Microsoft Certified: Azure Fundamentals (AZ-900)

The Microsoft Certified: Azure Fundamentals (AZ-900) is the essential starting point for anyone looking to validate their foundational knowledge of cloud services and how those services are provided with Microsoft Azure. It is designed for both technical and non-technical professionals

---------- Question 1
A new junior administrator has joined your IT team and needs to manage virtual machines for a specific development project within your Azure subscription. This project has its own dedicated resource group called dev-project-rg. The administrator should be able to start, stop, and reboot virtual machines, but should not be able to delete them or modify network configurations, and crucially, should not have access to virtual machines or resources in other projects or subscription-level settings. Which Azure identity and access management concept, along with its appropriate scope, should be used to grant these specific permissions?
  1. Microsoft Entra ID Conditional Access, applied at the subscription level.
  2. Azure Role-Based Access Control (RBAC), assigned at the resource group scope.
  3. Microsoft Entra Domain Services, enabling authentication for virtual machines.
  4. Zero Trust model, implemented globally across all Azure resources.

---------- Question 2
An enterprise has multiple development teams working on various projects within a shared Azure subscription. There have been instances of critical resources being accidentally deleted or modified, causing service disruptions. Additionally, the finance department requires all deployed resources to be consistently tagged with Project and Department information to accurately allocate costs and perform chargebacks. Which two Azure governance features should the enterprise implement to address both the accidental modification/deletion issue and the mandatory tagging requirement?
  1. Azure Advisor and Azure Service Health.
  2. Azure Monitor and Log Analytics.
  3. Resource Locks and Azure Policy.
  4. Azure Cost Management and Azure Purview.

---------- Question 3
An enterprise is looking for a networking solution that provides a dedicated, private connection between their on-premises office and Azure resources. They require a connection that does not traverse the public internet, offers consistent bandwidth, and supports speeds up to 100 Gbps for large data transfers. Which Azure networking service should the enterprise implement to satisfy these specific requirements?
  1. Azure VPN Gateway
  2. Azure Virtual Network Peering
  3. Azure ExpressRoute
  4. Azure DNS

---------- Question 4
An IT department is struggling with developers deploying expensive virtual machines that do not follow corporate naming conventions or security standards. They want to enforce a rule that prevents the creation of any resource that does not meet these specific criteria across the entire subscription. Which Azure tool is designed to enforce these compliance standards and prevent non-compliant resource creation?
  1. Azure Advisor
  2. Azure Policy
  3. Resource Locks
  4. Azure Monitor

---------- Question 5
A company is migrating its legacy on-premises applications to Azure. They have chosen to deploy their web application to Azure App Service, which is a Platform as a Service (PaaS) offering. The company is particularly concerned about data encryption at rest and assumes that all aspects of security, including physical security of the datacenter, network controls, operating system patching, and application-level security, are entirely handled by Microsoft. Which specific security responsibility component is the customer solely accountable for in this PaaS scenario, according to the Shared Responsibility Model?
  1. Physical security of the Azure datacenter infrastructure.
  2. Network controls between virtual machines within the Azure virtual network.
  3. Operating system patching and configuration for the underlying servers hosting Azure App Service.
  4. Application-level security, including code vulnerabilities and data encryption within the application itself.

---------- Question 6
A company has several Azure subscriptions and wants to ensure that no one accidentally deletes a critical production database. They also want to ensure that all resources in these subscriptions are only deployed in the 'East US' region to comply with data residency laws. Which two Azure governance tools should the administrator use to solve these requirements respectively?
  1. Azure Advisor to identify the database and Azure Monitor to track the regional location of all newly deployed resources.
  2. Resource Locks to prevent accidental deletion and Azure Policy to enforce the regional deployment requirement.
  3. Management Groups to group the subscriptions and RBAC roles to prevent the deletion of the database by specific users.
  4. Azure Service Health to monitor the database and Azure Resource Manager (ARM) templates to define the deployment region.

---------- Question 7
A DevOps team wants to deploy a complex infrastructure consisting of multiple virtual networks, subnets, and virtual machines in a repeatable and consistent manner. They want to use a declarative approach where they define the desired state of the infrastructure in a file that can be version-controlled. Which Azure technology is the native solution for this requirement?
  1. Azure Command-Line Interface (CLI)
  2. Azure Resource Manager (ARM) templates
  3. Azure Cloud Shell
  4. Azure PowerShell

---------- Question 8
An organization is considering migrating their existing on-premises data analytics platform to Azure. They are particularly interested in the cloud characteristic that allows them to provision and deprovision resources as needed, paying only for the resources they consume. This approach helps them align costs directly with usage fluctuations, avoiding large upfront capital expenditures for hardware that might be underutilized during low demand periods. Which core cloud concept does this scenario primarily describe?
  1. High Availability, which ensures that services remain operational even during component failures.
  2. Elasticity, representing the ability to automatically scale resources up or down to meet changing demand.
  3. Consumption-based model, where resources are paid for based on usage, measured by metrics like compute time or data stored.
  4. Predictability, which relates to understanding future costs and performance for consistent budgeting.

---------- Question 9
A global company is planning to migrate its on-premises infrastructure to Azure. The IT Director is concerned about security tasks and wants to understand the division of labor. According to the Azure Shared Responsibility Model, which specific responsibility remains solely with the customer regardless of whether they choose Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS)?
  1. Physical security of the datacenters and network hardware
  2. Operating system patching and middleware configuration
  3. Management of endpoints, accounts, and information/data
  4. Virtualization layer maintenance and physical host security

---------- Question 10
A government agency is migrating its sensitive data and applications to Azure. A critical security requirement is to implement a robust access control mechanism where users and applications are granted only the minimum necessary permissions to perform their tasks, and all access attempts are continuously verified. The agency adheres to a security philosophy that no entity, whether internal or external, should be inherently trusted. They need a way to precisely define who can do what with specific resources. Which two Azure identity and access management concepts are fundamental to achieving this stringent security posture and principle of least privilege?
  1. Microsoft Entra Domain Services and Single Sign-On (SSO)
  2. Azure Role-Based Access Control (RBAC) and Zero Trust
  3. Azure Private Link and Azure Firewall
  4. Microsoft Entra External Identities and Multi-Factor Authentication (MFA)

