AZ-900 Microsoft Azure Fundamentals

🎓 Don't Forget Your Learning Badge!

Congratulations on completing your study! You can redeem your learning badge here to showcase your achievement.

Describe cloud concepts (25–30%)

Describe cloud computing

Define cloud computing

Cloud computing is the delivery of IT resources and services—such as servers, storage, databases, networking, software, and analytics—over the internet (‘the cloud’), rather than relying on local servers or personal devices.
With cloud computing, users can access, store, and process data remotely, allowing for greater flexibility, scalability, and convenience compared to traditional on-premises solutions.
Cloud services are typically offered on a pay-as-you-go or subscription basis, meaning organizations only pay for the resources and services they use—reducing upfront costs and enabling easy scaling with demand.
There are different models of cloud computing, including public, private, and hybrid clouds. Each model offers distinct advantages and can be chosen based on organizational requirements like security, cost, and scalability.
The shared responsibility model in cloud computing outlines which aspects of security and management are handled by the cloud provider and which remain the responsibility of the user—helping organizations allocate resources and plan for compliance more effectively.

Example: A company uses Microsoft Azure to host its website and store customer data. Instead of buying and maintaining their own servers, the company rents computing resources from Azure, paying only for what they use, while Microsoft ensures the infrastructure runs smoothly and securely.

Use Case: An IT administrator at a medium-sized business migrates their company’s email system from on-premises servers to a cloud-based service like Microsoft 365. This transition reduces the burden of server maintenance, improves disaster recovery, and allows staff to access emails securely from any device, anywhere.

For more information see these links:

Describe the shared responsibility model

The shared responsibility model in cloud computing clearly defines which security and management tasks are handled by the cloud service provider and which are handled by the customer. This helps prevent misunderstandings and ensures all important areas of cloud security are managed.
Cloud providers (like Microsoft Azure) are responsible for managing and securing the core infrastructure: physical servers, storage, networking, and the foundational cloud services. The customer is responsible for security inside the cloud, such as managing data, user access, device security, and the configuration of their own software and applications.
The specific division of responsibilities can vary based on the type of cloud service used (IaaS, PaaS, or SaaS). However, customers always retain responsibility for their own data, user identities, and access management. Knowing your responsibilities helps reduce risk and maintain compliance.

Example: If an IT team moves its company email to a cloud-based service like Microsoft 365, Microsoft secures the underlying servers and service availability, but the IT team must set up proper password policies, multi-factor authentication, and decide who can access which mailboxes.

Use Case: A company stores confidential customer data in Azure cloud storage. Microsoft secures the physical data centers and storage hardware, but the IT staff are responsible for configuring who can access the data, applying encryption, and setting up alerts for suspicious access. If they don’t set access permissions correctly, data could be exposed even though Azure itself is secure.

For more information see these links:

Define cloud models, including public, private, and hybrid

1. Public Cloud: Public clouds are operated by third-party providers like Microsoft Azure, and offer computing resources (such as servers and storage) over the public internet. These resources are shared across multiple organizations but are logically separated for security. Public cloud is known for scalability, cost-effectiveness, and immediate access to the latest technologies.
1. Private Cloud: Private clouds are dedicated environments used exclusively by a single organization. They can be physically located on-premises or hosted by a third-party provider, but the key characteristic is that resources are not shared with others. Private clouds offer more control, customization, and compliance for sensitive data or regulatory requirements.
1. Hybrid Cloud: A hybrid cloud combines elements of both public and private clouds, allowing data and applications to be shared securely between them. This approach helps organizations maximize existing investments, comply with data regulations, and still benefit from the scalability and innovation of the public cloud.

Example: A company uses Microsoft Azure (public cloud) to host its website for global reach and high scalability. At the same time, it maintains sensitive employee data on its own private servers (private cloud). It integrates both environments so authenticated users can access both services without disruption, forming a hybrid cloud setup.

Use Case: An IT department at a mid-sized business needs to modernize its legacy applications but cannot move all data to the public cloud due to compliance needs. They adopt a hybrid cloud approach: running sensitive databases in a private cloud on-premises, while migrating public-facing apps and development workloads to Azure’s public cloud. This lets them manage regulations, reduce costs, and modernize services without expensive infrastructure upgrades.

For more information see these links:

Identify appropriate use cases for each cloud model

Public cloud is best for organizations that need to scale quickly, innovate fast, or require global reach without investing in hardware. It works well for variable or unpredictable workloads, and when you want to take advantage of the latest technologies and security features offered by cloud providers.
Private cloud is suited for organizations with strict regulatory, data privacy, or security requirements. It is also ideal when companies need to keep sensitive data on-premises, require greater control over their infrastructure, or must customize resources for unique applications.
Hybrid cloud fits scenarios where organizations want to combine the benefits of both public and private clouds. It is useful when some data or workloads must stay on-premises (for compliance or latency reasons) but other services are moved to the public cloud for flexibility and expansion.
Multicloud environments are used when organizations want to avoid depending on a single cloud provider, take advantage of best-in-class services from different providers, or meet specific business, compliance, or geographical needs.

Example: A software development company deploys its customer-facing website using a public cloud to benefit from on-demand scalability and global availability, while keeping its proprietary research data and internal applications in a private cloud to ensure maximum control and security.

Use Case: An IT department at a healthcare provider uses a hybrid cloud solution: electronic health records (EHRs) and patient-sensitive data are stored in a private cloud on-premises to meet data privacy regulations, while less sensitive applications like appointment scheduling and telemedicine services are hosted in the public cloud for greater reliability and flexibility.

For more information see these links:

Describe the consumption-based model

The consumption-based model, also called pay-as-you-go, charges customers based on actual usage of cloud resources, such as data storage, compute power, or AI interactions, instead of a fixed monthly or yearly fee.
This model offers high flexibility and cost control, allowing businesses to scale resources up or down to meet changing demands without incurring unnecessary costs during periods of low activity.
Customers only need to maintain an active subscription (e.g., Azure) and are billed monthly for the resources consumed; there’s no long-term commitment required unless a discount or reserved plan is selected.
Consumption is measured using units relevant to the service—like number of messages for AI bots, number of gigabytes stored, or server uptime per hour/second—making it easy for businesses to track and manage cloud expenses.
This model is ideal for scenarios with variable workloads, short-term projects, or development/test environments, where resource needs frequently change and cost predictability is critical.

Example: A company uses Microsoft Purview for data security and governance. Instead of paying a flat fee, they are billed monthly based on the amount of data analyzed, the number of compliance operations performed, or other specific features used during the period. If activity increases, the bill goes up; if it decreases, they pay less.

Use Case: An IT department runs several development environments for project teams, using Azure virtual machines. Since these environments are only needed temporarily for testing, the company opts for consumption-based billing. They only pay for the hours each virtual machine is running, helping them keep costs low when machines are turned off or deleted after project completion.

For more information see these links:

Compare cloud pricing models

Pay-as-you-go pricing: Most cloud providers, such as Microsoft Azure, charge customers based on actual usage—meaning you pay only for the computing resources, storage, or bandwidth you use, rather than a flat fee. This model provides flexibility and helps avoid overpaying for unused capacity.
Reserved or subscription pricing: Cloud services often offer discounts for reserving resources for a fixed term (for example, 1 or 3 years). This reserved pricing reduces costs for predictable workloads but requires a commitment.
Feature-based pricing: Some services, like Azure CDN and Azure Front Door, charge based on the features and level of service chosen—such as data transfer zones, number of rules, web application firewall, or private links. The more advanced the features or higher the service tier (for example, Standard vs. Premium), the higher the month-to-month base fees and usage charges.
Tools and calculators: Cloud providers like Azure offer pricing calculators and forecasting tools to help organizations estimate and monitor spending. These tools make it easier to budget, compare models, and control costs over time.

Example: An IT department compares Azure Front Door Standard ($35 base fee/month plus per-use data transfer and request fees) versus legacy Azure CDN Standard (no base fee, but variable data transfer pricing) to deliver company web applications globally. By using Azure’s pricing calculator, they determine which option is more cost-effective for their projected levels of web traffic and security needs.

Use Case: A small IT team at a mid-sized company needs to deliver its new website efficiently to users worldwide. They use Azure’s pricing calculator to model costs for both pay-as-you-go and reserved resource plans for bandwidth and security, enabling them to select the right mix of services and avoid unexpected charges.

For more information see these links:

Describe serverless

Serverless computing allows you to run code without worrying about managing servers or infrastructure. The cloud provider handles all the underlying resources for you.
With serverless, you only pay for the actual time your code runs or resources you use, making it cost-effective for workloads that don’t run continuously.
Serverless solutions, like Azure Functions, are event-driven. Your code, called a ‘function,’ executes automatically in response to events (such as a file upload, an HTTP request, or a database update).
Serverless platforms automatically scale up or down based on demand, so your application can handle increases in traffic without manual intervention.
Developers can focus on writing and improving their application logic rather than dealing with server setup, maintenance, and scaling concerns.

Example: A company wants its website to resize and store user-uploaded profile pictures. Using Azure Functions, a developer writes a serverless function that automatically resizes any new image uploaded to cloud storage, without needing to manage any servers.

Use Case: An IT team sets up an automated process where, whenever data is added to a database (like a new customer record), an Azure Function runs to send a welcome email. This event-driven, serverless approach saves time and resources, making it easy to automate common business tasks.

For more information see these links:

Describe the benefits of using cloud services

Describe the benefits of high availability and scalability in the cloud

High availability in the cloud means your applications and services are designed to stay up and running, even if something goes wrong (like hardware failures or unexpected traffic spikes). Cloud providers use strategies like redundancy, automatic failover, and distributed regions to minimize downtime.
Scalability allows you to quickly add or remove computing resources based on demand. Cloud services can automatically scale up during busy periods and scale down when demand drops, so you only pay for the resources you need.
By leveraging high availability and scalability, businesses can ensure critical IT systems remain accessible to users, avoid costly disruptions, and deliver consistent performance, even as business needs change or unexpected events occur.

Example: An online retail website hosted in the cloud can automatically add more servers during Black Friday sales to handle millions of visitors without crashing. If one server fails, traffic is seamlessly redirected to healthy servers so customers can continue shopping with no interruption.

Use Case: A general IT team uses Azure Virtual Machine Scale Sets to host a company’s web portal. During end-of-year reporting, traffic increases dramatically. The cloud infrastructure automatically scales out to support the extra demand, then scales back in afterward to save costs. If a server instance fails, others remain available and service is uninterrupted.

For more information see these links:

Describe the benefits of reliability and predictability in the cloud

Cloud providers offer built-in redundancy and failover mechanisms, reducing the risk of downtime caused by hardware or network failures. This ensures continuous access to critical applications and data.
Predictable performance and reliability make it easier for IT teams to plan capacity and maintenance schedules, helping organizations avoid unexpected outages and service disruptions.
Automated backups and disaster recovery solutions in the cloud increase data protection and minimize data loss, safeguarding business operations even if failures occur.
Cloud services provide Service Level Agreements (SLAs) that guarantee certain levels of uptime and response, giving organizations confidence and clarity about service availability.
Reliability and predictability free IT staff to focus on innovation and strategic projects rather than constantly troubleshooting infrastructure issues.

Example: A medium-sized company hosts its customer relationship management (CRM) system on Azure. During a local power outage, the system remains accessible to employees because Azure automatically switches workloads to unaffected data centers. Employees can continue serving customers without interruption.

Use Case: An IT administrator at a retail organization uses cloud-based inventory management with automatic failover and backup features. If there’s a hardware failure in one data center, inventory data is instantly available via backup in another region, ensuring stores always have accurate stock information and can process sales smoothly.

For more information see these links:

Describe the benefits of security and governance in the cloud

Security and governance in the cloud help protect sensitive company data by applying policies that automatically classify and label critical information. For example, tools like Microsoft Purview can automatically scan files and add confidentiality labels, reducing the risk of data leaks.
Cloud governance establishes guardrails—like rules, procedures, and monitoring tools—that regulate how employees use cloud resources. This control prevents unauthorized activities, ensures compliance with regulations, and aligns cloud usage with business goals.
Continuous security monitoring and policy enforcement in the cloud enable organizations to quickly detect threats, respond to incidents, and prevent data exfiltration. Automated alerts and recommendations ensure issues are addressed rapidly and efficiently.

Example: An IT company uses Microsoft Defender for Cloud Apps to automatically detect when files labeled as ‘Confidential’ are shared externally. If a sensitive document is mistakenly shared outside the organization, the system immediately revokes access and notifies administrators, preventing a potential data breach.

Use Case: A general IT team implements cloud governance policies to ensure all files containing customer information are automatically labeled ‘Confidential’ and restricted from external sharing. Using integrated tools, they receive real-time alerts if a user tries to share such files outside the organization and can respond by blocking access or contacting the user. This approach secures customer data, meets compliance obligations, and reduces the risk of accidental data loss.

For more information see these links:

Describe the benefits of manageability in the cloud

Centralized Management: The cloud enables IT teams to centrally manage resources, applications, and users through unified dashboards and APIs. This provides visibility and control across all assets, allowing teams to easily apply configuration changes, monitor usage, and enforce organizational standards from a single location.
Automated Operations: Cloud platforms offer built-in automation tools—such as scripting, infrastructure-as-code, and automated scaling—which reduce manual work. Routine tasks like deployments, backups, updates, and patch management can be automated, saving time, minimizing errors, and ensuring consistency.
Improved Governance and Security: Cloud manageability tools help organizations enforce policies (such as resource naming, tagging, and permissions) and track compliance. Features like role-based access control (RBAC) and Azure Policy let IT teams control who can access or modify resources, reducing risk and ensuring regulatory compliance.
Scalability and Flexibility: Managing resources in the cloud means organizations can easily scale operations up or down, adapt to demand, and make fast changes to their environment. IT teams no longer need to manually provision servers or hardware, speeding up project delivery and response to changing business needs.

Example: A company uses Azure Portal to manage all its virtual machines, storage accounts, and networking resources. The IT team can monitor system health, apply security updates, and automate nightly backups for every machine from one interface, instead of accessing individual servers.

Use Case: An IT administrator at a mid-sized business sets up a policy in Azure to automatically tag all created resources with their project name and owner. This makes it simple to track costs, locate resources, and ensure only authorized staff can access sensitive workloads. If a resource doesn’t meet the tagging standard, automated alerts prompt remediation—reducing resource sprawl, cost overruns, and potential security gaps.

For more information see these links:

Describe cloud service types

Describe infrastructure as a service (IaaS)

IaaS (Infrastructure as a Service) is a cloud computing model that provides access to essential computing resources such as virtual servers, storage, and networking, all managed by the cloud provider and accessible over the internet.
With IaaS, organizations avoid the cost and complexity of buying, managing, and maintaining physical infrastructure. Instead, they pay only for the resources they use, making it a flexible and cost-effective option.
Users have control to install, configure, and manage their operating systems and applications on the cloud infrastructure, offering granular control over their IT environment compared to other cloud service models like PaaS.
IaaS solutions offer scalability, allowing organizations to quickly adjust resources up or down based on demand. This accelerates development cycles and helps maintain business reliability.
Major cloud providers also include features such as security, monitoring, and billing management, giving IT teams more time to focus on business projects rather than routine infrastructure maintenance.

Example: A company needs additional servers to run a new website or application. Instead of purchasing physical hardware, the IT team creates several virtual machines using Microsoft Azure IaaS. The cloud provider handles all maintenance and networking, so the team focuses on configuring the software and launching the application quickly.

Use Case: An IT department at a medium-sized business migrates their on-premises Oracle database to Azure IaaS virtual machines. This move allows the team to scale resources as needed, reduce hardware costs, and improve disaster recovery capabilities by leveraging Azure’s built-in backup and resiliency features.

For more information see these links:

Describe platform as a service (PaaS)

Platform as a service (PaaS) is a cloud computing model that provides developers with a ready-to-use framework to build, test, deploy, and manage applications, without the need to manage underlying hardware or system software.
PaaS solutions handle infrastructure tasks such as operating system updates, security patches, backup, and networking, freeing IT teams to focus on application creation and feature delivery instead of routine maintenance.
These platforms offer built-in tools and services like databases, development frameworks, and monitoring capabilities, which help accelerate application development and enable easy scaling as demand changes.
With PaaS, organizations only pay for what they use, making it cost-effective and reducing the need for large upfront investments in infrastructure.

Example: Azure App Service is a widely used PaaS solution that lets developers quickly create, deploy, and scale web apps and APIs. Instead of setting up servers and operating systems, a developer simply uploads their code, and Azure App Service manages the rest.

Use Case: A midsize IT company needs to launch a new customer portal on a tight deadline. By using Azure App Service (PaaS), the team can focus on developing the portal’s features rather than configuring servers, managing security updates, or handling backups. This accelerates the project timeline and simplifies future updates and scaling.

For more information see these links:

Describe software as a service (SaaS)

Software as a Service (SaaS) is a cloud service type where software applications are delivered and accessed over the internet. Users don’t need to install or maintain the software locally; instead, they use it via a web browser or app, with the provider handling updates, security, and infrastructure.
SaaS providers manage everything required to run the application, including servers, storage, and networking. This approach reduces the overhead and technical burden for organizations, letting them focus on core business tasks instead of IT maintenance.
Most SaaS apps use a subscription-based pricing model. Organizations pay a recurring fee for access, which can be scaled up or down depending on usage and business needs. This allows for predictable costs and flexibility as teams grow or change.
Security and data protection are critical in SaaS environments. Applications like Microsoft Defender for Cloud Apps help organizations monitor, control, and secure data in SaaS platforms, providing features like threat protection and compliance assessments to protect sensitive information.
SaaS solutions are highly scalable and accessible from anywhere, supporting hybrid and remote work environments. Employees can collaborate and access required resources smoothly, whether working from the office or remotely.

Example: Microsoft 365 is a practical SaaS solution offering productivity tools like Word, Excel, Teams, and Outlook. These apps are accessed via the internet, with data stored securely in the cloud and software managed by Microsoft. Updates and security patches are handled automatically, saving IT teams time and effort.

Use Case: An IT department in a medium-sized company adopts Microsoft Defender for Cloud Apps to protect its SaaS resources as employees increasingly access Microsoft 365 and other cloud-based apps remotely. The tool helps the IT team monitor app activity, detect anomalies, and enforce security policies, ensuring sensitive business information remains secure and compliant without requiring staff to be on-site.

For more information see these links:

Identify appropriate use cases for each cloud service type (IaaS, PaaS, and SaaS)

IaaS (Infrastructure as a Service) is best used when you need maximum control over your computing resources, such as when configuring custom virtual machines, storage, or networks. Suitable for organizations running legacy applications or those wanting to handle their own operating systems and middleware.
PaaS (Platform as a Service) is ideal for teams focused on application development without worrying about managing servers, operating systems, or the underlying infrastructure. It offers tools and services to streamline coding, testing, and deployment, making it easier and faster to build and launch apps.
SaaS (Software as a Service) is most appropriate when you want to use ready-made software applications over the internet, like email, collaboration tools, or CRM systems. All maintenance, security, and updates are handled by the service provider, allowing users to focus solely on utilizing the application.

Example: A company needs email services for employees. Instead of installing and managing an email server on their own hardware (IaaS) or building a custom email platform (PaaS), they subscribe to Microsoft 365 (SaaS), which provides a complete, managed email solution accessible through browsers and mobile devices.

Use Case: An IT department wants to launch a new company website. They use IaaS to provision and configure custom virtual machines for hosting a legacy application. For a new, modern web app, they choose PaaS like Azure App Service, enabling developers to quickly deploy code without managing the infrastructure. For email and productivity, they use SaaS solutions such as Microsoft 365—all within the same overall cloud strategy.

For more information see these links:

Describe Azure architecture and services (35–40%)

Describe the core architectural components of Azure

Describe Azure regions, region pairs, and sovereign regions

Azure regions are distinct geographic areas that contain one or more datacenters connected by a high-speed network. These regions allow you to deploy Azure resources close to your users to reduce latency and meet data residency requirements.
Region pairs consist of two Azure regions within the same geography, separated by at least 300 miles. Paired regions provide additional resilience: if a service disruption affects one region, your resources can fail over to its pair. Updates and maintenance are staggered between pairs to minimize risk.
Sovereign regions are special Azure regions designed for strict data residency and compliance needs, like government or legal requirements. These regions (e.g., Azure Government, China, or Germany) provide similar functionality but often with limited features and are restricted to certain customers.

Example: A multinational IT company wants to host its application for European users. It selects the West Europe Azure region to ensure data stays within EU borders, satisfies local data residency laws, and reduces network delays for European customers.

Use Case: An IT department needs high availability for a business-critical application. They deploy the app in North Europe and set up geo-redundant storage in its paired region, West Europe. If North Europe experiences an outage, the app can quickly fail over to West Europe, ensuring minimal downtime and compliance with EU data residency requirements.

For more information see these links:

Describe availability zones

Availability zones are unique physical locations within an Azure region, each with their own independent power, cooling, and networking to isolate them from failures in other zones.
Most Azure regions that support availability zones have at least three zones; this setup allows services and applications to remain available even if one datacenter experiences an outage.
By deploying resources across multiple availability zones, IT teams ensure higher availability and fault tolerance for applications, with Azure automatically rerouting traffic in case of zone failure.
Zone redundancy is a method where applications or services are distributed evenly across the zones within a region, which reduces the risk of data loss and helps with uninterrupted service during outages.
Not all Azure regions currently support availability zones, so it’s important to verify zone support for your chosen region during architectural planning.

Example: Suppose a company hosts its critical web application in Azure. By deploying the application’s virtual machines and databases across three availability zones in the same region, if one zone (datacenter) loses power or connectivity, the app remains accessible because traffic is automatically shifted to the healthy zones.

Use Case: An IT team at a financial services firm wants to ensure continuous access to their online customer portal. They deploy the portal’s backend servers in different Azure availability zones within their main region. This setup protects the application against localized failures (like a datacenter power outage), providing consistent service availability to customers.

For more information see these links:

Describe Azure datacenters

Global Coverage and Scale: Azure datacenters are strategically located around the world, with more than 60 regions across 140 countries. This means organizations can deploy applications and data close to their users, improving performance and meeting local data residency requirements.
Robust Security and Compliance: Each Azure datacenter is physically secured and closely monitored to protect hardware and data. Microsoft invests in physical access controls, surveillance, and strict compliance standards to ensure customer data safety, which is particularly important for industries with strict data protection rules.
Reliability and Redundancy: Azure organizes datacenters within regions and availability zones. Availability zones are distinct physical locations within a region, each with independent power, cooling, and networking. This setup prevents outages and allows applications to stay online even if a particular facility experiences issues.
High-Speed Networking: All Azure datacenters within a region are interconnected by a high-capacity network. This enables fast and secure communication between services, and supports features like load balancing, content distribution, and encrypted data transfers for optimal performance.
Actionable Deployment Decisions: When planning to use Azure, IT professionals select regions and availability zones based on factors such as proximity to users (for low latency), supported compliance requirements, and available redundancy or disaster recovery options.

Example: A company wants to launch a web application for European customers. By choosing an Azure datacenter in Europe, they can ensure legal compliance for customer data and deliver faster service due to proximity, while taking advantage of Azure’s built-in security and redundancy.

Use Case: An IT team at a retail business uses Azure datacenters to host their online shopping platform. They deploy the application in regions closest to their major customer bases and leverage availability zones for high availability, ensuring that their website remains operational even during unexpected hardware failures or regional disruptions.

For more information see these links:

Describe Azure resources and resource groups

Azure resources are individual services or components—such as virtual machines, databases, or storage accounts—that you deploy and manage within Azure.
A resource group is a container that logically organizes related Azure resources, often based on their lifecycle, department, or project. This makes it easier to manage, monitor, and apply policies or permissions collectively.
Managing resource groups through the Azure Portal or tools like Azure PowerShell and Azure CLI enables you to create, list, update, and delete groups, as well as view metrics, deployment history, and diagnostics for all resources within a group.
Resource groups allow you to specify where metadata about the resources is stored, which can help with compliance and data residency requirements, while the actual resources inside a group can live in different Azure regions.

Example: Imagine an IT team setting up a new web application in Azure. They create a resource group called ‘WebApp-RG’ and add resources like the web server (VM), database (Azure SQL), and storage account to it. This helps them manage these related components easily, such as upgrading the app or monitoring its usage.

Use Case: An IT department managing multiple internal systems can use resource groups to separate production environments from development and testing environments. This lets them apply different access controls and deploy or delete whole environments swiftly as needed.

For more information see these links:

Describe subscriptions

An Azure subscription is a logical container that holds all the cloud resources (like virtual machines, databases, and networks) you use and manage in Azure. Each subscription is linked to a billing account and provides boundaries for billing, resource quotas, and permissions.
Subscriptions help you organize resources based on department, project, environment (production, test, sandbox), or region. This organization makes it easier to manage costs, apply security and access controls, and enforce policies tailored to each group’s needs.
A single organization can have multiple subscriptions, each with its own access controls, management policies, and spending limits. Using management groups above subscriptions lets organizations scale governance and policy enforcement efficiently.
Subscriptions themselves are free to create, but charges are incurred for the resources deployed within them. Standard management tools—such as the Azure portal and Azure CLI—make it easy to view, modify, and control subscriptions.

Example: A mid-sized IT company creates three Azure subscriptions: one for production, one for development/testing, and one for sandboxing new technologies. This separation helps the company track costs for each environment, apply stricter security for production, and give developers flexibility to experiment in the sandbox subscription.

Use Case: A general IT team needs to deploy a new web application. They use the production subscription for the live website, the non-production subscription for staging and testing, and the sandbox subscription for developers to try out new features. This setup keeps the critical production environment secure, simplifies costing, and fosters innovation.

For more information see these links:

Describe management groups

Management groups in Azure are logical containers used to organize Azure subscriptions into a hierarchy, making it easier to manage large environments with many subscriptions.
Policies and access controls, such as Azure Policy and role-based access control (RBAC), can be applied at the management group level and automatically inherited by all subscriptions and resources within that group. This simplifies governance and compliance across your organization.
Management groups support multiple levels, allowing you to create structures that reflect your organization’s business units, environments (like development, test, production), or teams, enhancing clarity and control.
Subscriptions within the same management group must belong to the same Microsoft Entra (formerly Azure AD) tenant, ensuring secure and unified identity management across all resources.
Using management groups reduces administrative overhead by allowing centralized actions, such as applying policies or role assignments once at the group level, rather than individually on each subscription.

Example: An IT company with several departments (HR, Finance, Development) uses Azure subscriptions for each department. By creating management groups in Azure for each department, IT can apply security policies and monitor compliance for all departmental resources, ensuring standards are met without manual configuration on every subscription.

Use Case: A general IT administrator sets up a ‘Production’ management group and a ‘Development’ management group to organize all related subscriptions and resources. By applying a data residency policy to the ‘Production’ management group, they ensure that all production resources are only deployed in approved regions, helping the organization meet compliance requirements efficiently.

For more information see these links:

Describe the hierarchy of resource groups, subscriptions, and management groups

Azure organizes resources using a hierarchical model made up of management groups, subscriptions, and resource groups. Each level serves a different purpose in governance, cost management, and operational structure.
Management groups are the highest organizational unit, allowing you to group and manage multiple subscriptions under a single set of policies, access controls, or compliance requirements. Changes made at the management group level are automatically inherited by all included subscriptions.
Subscriptions sit below management groups and act as containers for resources and resource groups, used primarily for billing, quota, and access controls. Organizations typically create separate subscriptions to isolate costs or workloads (e.g., by department, project, or environment).
Resource groups are logical containers within a subscription. They are used to group related resources (like virtual machines, databases, and storage accounts) that share the same lifecycle, making it easier to manage, deploy, update, or delete them together.

Example: Imagine a large IT company with multiple business divisions. The company creates a management group for each division (e.g., ‘Corporate IT’ and ‘Customer Solutions’), assigns respective subscriptions for different environments (like ‘Production’ and ‘Development’), and then uses resource groups within those subscriptions to organize resources for specific projects or services.

Use Case: A general IT team uses management groups to enforce security policies across the entire organization, creates individual subscriptions for development, testing, and production environments to isolate workloads and costs, and organizes all components of a particular web application (such as the web server, database, and storage) into a single resource group. This structure streamlines access management, policy enforcement, and resource lifecycle operations.

For more information see these links:

Describe Azure compute and networking services

Compare compute types, including containers, virtual machines, and functions

Virtual Machines (VMs) provide complete operating system environments, allowing you to install and configure applications as if they were running on a physical machine. VMs offer strong isolation and are ideal for legacy applications or workloads that need custom OS-level configurations.
Containers are lightweight, portable units that bundle an application and its dependencies, sharing the host OS kernel. They start quickly, use fewer resources than VMs, and are ideal for modern, scalable applications where faster deployment and consistency across environments are important.
Functions (e.g., Azure Functions) represent serverless computing. They let you run code in response to specific events (like HTTP requests or file uploads) without managing servers, providing automatic scaling and billing based on actual usage, making them ideal for event-driven and micro-task workloads.
Choosing between these compute types depends on your needs: use VMs for full control and strong isolation, containers for rapid deployment and scaling, and functions for running short, event-driven tasks with minimal maintenance.
All three compute types are available as Azure services: Azure Virtual Machines, Azure Container Instances, and Azure Functions. Each offers different benefits to address a range of IT infrastructure and application hosting needs.

Example: A software development team wants to deploy a new company website. They use a Virtual Machine to host an older database server, containers to run web application components for fast updates, and Azure Functions to process user-uploaded images by resizing them automatically.

Use Case: An IT administrator in a mid-sized company uses Azure Virtual Machines to maintain existing Windows-based line-of-business applications, introduces containers to deploy new microservices for faster updates and better resource utilization, and implements Azure Functions to automate periodic data reports, all leveraging the right Azure compute types for each workload.

For more information see these links:

Describe virtual machine options, including Azure virtual machines, Azure Virtual Machine Scale Sets, availability sets, and Azure Virtual Desktop

Azure Virtual Machines (VMs) are on-demand, scalable computing resources in Azure. You can use them to run a wide range of applications and workloads, choosing operating systems, sizes, and locations to match your needs. Azure VMs offer flexibility, letting you set up virtual servers quickly and efficiently.
Azure Virtual Machine Scale Sets (VMSS) allow you to create and manage a group of identical, load-balanced VMs. Scale Sets automatically increase or decrease the number of VM instances based on demand or a schedule, ensuring cost-effective scaling and high availability for your applications.
Availability Sets are a feature that helps keep your applications running by spreading VMs across multiple physical servers, reducing the risk that a single hardware failure or maintenance event will affect all your VMs at once. This setup helps meet the Azure SLA for uptime and is ideal for workloads needing redundancy.
Azure Virtual Desktop is a cloud-based service that provides a secure, managed virtual desktop experience. Employees can access full Windows desktops and applications from anywhere, enabling remote work scenarios and centralized management for IT teams.
Availability Zones provide additional protection against data center failures by placing VMs in physically separate zones within an Azure region. This ensures that even if an entire data center goes down, your applications and data can remain available.

Example: A small IT company needs to provide remote access to accounting and business applications for its employees. Instead of setting up expensive on-premises servers, it deploys Azure Virtual Machines for the backend servers and uses Azure Virtual Desktop to let staff securely access applications from anywhere.

Use Case: An IT department in a medium-sized business wants to ensure their internal business-critical application is always available, even during hardware failures or planned maintenance. They deploy the application’s VMs in an availability set to minimize downtime risk, and use a scale set to automatically add more servers during busy periods, ensuring both high availability and scalable performance.

For more information see these links:

Describe the resources required for virtual machines

1. Compute Resources (CPU and Memory): Each virtual machine (VM) requires a certain amount of CPU (virtual cores) and memory (RAM) to run applications efficiently. The amount needed depends on the workload. Azure offers a variety of VM sizes so you can choose resources that match your performance requirements.
1. Storage: Every VM needs storage for the operating system, temporary files, and data. In Azure, this typically means an OS disk and, optionally, one or more data disks. Storage performance can vary based on the choice between premium (SSD-based) and standard (HDD-based) disks.
1. Networking: VMs need networking resources to communicate with other services, devices, or the internet. This includes a virtual network (VNet), network interface cards (NICs), private and sometimes public IP addresses, and network security groups (NSGs) to control traffic.
1. Licensing: VMs often require an operating system license (such as Windows or Linux). These licenses can be included in the VM’s cost or brought by the user, impacting the overall expense.
1. Additional Considerations: You must also plan for resource names, locations (Azure regions), and the configuration and limits of your VMs to fit your organization’s needs.

Example: A small IT company wants to deploy a Windows-based application server in Azure. They select a VM size with 2 virtual CPUs and 8 GiB of RAM to match app requirements. They add a 127 GiB premium SSD for the OS and a 512 GiB standard HDD for data. For network communication, the VM is placed in an Azure Virtual Network with a single NIC and a private IP address. A network security group restricts traffic to only allow legitimate users and needed ports.

Use Case: A general IT department needs to set up a development/test environment on short notice without buying new hardware. By provisioning VMs in Azure, they quickly allocate just enough CPU, memory, storage, and network access, allowing their developers to start testing software in hours instead of weeks.

For more information see these links:

Describe application hosting options, including web apps, containers, and virtual machines

Web apps on Azure (such as Azure App Service and Azure Static Web Apps) provide a fully managed hosting environment where you just upload your code and Azure takes care of the infrastructure, scaling, security, and updates. This is the easiest way to rapidly launch and manage websites or APIs with minimal cloud management knowledge.
Container-based hosting (using services like Azure Container Apps, Azure Container Instances, or Azure Kubernetes Service) allows you to package your application and its dependencies into a container for consistent deployment. Containers offer more flexibility than standard web app hosting and are suitable for modern, microservices-based or multi-component applications.
Virtual Machines (VMs) in Azure let you run any application, process, or server environment with maximum control. You manage the operating system, runtime, and security while Azure provides the hardware. This option suits scenarios requiring custom configurations, legacy apps, or when high control over the environment is needed.
Choosing between these options depends on your need for control versus simplicity: web apps are the easiest to manage, containers give more flexibility, and VMs provide the most control but require more maintenance.
Most IT professionals start with web apps for typical business apps, use containers when they need app portability or microservices, and choose VMs for legacy or highly customized workloads.

Example: A company wants to launch an intranet portal for employee self-service. Using Azure App Service, IT simply uploads the portal’s code without worrying about server setup or patching, and Azure automatically keeps the site running smoothly—even during spikes in usage.

Use Case: An IT department migrates a legacy payroll system that requires access to custom drivers and specific operating system settings. They use Azure Virtual Machines to recreate their on-premises environment in the cloud, gaining cloud scalability but retaining full control for compatibility.

For more information see these links:

Describe virtual networking, including the purpose of Azure virtual networks, Azure virtual subnets, peering, Azure DNS, Azure VPN Gateway, and ExpressRoute

Azure Virtual Networks (VNets) create secure, isolated environments in the Azure cloud where you can run virtual machines (VMs), databases, and other resources. VNets let you define IP address ranges, control traffic flows, and group related resources together for security and management.
Virtual subnets subdivide a VNet into smaller, manageable segments. This helps organize resources by function (like separating web servers from databases) and apply specific security rules to different segments, boosting security and network performance.
Virtual network peering connects multiple VNets, allowing resources in different VNets—even across Azure regions—to securely communicate as if they were on the same network, without extra hardware or significant latency.
Azure DNS provides reliable, scalable domain name resolution for your Azure resources, enabling users and applications to locate services using familiar, human-readable names instead of IP addresses.
Azure VPN Gateway and ExpressRoute offer secure hybrid connectivity: VPN Gateway enables encrypted connections over the public internet between on-premises networks and Azure, while ExpressRoute establishes private, high-speed, and reliable connections that don’t traverse the internet, often used by organizations needing consistent performance for mission-critical workloads.

Example: A company sets up a VNet in Azure for its web application. They create subnets to separate the web front-end, app logic, and database layers. To connect their headquarters to Azure securely, they use an Azure VPN Gateway for an encrypted link. Later, as their needs grow, they implement ExpressRoute through their internet provider to guarantee a private, fast, and stable connection for critical applications.

Use Case: An IT department for a mid-sized business needs to support remote employees who require secure access to applications hosted in Azure and on-premises data centers. By designing a VNet with multiple subnets for different services, using virtual network peering to connect resources across regions, leveraging Azure DNS for service discovery, and implementing Azure VPN Gateway or ExpressRoute, the IT team ensures all users can securely and reliably access essential resources from anywhere.

For more information see these links:

Define public and private endpoints

Public endpoints are network interfaces with public IP addresses that allow access to Azure resources from anywhere on the internet. These are ideal for services that need to be broadly accessible but can pose security risks if not properly managed.
Private endpoints are network interfaces assigned private IP addresses within your Azure Virtual Network. They allow secure, internal access to Azure services, keeping data traffic within your organization’s network.
Using private endpoints enhances security and compliance by preventing exposure of resources to the public internet, while public endpoints offer convenience and accessibility for non-sensitive applications.
Azure services, such as Azure Files and Azure File Sync, support both public and private endpoints, allowing organizations to select the most appropriate network configuration based on their security and operational needs.

Example: A company stores files in Azure Files. If employees need to access these files from anywhere, the company enables a public endpoint, making the file share reachable via the internet. For sensitive data, a private endpoint is set up so only users connected to the company’s Azure virtual network—such as those in the corporate office or securely VPN’d in—can access the files.

Use Case: An IT department for a mid-sized business uses private endpoints to connect on-premises servers to Azure File Sync, ensuring that synchronization of business-critical files happens securely within their virtual network. This approach helps the organization comply with internal data protection policies and prevents unauthorized access from the internet.

For more information see these links:

Describe Azure storage services

Compare Azure Storage services

Azure Blob Storage is best for storing large amounts of unstructured data such as documents, images, videos, and backups. It’s highly scalable and accessible from anywhere over HTTP/HTTPS, making it ideal for web applications or archiving data.
Azure Files provides managed file shares that can be mounted simultaneously by cloud or on-premises systems using standard file protocols like SMB and NFS. It’s suitable for replacing or supplementing traditional file servers and supporting ‘lift-and-shift’ migrations.
Azure NetApp Files offers enterprise-grade, high-performance file storage, supporting demanding workloads such as databases, SAP, or large-scale enterprise applications. It includes advanced management features and ultra-low latency, making it suitable for critical business systems.
Azure Queue Storage is used for reliable messaging and communication between distributed application components, enabling decoupled architectures.
Azure Table Storage is a NoSQL service that stores structured, schemaless data, ideal for applications requiring fast and flexible querying of large datasets without a fixed database schema.

Example: A company wants to share project files among its remote IT staff. By migrating the shared folders from an on-premises file server to Azure Files, employees can reliably access files from anywhere using familiar network drive mapping, eliminating the need for VPNs or local storage.

Use Case: An IT organization migrates its departmental file shares to Azure Files to streamline access for users in multiple locations and reduce on-premises hardware maintenance. IT teams manage access rights and backup directly in the Azure portal, simplifying both operations and disaster recovery.

For more information see these links:

Describe storage tiers

Azure offers multiple storage tiers—Hot, Cool, Cold, and Archive—so you can store your data based on how frequently it’s accessed, helping to manage costs and performance.
Hot tier is designed for data that needs to be accessed or modified often. It costs more to store but is cheaper to access, making it ideal for active files and applications.
Cool and Cold tiers are for infrequently accessed data, with minimum storage durations (30 days for Cool, 90 days for Cold). They have lower storage costs, but accessing data costs more compared to the Hot tier.
Archive tier is for rarely accessed data that can tolerate longer retrieval times (hours), such as long-term backups. It has the lowest storage costs, but the highest retrieval costs and data must be stored for at least 180 days.
Choosing the right tier for your data helps you balance cost and accessibility. You can move your data between tiers as usage patterns change, and some Azure tools like Data Box devices can help you upload large volumes of data directly to the correct tier.

Example: An IT team stores daily backup files in the Hot tier for immediate access and disaster recovery. After a month, they move older backups to the Cool or Cold tier to reduce costs, and eventually archive yearly backups for compliance, which are kept for several years but accessed rarely.

Use Case: A general IT department at a mid-sized business wants to optimize costs for company file storage. They keep current project files in the Hot tier for active collaboration, move completed project files to the Cool or Cold tier, and archive legal records in the Archive tier for long-term retention and compliance.

For more information see these links:

Describe redundancy options

Redundancy in Azure storage ensures your data stays available and protected, even if there are hardware failures or outages. Azure storage automatically makes multiple copies of your data.
There are three main redundancy options: local redundancy (data is replicated within a single datacenter), zone redundancy (data is replicated across multiple availability zones within the same region), and geo-redundancy (data is copied to a different region, far away from the primary location).
Choosing the right redundancy depends on how critical continuous access to your data is. For example, geo-redundancy is ideal for disaster recovery and business continuity, while local or zone redundancy may be enough for less critical data.
Some Azure storage options (like RA-GRS and RA-GZRS) allow your applications to read data from secondary locations, so you can keep operating even during local outages.
Redundancy does not replace backups or disaster recovery planning—you should still consider backup strategies tailored to your business needs.

Example: Imagine an IT department stores company files in Azure Storage using geo-redundant storage (GRS). If an entire Azure region has a power failure, the data is still available from a secondary region, keeping business operations running.

Use Case: An IT team uses zone-redundant storage (ZRS) for a cloud-based application that employees use daily. Even if one availability zone goes offline due to a local incident, employees can still access their files with minimal interruption.

For more information see these links:

Describe storage account options and storage types

Azure Storage accounts are containers for all Azure Storage data objects, including blobs, files, queues, and tables. Each storage account provides a unique namespace for accessing data and can be managed through Azure Portal, CLI, or APIs.
There are different types of Azure Storage accounts, with the most common being Standard General-Purpose v2 (GPv2), Premium Block Blob, Premium File Shares, and Premium Page Blobs. Each type offers specific performance, pricing, and feature sets to suit various workloads.
Storage accounts support different storage types: Blob Storage (for unstructured data like images and backups), File Storage (managed SMB and NFS shares), Queue Storage (message storage and processing), and Table Storage (NoSQL key-value store). The selected storage account type determines which storage services are available.
Redundancy and performance options are key considerations: Standard accounts use traditional hard drives and are suitable for most workloads, while Premium accounts use SSDs for faster performance and lower latency. Redundancy options like LRS, ZRS, GRS, and GZRS ensure data durability and availability by replicating data across one or more Azure regions.
It’s important to select the right storage account and configuration based on your needs, such as access patterns, required availability, and cost. Storage account type and redundancy cannot be changed after creation, so planning ahead is crucial.

Example: A small IT company needs to store files, such as documents and project backups, in the cloud. They create a Standard General-Purpose v2 storage account, enabling them to use Azure Files for sharing documents securely among employees, and Blob Storage for backups and archival.

Use Case: An IT department sets up a Premium File Shares storage account for their internal file servers, migrating company shared drives to Azure. This provides high performance for daily file operations and ensures business continuity with zone-redundant storage options.

For more information see these links:

Identify options for moving files, including AzCopy, Azure Storage Explorer, and Azure File Sync

AzCopy is a free, command-line tool provided by Microsoft for copying data to and from Azure Storage accounts. It is best suited for large data migrations, allowing users to efficiently upload, download, and synchronize files or directories with commands such as ‘azcopy copy’ and ‘azcopy sync’.
Azure Storage Explorer is a graphical user interface (GUI) application that provides a user-friendly way to manage, upload, download, and organize files and folders within Azure Storage accounts. It is ideal for users who prefer a visual tool and need to perform ad-hoc transfers or manage multiple storage accounts easily.
Azure File Sync allows organizations to centralize their file shares in Azure Files, while keeping frequently accessed files available on local Windows Servers. It automatically syncs changes between on-premises servers and Azure, making it useful for distributed teams that need access to the same data across different locations.

Example: A small IT team needs to migrate a shared folder containing user documents from their on-premises server to Azure Files. They use AzCopy to upload the folder efficiently in one batch, ensuring all file permissions and properties are preserved during the process.

Use Case: An IT administrator in a mid-sized company sets up Azure File Sync to keep the company’s central document repository in Azure up-to-date while maintaining a local cache on their office file server. This approach ensures employees can quickly access documents locally, and changes are mirrored across all branch offices through Azure.

For more information see these links:

Describe migration options, including Azure Migrate and Azure Data Box

Azure Migrate is a comprehensive tool that helps you discover, assess, and migrate on-premises servers, databases, applications, and data to Azure. It offers a unified platform to plan and manage your migration journey efficiently from a single portal.
Azure Migrate provides built-in assessment and migration tools, including server, database, and web app migration assistants. These tools help evaluate suitability for Azure, estimate costs, and handle the migration process with minimal disruption.
Azure Data Box is a secure, physical appliance designed for migrating large amounts of data to Azure offline. You order a Data Box, copy your data locally to the device, and then ship it back to Microsoft where the data is uploaded to your chosen Azure storage account—ideal when network bandwidth is limited or unavailable.
Other data migration methods like AzCopy and rsync are available for incremental or smaller data transfers over the network, whereas Data Box is best for bulk moves involving terabytes of data.
Choosing the right migration option depends on your specific scenario: use Azure Migrate for a structured, all-in-one migration (apps, virtual machines, databases), and Azure Data Box when transferring large datasets efficiently and securely.

Example: An IT department at a medium-sized company wants to move all their on-premises file servers and databases to Azure for better scalability and disaster recovery. They use Azure Migrate to assess their physical servers and databases, create a migration plan, and automate the move. For tens of terabytes of archived documents and media files, they order an Azure Data Box, copy the files onto it, and ship the device to Microsoft for upload into Azure Storage.

Use Case: A company is consolidating its IT infrastructure by decommissioning legacy on-premises servers and moving workloads to the cloud. Using Azure Migrate, the IT team assesses server readiness, plans the migration, and moves virtual machines and critical applications directly to Azure. For large file shares that would take too long to upload via the company’s limited internet connection, they use Azure Data Box to physically transport the data efficiently, ensuring all business content is successfully available in Azure Storage for user access and ongoing operations.

For more information see these links:

Describe Azure identity, access, and security

Describe directory services in Azure, including Microsoft Entra ID and Microsoft Entra Domain Services

Directory services in Azure help organizations manage user identities, authentication, and access to resources in both cloud and hybrid environments. They provide centralized control over who can access applications and services.
Microsoft Entra ID is a cloud-based identity service that manages users, groups, and access for resources like Microsoft 365, Azure, and thousands of SaaS applications. It supports single sign-on (SSO), multi-factor authentication, and integration with on-premises Active Directory.
Microsoft Entra Domain Services offers managed versions of traditional Active Directory services (such as domain join, group policy, LDAP, and Kerberos/NTLM authentication) in Azure, removing the need to deploy, patch, or maintain domain controllers. It’s especially useful for cloud migration of legacy applications that require these protocols.

Example: A company originally running all applications on-premises wants to move their email and file storage to Microsoft 365 and Azure Files. By using Microsoft Entra ID, they provide employees with a single cloud identity for seamless access to both services. For legacy applications that require Active Directory authentication, they deploy Microsoft Entra Domain Services, allowing those applications to function in Azure without running their own domain controllers.

Use Case: A mid-sized IT organization needs to ensure employees can securely access both modern web services (like Microsoft 365) and older, internal applications after migrating resources to the cloud. They synchronize identities from their existing on-premises Active Directory to Microsoft Entra ID, enabling unified cloud access. For legacy applications with specific directory requirements, they use Microsoft Entra Domain Services to provide needed protocols and authentication methods—facilitating a smooth transition without redeveloping old apps.

For more information see these links:

Describe authentication methods in Azure, including single sign-on (SSO), multi-factor authentication (MFA), and passwordless

Azure supports multiple authentication methods to secure access to resources, including single sign-on (SSO), multi-factor authentication (MFA), and passwordless options, all managed through Microsoft Entra ID (formerly Azure Active Directory).
Single sign-on (SSO) allows users to access multiple Azure resources and applications by logging in just once, improving user experience and reducing password fatigue. SSO works across on-premises and cloud apps using one identity.
Multi-factor authentication (MFA) adds an extra protection layer by requiring users to verify their identity with a secondary factor—such as a phone notification, SMS code, or biometric check—in addition to a password, helping prevent unauthorized access.
Passwordless authentication methods, like Windows Hello for Business, Microsoft Authenticator, or FIDO2 security keys, remove the need for passwords altogether. Passwordless sign-in is more convenient and reduces risks of password theft or phishing.
Organizations can combine these methods based on their security needs; for example, requiring MFA for high-risk actions and enabling passwordless sign-in for everyday access to streamline user experience and improve protection.

Example: An IT company uses Azure single sign-on (SSO) for all employees. When a staff member logs into their work laptop with their Microsoft Entra ID, they automatically get access to Outlook, SharePoint, Teams, and other business apps without needing to enter their password again. The company also enforces multi-factor authentication: whenever an employee accesses sensitive data from outside the office, they receive a push notification on their phone to confirm their identity.

Use Case: A general IT administrator sets up passwordless authentication for staff using Windows Hello for Business. Employees use fingerprint scans or facial recognition to log into their devices and access Azure Virtual Desktop resources. This setup reduces password-related help desk calls and eliminates common attacks like phishing, while still allowing multi-factor authentication for especially sensitive operations.

For more information see these links:

Describe external identities in Azure, including business-to-business (B2B) and business-to-customer (B2C)

Azure external identities let organizations securely collaborate and connect with users outside their own company directory, including partners or customers.
Business-to-Business (B2B) in Azure allows external partners (such as suppliers or contractors) to access internal resources using their own organizational accounts, without needing new credentials. This is managed securely with Microsoft Entra ID (formerly Azure AD).
Business-to-Customer (B2C) in Azure enables businesses to provide customer-facing applications where customers log in using their social accounts (e.g., Google, Facebook), enterprise accounts, or local credentials, all managed by Azure AD B2C as the identity provider.
Azure AD B2C handles large-scale authentication, offers customizable user experiences, and supports integration with various external identity providers, enabling single sign-on and strong security for millions of users.
Organizations can configure federated sign-in options, allowing users to choose and authenticate with their preferred identity provider, improving convenience and security while reducing password fatigue.

Example: A local IT services firm launches a web portal for its customers to manage support tickets. Instead of requiring every customer to create a new account for the portal, the firm implements Azure AD B2C so customers can sign in using their existing social accounts (like Google or Facebook), making access easier and more secure.

Use Case: A general IT department partners with an external software vendor to develop a custom business application. By setting up Azure B2B collaboration, the IT team grants the vendor’s staff secure access to the app using their own company credentials, enabling quick onboarding and access control without managing a separate identity system.

For more information see these links:

Describe Microsoft Entra Conditional Access

Conditional Access is a Microsoft Entra feature that controls how and when users can access company resources based on specific conditions, such as user location, device compliance, or risk level.
Administrators can design policies that require extra security steps, like multi-factor authentication (MFA), only when risks are detected (e.g., sign-in from an unknown location or a non-compliant device).
Conditional Access policies can be targeted to specific users, user groups, applications, or roles, giving organizations granular and flexible security control.
IT teams can combine different requirements (for example, require both MFA and a compliant device) to create policies that best fit their organization’s security needs and compliance goals.
Conditional Access helps protect sensitive data and supports regulatory compliance by making sure only authorized users and devices can access important systems and information.

Example: A company sets up a Conditional Access policy that requires employees to use multi-factor authentication (such as a phone app prompt) when accessing the company’s email system from outside the office network. If an employee tries to sign in from home, they must complete MFA, but if they are in the office, MFA is not required.

Use Case: An IT department wants to secure access to critical business applications, such as cloud storage, for a remote workforce. They create Conditional Access policies so that employees can only access these apps if they log in with a compliant (company-managed) device and complete MFA, reducing the risk of unauthorized access or data breaches from personal or unsecured devices.

For more information see these links:

Describe Azure role-based access control (RBAC)

Azure role-based access control (RBAC) is a system that allows organizations to manage and restrict access to Azure resources by assigning roles to users, groups, or applications. Each role has specific permissions that define what actions can be performed on resources.
RBAC supports the principle of least privilege, meaning users only receive the minimum level of access required to perform their work. This approach improves security and helps prevent accidental or malicious changes.
Roles can be assigned at different levels or scopes, such as at the subscription, resource group, or individual resource level, providing flexibility in how permissions are granted and managed.
Common built-in roles in Azure RBAC include Owner (full access to all resources), Contributor (can manage resources but cannot assign roles), and Reader (can view resources but cannot make changes). Custom roles can also be created for more specific permission needs.
Managing access through groups instead of individual users simplifies administration, keeps access management consistent, and reduces the chance of configuration errors.

Example: Suppose a company has an IT administrator who needs to be able to create and manage virtual machines in Azure, while a separate finance team member only needs to view resource usage reports. Using Azure RBAC, the admin is assigned the ‘Contributor’ role, which allows for managing resources, while the finance employee is assigned the ‘Reader’ role, which only permits viewing resources.

Use Case: In a general IT department, Azure RBAC can be used to ensure that only network administrators can configure virtual networks, only database administrators can change databases, and regular users can view resources relevant to their work. This helps to protect critical resources from unauthorized access and ensures team members only have access appropriate to their responsibilities.

For more information see these links:

Describe the concept of Zero Trust

Zero Trust is a modern security approach where no user, device, or request is automatically trusted, regardless of its location (inside or outside the organization’s network). Every access attempt is treated as potentially risky.
The model is built on three main principles: 1) Verify explicitly by always requiring authentication and authorization, 2) Use least privilege access by granting users only the permissions they need for their tasks, and 3) Assume breach, meaning you operate as if a security threat already exists and proactively limit potential damage.
Zero Trust extends across identities, devices, applications, networks, and data. It ensures that access to resources is continuously monitored, evaluated, and controlled based on real-time context and risk.
Rather than relying on a secure network perimeter, Zero Trust uses policies and technologies like multifactor authentication, conditional access, endpoint security checks, and microsegmentation to enforce security everywhere.
Adopting Zero Trust improves visibility and control, reduces the risk of insider threats and external attacks, and supports remote or hybrid work by verifying and protecting access from any location or device.

Example: An IT helpdesk technician wants to access the company’s sensitive HR records from a personal laptop at home. With Zero Trust, the technician must first go through multifactor authentication. The device’s health is assessed to ensure it meets company security standards, and access is only granted if the technician’s role requires it. This means unauthorized attempts or risky devices are automatically blocked, keeping data safer.

Use Case: A general IT team is deploying Azure Active Directory Conditional Access to enforce Zero Trust across their environment. They configure policies so that users must complete multifactor authentication, and only healthy, compliant devices can access critical company applications—no matter if the user is on the office network or working remotely.

For more information see these links:

Describe the purpose of the defense-in-depth model

Defense-in-depth is a security approach that uses multiple layers of protection to safeguard information and resources. If one layer fails, others still provide security.
This model reduces the risk of a single point of failure by combining various defenses, such as firewalls, authentication systems, encryption, and regular software updates.
In Azure, defense-in-depth means using features like identity management, access controls, network segmentation, and monitoring to protect cloud services from threats.
Regular updates and patches, like those delivered by Microsoft security advisories, are part of defense-in-depth—they improve existing security controls to address new vulnerabilities.

Example: A company protects its Azure environment by requiring multi-factor authentication (MFA), using network firewalls, encrypting sensitive data, and monitoring account activities. If an attacker gets past the password, they still need to bypass MFA and other safeguards.

Use Case: An IT administrator sets up defense-in-depth for their Azure tenant by implementing strong identity controls (Azure AD), restricting access using role-based access control (RBAC), ensuring only approved users can access critical resources, and enabling logging to detect suspicious activity. This layered approach limits damage from potential account compromise.

For more information see these links:

Describe the purpose of Microsoft Defender for Cloud

Microsoft Defender for Cloud is a unified security management system that protects Azure, on-premises, and multi-cloud resources against threats such as ransomware and malware.
It improves your security posture by continuously monitoring your environment, identifying potential vulnerabilities, and providing actionable security recommendations.
The platform streamlines threat detection and response by integrating with existing security workflows, offering security alerts, automated remediation steps, and visibility into your cloud resources.
Defender for Cloud supports hybrid and multi-cloud environments, allowing organizations to monitor and secure assets beyond just Azure, including on-premises servers and other cloud platforms like AWS or Google Cloud.
It uses advanced tools, automation, and Microsoft’s global threat intelligence to proactively defend workloads, data, applications, and IoT devices.

Example: A small IT company hosts web applications on both Azure and on-premises servers. By enabling Microsoft Defender for Cloud, they receive alerts about suspicious login attempts on their servers and can immediately act to block unauthorized access.

Use Case: An IT administrator enables Microsoft Defender for Cloud to monitor the security of their organization’s Azure virtual machines, storage accounts, and databases. They use the security recommendations dashboard to quickly find and resolve misconfigured firewalls, missing patches, and weak access controls, helping prevent ransomware attacks and improving compliance.

For more information see these links:

Describe Azure management and governance (30–35%)

Describe cost management in Azure

Describe factors that can affect costs in Azure

Resource Sizing and Usage: The cost of Azure services is heavily influenced by the size and number of resources you deploy, such as virtual machines (VMs), databases, and storage. Over-provisioning (allocating more resources than needed) leads to higher costs. Right-sizing your resources and regularly reviewing usage helps ensure you only pay for what you need.
Pricing Model Selections: Azure offers different pricing models, such as pay-as-you-go, Reserved Instances, and Savings Plans. Committing to long-term usage (like a 1- or 3-year Reserved Instance) can provide significant discounts compared to on-demand pricing, especially for predictable workloads. Choosing the most suitable model based on your workload’s stability can optimize costs.
Autoscaling and Automation: Implementing autoscaling allows your environment to automatically increase or decrease resources based on demand. This means you only incur costs when extra resources are actually needed, helping avoid unnecessary charges during low-usage periods. Automated actions such as scheduled VM shutdowns can further reduce costs by minimizing usage when resources are idle.
Type of Services and Storage: Different Azure services and storage types come with varying costs. For example, high-performance storage or premium services cost more than standard or basic options. Selecting the appropriate service and storage tier according to workload demand helps balance performance needs and budget.
Discounts and Benefits: Azure provides additional cost-saving options, like Azure Hybrid Benefit (reusing on-premises licenses in Azure), Spot Instances for interruptible workloads, and free tiers for limited usage. Understanding and taking advantage of these offerings plays an important role in cost management.

Example: A small IT company runs its main website on Azure. Initially, they used a large VM to ensure reliability but found their average CPU usage stayed below 10%. By switching to a smaller VM size, setting up autoscaling to handle higher traffic, and scheduling an automatic shutdown overnight (when there is little or no traffic), they significantly reduced their monthly Azure bill.

Use Case: An IT department managing multiple business applications in Azure reviews monthly resource usage reports. They discover several development and test environments running 24/7, incurring high costs. By implementing automatic shutdowns during off-hours and right-sizing test VMs, they achieve substantial savings without impacting project delivery.

For more information see these links:

Compare the pricing calculator and the Total Cost of Ownership (TCO) Calculator

The Azure Pricing Calculator is designed to estimate the cost of Azure services based on your planned cloud usage. You select the specific services, locations, and usage quantities to see a detailed monthly and annual cost breakdown, helping you budget for new or existing cloud workloads.
The Total Cost of Ownership (TCO) Calculator allows you to compare the overall costs of running workloads on-premises versus moving them to Azure. It considers not only IT infrastructure (servers, storage, networking) but also factors like power, cooling, physical space, and IT labor costs, giving a comprehensive view of potential cost savings.
Use the Pricing Calculator when planning for new or changing Azure solutions, as it helps generate estimates by configuring and adjusting different cloud resources. Use the TCO Calculator when you want a broader financial comparison to justify migration from on-premises to Azure, providing valuable data for stakeholders making investment decisions.

Example: An IT manager wants to estimate the cost of adding three virtual machines, a SQL database, and storage for a new application in Azure. Using the Pricing Calculator, they can enter the VM sizes, database requirements, and storage needs to get a detailed monthly price estimate, adjust parameters as the design changes, and share the report with the finance team for approval.

Use Case: A mid-sized IT company is considering moving its web hosting infrastructure from physical servers in its office to Azure. By using the TCO Calculator, the IT team inputs the current on-premises hardware specs, expected lifespan, power and cooling expenses, and staff maintenance hours. The tool then shows a multi-year cost comparison between keeping the workloads on-premises and running them in Azure, helping leadership make an informed migration decision.

For more information see these links:

Describe cost management capabilities in Azure

1. Budgets and Cost Alerts: Azure allows you to set budgets for your resources and receive alerts when spending approaches or exceeds these predefined limits. This helps prevent unexpected charges and enables proactive cost control.
1. Cost Analysis Tools: With Cost Analysis in the Azure portal, you can break down and visualize your spending by services, tags, subscriptions, resource groups, location, and more. This makes it easier to understand where money is being spent and to identify trends or unexpected costs.
1. Resource Tagging and Cost Allocation: By applying tags to resources and enabling tag inheritance, you can group and track costs by department, project, or other custom criteria. Cost allocation features also help distribute shared costs to appropriate business units or projects for accurate financial reporting.
1. Advisor Cost Recommendations: Azure Advisor provides actionable insights and suggestions to help optimize your cloud costs, such as identifying idle resources, suggesting reservations, or recommending Azure Savings Plans.
1. Automated Cost Monitoring: Configurable alerts—such as budget alerts, anomaly alerts, and scheduled notifications—ensure ongoing monitoring and rapid response to any unusual spending activity, helping organizations maintain financial accountability.

Example: An IT department sets a monthly budget of $5,000 for Azure resources. They configure cost alerts so that when expenses hit 80% of the budget, both the IT manager and finance team get an automated email. This helps the team investigate usage spikes early and avoid end-of-month surprises.

Use Case: A general IT team uses resource tags to categorize Azure services by project (e.g., ‘HR App’, ‘Website’, ‘R&D’). Using Cost Analysis, they review monthly spending by project, and when costs for the ‘R&D’ project are higher than expected, they receive an automatic cost alert. They then analyze the details and find several underused virtual machines, which they shut down based on Azure Advisor recommendations, reducing overall spend.

For more information see these links:

Describe the purpose of tags

Tags are descriptive labels that help categorize and organize Azure resources. By attaching tags, you can classify resources according to business units, environments (such as production or development), projects, or cost centers.
Tags simplify cost management by allowing you to group and filter resources for billing and budgeting. For example, you can view costs by department or application, enabling more accurate financial tracking and accountability.
Tags improve operational efficiency by making it easier to search, filter, and manage resources within the Azure portal. Administrators and IT staff can quickly locate relevant assets based on tag values, saving time and reducing errors.
Tags can be used to automate processes like resource clean-up, security checks, and compliance reporting. Many Azure tools and scripts rely on tags to identify which resources require specific actions.
Consistent tagging supports governance by aligning resource management with organizational policies, ensuring that important information (like owner, environment, and purpose) is always attached to every resource.

Example: An IT department tags all Azure virtual machines with ‘Department: Finance’, ‘Environment: Production’, and ‘Project: Payroll’. When viewing costs in Azure Cost Management, they filter by these tags to see how much the Finance Payroll project spends, helping allocate expenses correctly.

Use Case: A general IT administrator regularly audits all cloud resources. By filtering Azure resources via the ‘Environment: Dev’ and ‘Department: Sales’ tags, the administrator quickly identifies dev/test resources owned by Sales. This enables them to schedule resource clean-up or adjust capacity based on project status—streamlining cost control and resource management.

For more information see these links:

Describe features and tools in Azure for governance and compliance

Describe the purpose of Microsoft Purview in Azure

Microsoft Purview provides a unified platform in Azure to discover, classify, and catalog all organizational data, making it easy to find and manage data assets across clouds, on-premises, and SaaS sources.
Purview automates data discovery and tagging, helping IT teams classify sensitive information, maintain data quality, ensure data security, and comply with regulations like GDPR and HIPAA.
The service streamlines governance by centralizing metadata, enforcing access policies, and visually tracking data lineage, so organizations can control who accesses data and how it is used.
With built-in tools like the Data Map and Unified Catalog, IT teams can efficiently curate, monitor, and manage data lifecycles, reduce redundancy, and ensure that trusted information is used for analytics and decision-making.

Example: A healthcare company using Azure integrates Microsoft Purview to automatically scan and classify patient records stored across multiple databases. This helps staff quickly locate accurate, compliance-ready data while keeping sensitive personal information protected.

Use Case: An IT team at a financial services firm leverages Microsoft Purview in Azure to create a central data catalog, which enables secure access, easier auditing, and automated classification of sensitive financial data. This supports both regulatory compliance and efficient reporting workflows.

For more information see these links:

Describe the purpose of Azure Policy

Azure Policy allows organizations to set and enforce rules that govern how Azure resources should be configured and maintained, ensuring they meet specific standards and business requirements.
It provides automated compliance assessments and remediation, helping IT teams quickly identify and correct resources that do not follow company policies across all cloud subscriptions and resource groups.
The compliance dashboard in Azure Policy gives a centralized view of policy status and resource compliance, enabling easier tracking, reporting, and auditing for regulatory or internal requirements.
Azure Policy supports both built-in and custom policy definitions using JSON, which can be grouped into initiatives for broader governance, and works alongside other tools like Azure RBAC to give granular control over resources and users.

Example: An IT department uses Azure Policy to require that every virtual machine deployed in the organization must have a specific tag, such as ‘Department’, to help track resource owners and manage costs more efficiently. If a VM is deployed without the tag, Azure Policy remediates the configuration automatically or flags it in the compliance dashboard.

Use Case: A general IT organization wants to enforce security by ensuring that all storage accounts have secure transfer enabled. By creating and assigning an Azure Policy requiring secure transfer, the IT team guarantees company-wide compliance without manual checking, reducing risk and saving administrative time.

For more information see these links:

Describe the purpose of resource locks

Resource locks in Azure help prevent critical resources from being unintentionally deleted or modified by users, even if they have the right permissions.
There are two types of locks: ‘CanNotDelete’ (prevents deletion but allows reading and modifying) and ‘ReadOnly’ (prevents any changes, allowing only viewing the resource).
Locks can be applied to various levels, such as individual resources, resource groups, or entire subscriptions, providing flexible protection for important assets.
Applying resource locks is an important part of governance and compliance in IT environments, ensuring that essential services are safeguarded against accidental or unauthorized changes.
Resource locks take precedence over role-based access control (RBAC), meaning that even users with high-level permissions cannot bypass them without first removing the lock.

Example: An IT team is managing a production Azure SQL Database that runs a critical business application. To prevent accidental deletion or changes that could disrupt business operations, they place a ‘ReadOnly’ lock on the database resource. This ensures that, even if a team member tries to update or delete the database, Azure blocks the action until the lock is removed intentionally.

Use Case: A general IT administrator is responsible for the organization’s web application hosted on Azure. To ensure the web app and its associated DNS records are not accidentally deleted during maintenance or cleanup tasks, the administrator applies a ‘CanNotDelete’ lock on the web app resource and a ‘ReadOnly’ lock on the DNS records. This protects the application’s availability and prevents costly downtime caused by accidental actions.

For more information see these links:

Describe features and tools for managing and deploying Azure resources

Describe the Azure portal

The Azure portal is a web-based, unified console that allows users to create, manage, and monitor Azure resources using a graphical user interface. It provides access to all Azure services within a single, easy-to-navigate environment.
Users can perform key actions such as creating resources (virtual machines, databases, storage accounts), monitoring their health with built-in graphs and dashboards, and managing subscription settings—all without the need for command-line tools.
The portal includes features for organizing and securing resources, such as tagging for logical grouping, applying locks to prevent accidental deletions, and managing access permissions using Azure role-based access control (RBAC).
Continuous availability is built into the Azure portal, ensuring resilience against individual datacenter failures and requiring no downtime for maintenance. It can be accessed securely from any supported web browser.
The portal offers helpful tools like guided wizards for resource creation, customizable dashboards for quick access to key information, and direct links to documentation, making it beginner-friendly and actionable for daily IT tasks.

Example: A small IT team uses the Azure portal to set up a new web application. Through the portal’s guided wizards, they create a virtual machine, add a storage account, and set up monitoring dashboards—all through an easy-to-use web interface, with no need for advanced scripting or command-line experience.

Use Case: An IT administrator at a mid-sized company regularly logs into the Azure portal to monitor virtual machine performance, apply cost-saving tags to resources, and manage user access to different projects. This central, visual interface streamlines their daily cloud management tasks, even without deep cloud expertise.

For more information see these links:

Describe Azure Cloud Shell, including Azure Command-Line Interface (CLI) and Azure PowerShell

Azure Cloud Shell is a browser-based, interactive shell environment provided by Microsoft. It lets users manage and deploy Azure resources directly from their web browser, without any local installation.
Cloud Shell supports both Bash (for command-line Linux commands and the Azure CLI) and PowerShell (for Azure PowerShell cmdlets), making it flexible for different scripting and automation needs.
Azure Command-Line Interface (CLI) and Azure PowerShell are the main tools available in Cloud Shell. Both tools allow you to automate, script, and manage Azure resources, but they use different command structures—CLI is built on Python and uses simple, cross-platform commands, while PowerShell uses its own cmdlets and is ideal for users familiar with Windows scripting.
Cloud Shell is preconfigured with the latest versions of Azure CLI and Azure PowerShell, so users can always access up-to-date tools. It also includes persistent cloud-based storage for saving scripts and configuration files.
With Cloud Shell, IT professionals can quickly troubleshoot, automate tasks, or deploy resources from anywhere, using any device, without the overhead of configuring a local environment.

Example: An IT administrator needs to quickly check the status of all virtual machines in an Azure subscription during an outage. By launching Azure Cloud Shell in the browser, the admin can run ‘az vm list -o table’ (Azure CLI) or ‘Get-AzVM’ (Azure PowerShell) to see all VMs and their statuses within seconds—no software installation required.

Use Case: A general IT team manages multiple Azure resources for their organization. To onboard a new team member, they simply provide access to Azure Cloud Shell. The new member can immediately start learning and managing Azure resources using either Azure CLI or PowerShell, without spending time installing tools or configuring their workstation.

For more information see these links:

Describe the purpose of Azure Arc

Azure Arc provides a single, unified platform to manage resources that are located outside of Azure, including on-premises data centers, other cloud providers, and edge devices. This allows IT teams to control diverse environments using familiar Azure tools.
With Azure Arc, organizations can bring servers, virtual machines, Kubernetes clusters, and databases into Azure Resource Manager, enabling centralized deployment, monitoring, and governance, regardless of where those resources physically reside.
Azure Arc enables consistent application of security, compliance, and operational policies across all resources, simplifying operations and reducing risk when managing hybrid and multicloud environments.

Example: A company operates both an on-premises data center and uses services from multiple cloud providers. By connecting all their servers and virtual machines to Azure Arc, the IT team can manage updates, monitor health, and apply security policies from a single Azure dashboard, instead of using multiple tools for each environment.

Use Case: An IT administrator in a financial institution needs to ensure compliance and security standards are consistently enforced across both on-premises infrastructure and cloud workloads. Using Azure Arc, they apply policies centrally, monitor compliance status, and quickly remediate issues, all from the Azure portal.

For more information see these links:

Describe infrastructure as code (IaC)

Infrastructure as Code (IaC) automates the setup and management of IT infrastructure—like virtual machines, networks, and storage—using code instead of manual processes. This makes infrastructure deployment faster, more reliable, and repeatable.
With IaC, all changes to infrastructure are defined in code files (such as JSON, YAML, or Bicep templates) that can be stored in version control systems (like Git). This allows teams to track changes, collaborate, and roll back if needed, just like with application code.
IaC enables teams to create multiple identical environments (such as development, testing, and production) easily, ensuring consistency between them. This reduces configuration errors and ‘drift’ that may cause issues during deployment.
Popular IaC tools for Azure include Azure Resource Manager (ARM) templates, Bicep, Terraform, and the Azure CLI. These tools allow users to declare the desired state of resources and automate deployment, scaling, or deletion as requirements change.

Example: An IT team needs to deploy a web application on Azure. Instead of manually configuring servers, databases, and networking settings through the portal, they use an ARM template to define all resources in code. When they run this template, Azure automatically creates the required infrastructure in a consistent, error-free way. The same template can be reused to quickly set up test or production environments.

Use Case: A general IT department at a company wants to enforce standard security and networking policies across all their Azure environments. By creating a version-controlled Bicep template that includes virtual network settings, firewall rules, and storage accounts, they ensure each team deploys resources that comply with company policies. This approach makes it simple to update configurations company-wide by editing a single source template.

For more information see these links:

Describe Azure Resource Manager (ARM) and ARM templates

Azure Resource Manager (ARM) is the management layer in Azure that enables you to create, update, and delete resources in your Azure account in a consistent and unified way. It provides a centralized way to manage and organize resources like virtual machines, storage accounts, and networks.
ARM templates are JSON files that define the desired state and configuration of your Azure resources using declarative syntax. Instead of running multiple individual commands, you describe what resources you want and how they should be configured, and Azure Resource Manager takes care of deploying them in the right order.
ARM templates support automation and repeatable infrastructure deployments, following the ‘infrastructure as code’ (IaC) approach. Templates can be stored in source control, shared, versioned, and used across different environments, ensuring consistency and reliability.
ARM templates can deploy resources at the resource group or subscription level, making it easy to apply policies, access controls, or deploy multiple resources across your Azure environment from a single template file.
Templates can be modular and reusable by linking or nesting them, and can be stored as template specs in Azure for sharing within your organization. This makes it easier to standardize deployments and manage complex environments.

Example: An IT team wants to quickly set up a complete web application environment in Azure for development and testing. They use an ARM template that specifies a virtual network, a subnet, two virtual machines for web servers, a load balancer, and a storage account. With one deployment of the ARM template, all necessary resources are created and configured automatically and consistently.

Use Case: A general IT department needs to enforce security across all Azure resources by deploying a set of policies and role-based access controls (RBAC) at the subscription level. By using a single ARM template, they can apply these policies and RBAC assignments to all resource groups in the subscription at once, ensuring compliance and reducing manual management effort.

For more information see these links:

Describe monitoring tools in Azure

Describe the purpose of Azure Advisor

Azure Advisor is a cloud-based service that analyzes your Azure resources and provides personalized recommendations to help you follow best practices.
It helps you optimize your Azure environment by suggesting improvements across five categories: cost, security, reliability, performance, and operational excellence.
The recommendations from Azure Advisor are actionable, meaning you can understand the impact and steps required to implement changes directly from the Azure portal.
Azure Advisor continuously evaluates your resources, ensuring you are aware of opportunities to save money, improve security, or boost efficiency as your workloads evolve.
IT teams can filter recommendations by resource type or subscription, making it easier to prioritize and act on the most important improvements.

Example: An IT team managing several virtual machines in Azure receives a recommendation from Azure Advisor to resize or shut down underutilized VMs. By following this advice, the team reduces unnecessary spending without impacting their services.

Use Case: A general IT department uses Azure Advisor after migrating company applications to Azure. Advisor highlights security improvements, such as enabling multi-factor authentication on user accounts and applying specific patches to exposed virtual machines. By acting on these recommendations, the IT team improves security and compliance with company policy.

For more information see these links:

Describe Azure Service Health

Azure Service Health is a monitoring tool that provides personalized alerts and guidance about issues, planned maintenance, advisories, and security updates affecting your Azure services and regions. Unlike the global Azure Status page, it shows issues relevant specifically to your subscriptions.
The Service Health portal offers a customizable dashboard where IT teams can track real-time service issues, upcoming maintenance, health advisories, security notices, and billing updates for the Azure services and regions they use.
You can set up Service Health alerts to notify your team automatically by email, SMS, or other channels whenever a new incident or planned maintenance impacts your environment, helping maintain business continuity and a quick response to potential disruptions.
Service Health focuses on service-wide events, while Azure Resource Health reports on the health of individual resources, such as a virtual machine or database. Using both together provides a complete view of your environment’s health.
Access to Service Health details and configuring alerts is available to users with permitted roles (Reader, Contributor, Owner) in the Azure portal; data is updated in near real-time as incidents evolve.

Example: Suppose your company hosts a web application in Azure, and Microsoft starts planned maintenance on the database service in your region. Azure Service Health sends you an alert in advance, allowing you to notify users and prepare by scaling your environment or scheduling downtime.

Use Case: A general IT administrator in a medium-sized company gets a Service Health alert about an unplanned Azure outage in their primary region. Thanks to the immediate notification, the admin quickly informs stakeholders, shifts workloads to a backup region, and updates support channels before users are significantly impacted.

For more information see these links:

Describe Azure Monitor, including Log Analytics, Azure Monitor alerts, and Application Insights

Azure Monitor is a comprehensive monitoring service that collects and analyzes telemetry data (such as logs and metrics) from your Azure resources, applications, and infrastructure. It helps IT teams monitor health, performance, and usage, and acts as the central platform for tracking what happens in your Azure environment.
Log Analytics is a feature within Azure Monitor that allows you to collect, search, and analyze log data from various resources. Using Log Analytics, you can run powerful queries to identify trends, troubleshoot problems, and gain insights from across your resources.
Azure Monitor Alerts provide proactive notifications based on conditions set by IT professionals. You can create alerts using metrics (such as CPU usage), logs (such as error logs), or activity logs (such as resource changes). This helps detect and address issues quickly, often before users notice any impact.
Application Insights is an extension of Azure Monitor designed for monitoring live applications. It automatically detects performance anomalies, tracks usage patterns, and provides detailed diagnostics—enabling IT teams to understand how applications are performing from the user’s perspective.
All components work together—Log Analytics analyzes log data, Application Insights focuses on application health, and Alerts provide real-time notifications—giving IT teams a complete monitoring toolkit for cloud resources and applications.

Example: Imagine an IT team managing an Azure-hosted web application. They use Azure Monitor to collect performance metrics (like server load), set up alerts for slow response times, analyze application errors with Log Analytics, and monitor how users interact with the app using Application Insights. If response time exceeds 2 seconds, the system automatically sends an alert to the team so they can investigate before customers complain.

Use Case: A general IT administrator uses Azure Monitor and its features to maintain a business-critical web application hosted on Azure. They configure Log Analytics to collect detailed error logs, set up metric alerts for high CPU or memory usage, and enable Application Insights to detect slow page loads or exceptions in real-time. This ensures rapid identification and resolution of incidents, minimizes downtime, and optimizes the user experience for customers accessing the application.

For more information see these links: