensures every new subscription meets compliance from day 1.
Note: Azure Blueprints is being deprecated. Microsoft now recommends using Deployment Stacks + Azure Policy + ARM/Bicep templates instead.
💡 Exam Tips
Blueprints = governance package for new subscriptions. "Deploy a compliant new environment consistently" = Blueprints (or the newer Deployment Stacks approach). Key difference from ARM templates: Blueprints track the relationship between what was deployed and the blueprint definition.
COST
Azure Cost Management Billing
Monitor, Analyse, and Optimise Azure Spending
Track costs, set budgets, and get recommendations
Key Features
Cost analysis: Visualise spending by service, resource, location, tag, or subscription over time
Budgets: Set spending limits. Alert at % threshold (e.g. 80% of budget). Can trigger Azure Automation for auto-shutdown.
Advisor integration: Cost recommendations (rightsizing, Reserved Instances, Spot)
Export billing data to Storage Account for custom analysis
Key Tools
Azure Pricing Calculator: Estimate costs BEFORE deploying. Configure services and see monthly projection.
TCO Calculator: Compare on-premises vs Azure costs. Build a migration business case. Accounts for hardware, power, labour, real estate.
💡 Exam Tips
"Estimate cost before deploying" = Pricing Calculator. "Compare on-prem vs Azure" = TCO Calculator. "Set a budget with email alert when exceeded" = Azure Budgets (in Cost Management). "View past spending" = Cost Analysis. Pricing Calculator ≠ TCO Calculator — different purposes.
TAG
Resource Tags Governance
Metadata Labels for Azure Resources
Organise and track resources for cost allocation, automation, and policy
Key Concepts
Key-value pairs attached to resources (e.g. Environment=Production, CostCenter=Marketing, Owner=TeamA)
Up to 50 tags per resource. Tag names are case-insensitive, tag values are case-sensitive.
NOT inherited by default — child resources do not inherit tags from resource groups
Use Azure Policy to enforce mandatory tags
Filter Cost Analysis by tag for chargeback/showback reporting
💡 Exam Tips
Tags do NOT inherit down to child resources automatically — you must use Azure Policy to enforce tagging at deployment. "Track costs per department" = tags + Cost Analysis. "Enforce that all resources have an environment tag" = Azure Policy + tags.
LOCK
Azure Resource Locks Governance
Prevent Accidental Deletion or Modification
Override RBAC permissions to protect critical resources
Two Lock Types
CanNotDelete (Delete lock): Users can read and modify but CANNOT delete. Even Owners cannot delete without removing the lock first.
ReadOnly (Read-only lock): Users can read but CANNOT modify or delete. Like Reader role enforced regardless of RBAC.
Key Concepts
Locks apply at: Subscription → Resource Group → Individual resource level
Locks INHERIT downward (resource group lock applies to all resources inside)
Locks override RBAC — even Owner role cannot delete a locked resource without removing the lock
💡 Exam Tips
Locks prevent accidental changes even if you have Owner RBAC. "Prevent production database from being deleted accidentally" = CanNotDelete lock. "Make resources read-only in production" = ReadOnly lock. Locks INHERIT down; tags do NOT inherit down.
TRUST
Microsoft Trust Center & Compliance Governance
Compliance Documentation and Certifications
Access Azure compliance reports, data privacy info, and regulatory certifications
Key Resources
Microsoft Trust Center: Central resource for security, privacy, compliance, and transparency documentation
Service Trust Portal: Download audit reports, compliance guides, pen test results for Azure (like AWS Artifact)
Compliance Manager: Assess your compliance against 300+ regulations. Actionable improvement recommendations with a compliance score.
Azure regions and data residency: Data stays in the selected region unless you explicitly replicate it. Sovereign clouds available: Azure Government (US), Azure China (21Vianet), Azure Germany.
Common Certifications Azure Holds
ISO 27001, ISO 27018, SOC 1/2/3, PCI DSS Level 1, HIPAA, GDPR, FedRAMP, CSA STAR, Singapore MTCS, Australia IRAP
💡 Exam Tips
Service Trust Portal = download Azure compliance reports (like AWS Artifact). Compliance Manager = assess YOUR compliance posture. Trust Center = learn about Microsoft's privacy and security practices. "Download Azure SOC 2 report" = Service Trust Portal.
SLA
Azure SLAs Billing
Service Level Agreements — Uptime Guarantees
Microsoft's uptime commitments — and what affects them
Key SLA Values
Most Azure services: 99.9% = ~8.7 hours downtime/year
VMs with Availability Zones: 99.99% = ~52 minutes/year
VMs with Availability Sets: 99.95% = ~4.4 hours/year
Single VM with Premium SSD: 99.9%
What Increases SLA
Using Availability Zones (multiple zones) → higher SLA
Using Availability Sets (fault + update domains) → 99.95%
Deploying to multiple regions → near 100% effective availability
FREE tier services have NO SLA — not for production use
💡 Exam Tips
Higher redundancy = higher SLA. Free/preview services have NO SLA. Composite SLA: if two services each 99.9%, combined = 99.9% × 99.9% = 99.8% (lower!). To increase SLA: use AZs, availability sets, or multiple regions. SLA violations → service credits (not refunds).
SB
Azure Service Bus Integration
Enterprise Message Broker
Reliable, ordered, transactional messaging between applications
Key Concepts
Queues: Point-to-point messaging. One consumer processes each message. FIFO available.
Topics & Subscriptions: Pub/sub. One message fans out to multiple subscribers. Filters possible.
Dead-letter queue, duplicate detection, transactions, sessions
Ordering guaranteed, message persistence, high reliability
vs Azure Queue Storage: Service Bus = enterprise features. Queue Storage = simpler, cheaper, larger messages (64KB limit).
💡 Exam Tips
Service Bus = enterprise messaging with ordering, transactions, pub/sub. "Decouple application components" = Service Bus or Queue Storage. Service Bus Queues ≈ AWS SQS. Service Bus Topics ≈ AWS SNS. For simple queuing: Queue Storage. For complex enterprise scenarios: Service Bus.
EG
Azure Event Grid Integration
Fully Managed Event Routing Service
React to Azure events and route them to handlers
Key Concepts
Serverless, event-driven architecture. Low latency, massive scale.
Event sources: Azure services (Blob Storage, Resource Manager, IoT Hub, etc.) or your own apps
Event handlers: Azure Functions, Logic Apps, webhooks, Service Bus, Event Hubs
Push-based: events pushed to handlers immediately when they occur
vs Event Hubs: Event Grid = discrete events (blob created). Event Hubs = high-throughput streaming data.
💡 Exam Tips
Event Grid = react to Azure resource changes (event-driven). "Run a Function when a blob is uploaded" = Event Grid (or Blob trigger directly). Event Grid ≈ AWS EventBridge. Event Hubs = streaming data (telemetry, logs) at scale ≈ AWS Kinesis.
LA
Azure Logic Apps Integration
Low-Code Workflow Automation
Automate workflows and integrate apps with 400+ connectors
Key Concepts
Drag-and-drop workflow designer. 400+ built-in connectors: Salesforce, SAP, SQL, Office 365, Twitter, Slack, etc.
Trigger-action model: when X happens, do Y then Z
vs Azure Functions: Functions = code (developers). Logic Apps = visual designer (less-technical users). Both can automate tasks.
Consumption (pay per action) or Standard (fixed compute) plan
💡 Exam Tips
"Automate workflow without writing code" or "low-code integration" = Logic Apps. "Write code to process events" = Azure Functions. "Business process automation using SaaS connectors" = Logic Apps. Sentinel playbooks are built on Logic Apps.
APIM
Azure API Management Integration
Full API Lifecycle Management
Publish, secure, transform, and monitor APIs
Key Concepts
Sits in front of backend APIs as a gateway. Policies: rate limiting, caching, transformation, auth.
Developer portal: Auto-generated documentation for API consumers
Supports REST, SOAP, GraphQL, WebSocket APIs
Analytics and monitoring of API usage
💡 Exam Tips
"Expose and protect APIs to external developers" = API Management. "Rate limit API calls" = APIM policy. Compare to AWS API Gateway + Developer Portal combination.