Quick answer: These 20 AZ-900 practice questions cover all three exam domains—cloud concepts (25–30%), core Azure services (35–40%), and security/privacy/compliance (30–35%). Each question includes a detailed rationale explaining why the correct answer is right and why each wrong answer is a trap. Use these to identify weak areas and build confidence before exam day.
Why These AZ-900 Practice Questions Matter
The Microsoft Azure Fundamentals (AZ-900) exam validates foundational cloud knowledge—no deep technical expertise required. But passing isn’t just about memorizing facts. You must understand Azure’s service boundaries, pricing models, and compliance frameworks. These 20 free practice questions are designed to mirror the real exam’s style, including tricky wording and common distractors. Study them, understand the reasoning, and you’ll walk in prepared.
Domain 1: Cloud Concepts (Questions 1–6)
Question 1: Which cloud model gives you the most control over the underlying infrastructure?
A) Software as a Service (SaaS)
B) Platform as a Service (PaaS)
C) Infrastructure as a Service (IaaS)
D) Function as a Service (FaaS)
Correct Answer: C) Infrastructure as a Service (IaaS)
Rationale: IaaS provides virtualized computing resources over the internet, giving you control over OS, storage, and deployed applications. You manage the infrastructure while the provider handles the physical hardware.
Why wrong:
- SaaS gives you no control—you only use the application.
- PaaS abstracts the OS and runtime; you manage code and data only.
- FaaS is serverless; you don’t manage any infrastructure.
Exam trap: Many candidates confuse PaaS with IaaS. Remember: IaaS = you manage the virtual machine; PaaS = you only deploy code.
Question 2: What is a key benefit of a public cloud deployment?
A) Highest level of control over hardware
B) No capital expenditure for hardware
C) Guaranteed data sovereignty
D) Single-tenant isolation by default
Correct Answer: B) No capital expenditure for hardware
Rationale: Public cloud shifts costs from upfront capital expense (CapEx) to operational expense (OpEx). You pay for what you use, avoiding large hardware purchases.
Why wrong:
- A is false—public cloud shares hardware across tenants.
- C is false—data sovereignty depends on region selection, not inherent.
- D is false—public cloud is multi-tenant by default.
Exam trap: Don’t confuse “no CapEx” with “no cost”—you still pay recurring fees.
Question 3: Which characteristic of cloud computing allows resources to be adjusted automatically based on demand?
A) High availability
B) Elasticity
C) Fault tolerance
D) Scalability
Correct Answer: B) Elasticity
Rationale: Elasticity is the ability to automatically provision and de-provision resources in response to real-time demand. Scalability is manual or planned scaling.
Why wrong:
- High availability ensures uptime, not dynamic scaling.
- Fault tolerance handles failures without downtime.
- Scalability is broader—elasticity is a subset that focuses on automatic adjustment.
Exam trap: Elasticity = automatic; scalability = capacity to grow.
Question 4: Which cloud model is best suited for an organization with strict regulatory requirements that also needs to burst to public cloud during peak loads?
A) Public cloud only
B) Private cloud only
C) Hybrid cloud
D) Community cloud
Correct Answer: C) Hybrid cloud
Rationale: Hybrid cloud combines private and public clouds, allowing sensitive data to stay in a private environment while leveraging public cloud for overflow.
Why wrong:
- Public only lacks control for compliance.
- Private only doesn’t handle burst scenarios cost-effectively.
- Community cloud is shared among organizations with common concerns—not tailored for individual compliance.
Exam trap: “Hybrid” is about connecting environments, not just using two clouds independently.
Question 5: Which of the following is a financial benefit of the consumption-based model?
A) You pay a fixed monthly fee
B) You pay only for what you use
C) You prepay for reserved capacity
D) You avoid all operational costs
Correct Answer: B) You pay only for what you use
Rationale: Consumption-based (pay-as-you-go) pricing aligns cost with usage, reducing waste and enabling cost optimization.
Why wrong:
- Fixed fee is subscription-based, not consumption.
- Prepay is reserved capacity, which is different.
- Operational costs still exist (e.g., data egress, support).
Exam trap: Reserved instances save money but require upfront commitment—not consumption-based.
Question 6: What is the primary purpose of a Service Level Agreement (SLA) in cloud computing?
A) To define the pricing model
B) To guarantee uptime and performance metrics
C) To specify data storage location
D) To list supported programming languages
Correct Answer: B) To guarantee uptime and performance metrics
Rationale: SLAs are contractual commitments for service availability (e.g., 99.9% uptime) and often include credits if not met.
Why wrong:
- Pricing is separate in a pricing sheet.
- Data location is a compliance requirement, not SLA.
- Languages are technical capabilities, not SLA items.
Exam trap: SLAs are about availability, not functionality or security.
Domain 2: Core Azure Services (Questions 7–14)
Question 7: Which Azure service provides virtual machines and virtual networks?
A) Azure Functions
B) Azure App Service
C) Azure Virtual Machines
D) Azure Kubernetes Service (AKS)
Correct Answer: C) Azure Virtual Machines
Rationale: Azure Virtual Machines is an IaaS offering for running VMs with full control. Virtual networks (VNets) are part of the same infrastructure.
Why wrong:
- Azure Functions is serverless compute.
- App Service is PaaS for web apps.
- AKS is container orchestration.
Exam trap: Don’t confuse IaaS (VMs) with PaaS (App Service).
Question 8: Which Azure storage option is optimized for massive, unstructured data like videos and backups?
A) Azure Blob Storage
B) Azure Files
C) Azure Queue Storage
D) Azure Table Storage
Correct Answer: A) Azure Blob Storage
Rationale: Blob Storage is designed for large amounts of unstructured data—ideal for media, backups, and logs.
Why wrong:
- Azure Files is a managed file share (SMB protocol).
- Queue Storage is for messaging.
- Table Storage is NoSQL key-value store.
Exam trap: “Unstructured” is key—blobs are for binary large objects.
Question 9: Which Azure service provides a fully managed relational database?
A) Azure Cosmos DB
B) Azure SQL Database
C) Azure Cache for Redis
D) Azure Database for MySQL (single server)
Correct Answer: B) Azure SQL Database
Rationale: Azure SQL Database is a fully managed relational database-as-a-service (DBaaS).
Why wrong:
- Cosmos DB is NoSQL.
- Redis is an in-memory cache.
- Azure Database for MySQL is also managed but not the primary relational option—SQL Database is the canonical answer.
Exam trap: “Relational” eliminates Cosmos DB and Redis.
Question 10: What is the primary purpose of Azure Load Balancer?
A) To distribute incoming traffic across multiple servers
B) To encrypt data in transit
C) To provide DNS resolution
D) To monitor application performance
Correct Answer: A) To distribute incoming traffic across multiple servers
Rationale: Load Balancer distributes network traffic to improve availability and resilience.
Why wrong:
- Encryption is handled by SSL/TLS, not load balancer.
- DNS is Azure DNS or custom.
- Monitoring is Azure Monitor.
Exam trap: Load balancers are about distribution, not security or monitoring.
Question 11: Which Azure service allows you to run code without provisioning servers?
A) Azure Virtual Machines
B) Azure App Service
C) Azure Functions
D) Azure Container Instances
Correct Answer: C) Azure Functions
Rationale: Azure Functions is a serverless compute service—you write code and pay only for execution time.
Why wrong:
- VMs require provisioning.
- App Service still runs on a plan (can be serverless with Consumption plan, but Functions is the classic serverless).
- Container Instances require container management.
Exam trap: “Without provisioning servers” is the definition of serverless—Functions is the best answer.
Question 12: What is Azure Resource Manager (ARM) used for?
A) To manage virtual machine images
B) To deploy and manage Azure resources through templates
C) To monitor network traffic
D) To create Azure AD users
Correct Answer: B) To deploy and manage Azure resources through templates
Rationale: ARM is the deployment and management service for Azure. It uses JSON templates for infrastructure as code.
Why wrong:
- VM images are managed in Compute Gallery.
- Network traffic is Network Watcher.
- Azure AD users are managed in Azure AD.
Exam trap: ARM is about resource management, not specific services.
Question 13: Which Azure service provides a global content delivery network (CDN) with low latency?
A) Azure Front Door
B) Azure CDN
C) Azure Traffic Manager
D) Azure DNS
Correct Answer: B) Azure CDN
Rationale: Azure CDN caches content at edge locations for faster delivery.
Why wrong:
- Front Door is a global load balancer and application accelerator.
- Traffic Manager is DNS-based traffic routing.
- DNS is name resolution.
Exam trap: CDN is specifically for caching static content.
Question 14: What is the purpose of Azure Policy?
A) To enforce compliance rules on resources
B) To manage user identities
C) To monitor resource performance
D) To create virtual networks
Correct Answer: A) To enforce compliance rules on resources
Rationale: Azure Policy evaluates resources against rules (e.g., “only allow VMs in West Europe”).
Why wrong:
- User identities is Azure AD.
- Monitoring is Azure Monitor.
- Virtual networks is VNet.
Exam trap: Policy is about governance, not identity or monitoring.
Domain 3: Security, Privacy, Compliance, and Trust (Questions 15–20)
Question 15: Which Azure service provides a centralized way to manage security across all resources?
A) Azure Security Center
B) Azure Sentinel
C) Azure Key Vault
D) Azure Defender
Correct Answer: A) Azure Security Center
Rationale: Security Center (now part of Microsoft Defender for Cloud) offers unified security management and threat protection.
Why wrong:
- Sentinel is a SIEM/SOAR solution.
- Key Vault manages secrets.
- Defender is a broader suite—Security Center is the dashboard.
Exam trap: Security Center is the portal; Defender is the product name.
Question 16: Which encryption type protects data stored in Azure SQL Database?
A) Encryption at rest
B) Encryption in transit
C) Encryption in use
D) Client-side encryption
Correct Answer: A) Encryption at rest
Rationale: Azure SQL Database encrypts data at rest using Transparent Data Encryption (TDE).
Why wrong:
- In transit is TLS for network traffic.
- In use is homomorphic encryption (not standard).
- Client-side is optional, not default.
Exam trap: “Stored” means at rest.
Question 17: Which compliance framework is specifically designed for government agencies in the United States?
A) ISO 27001
B) SOC 2
C) FedRAMP
D) HIPAA
Correct Answer: C) FedRAMP
Rationale: FedRAMP is a U.S. government-wide program that standardizes security assessment for cloud services.
Why wrong:
- ISO 27001 is international.
- SOC 2 is for service organizations.
- HIPAA is for healthcare.
Exam trap: “Government agencies” narrows it to FedRAMP.
Question 18: What is the primary purpose of Azure Active Directory (Azure AD)?
A) To manage virtual machines
B) To provide identity and access management
C) To store blobs
D) To monitor logs
Correct Answer: B) To provide identity and access management
Rationale: Azure AD is Microsoft’s cloud-based identity and access management service.
Why wrong:
- VMs are compute.
- Blobs are storage.
- Logs are Azure Monitor.
Exam trap: Azure AD is not the same as Active Directory Domain Services (on-premises).
Question 19: Which Azure service helps protect against DDoS attacks?
A) Azure Firewall
B) Azure DDoS Protection
C) Network Security Groups (NSGs)
D) Azure Bastion
Correct Answer: B) Azure DDoS Protection
Rationale: Azure DDoS Protection provides mitigation against distributed denial-of-service attacks.
Why wrong:
- Firewall is for traffic filtering.
- NSGs are for subnet/VM rules.
- Bastion is for secure RDP/SSH access.
Exam trap: DDoS Protection is a dedicated service, not a generic firewall.
Question 20: What does the Microsoft Privacy Statement cover?
A) How Microsoft secures its data centers
B) How Microsoft handles customer data
C) How to use Azure Policy
D) How to configure compliance
Correct Answer: B) How Microsoft handles customer data
Rationale: The Privacy Statement explains data collection, usage, and sharing practices.
Why wrong:
- Data center security is covered in compliance docs.
- Azure Policy is separate.
- Compliance is a broader topic.
Exam trap: Privacy is about data handling, not technical security.
Your Next Step: Practice More
These 20 questions cover the three AZ-900 domains, but the real exam has about 40–60 questions. Use this set to identify weak areas—maybe you need more work on security or Azure services. For a full-length practice test with 200+ questions, detailed explanations, and adaptive feedback, check out Courseiva’s free AZ-900 practice questions. It’s the closest you’ll get to the real exam without sitting for it. Good luck—you’ve got this.