Here I will write all my notes: everything I found relevant to understanding things a little better, and that is helping me prepare for AZ-900.
a. All exam details can be found here.
b. Make sure you know and understand the AZ-900 skills outline.
c. See the full Azure knowledge base and docs at this link.
Skills measured
Describe cloud concepts (25–30%)
Describe cloud computing
• Define cloud computing
• Describe the shared responsibility model
• Define cloud models, including public, private, and hybrid
– Hybrid cloud can be used to augment on-premises resources by providing overflow capacity
– Hybrid cloud is a combination of two or more clouds, such as public + private cloud
– Hybrid cloud can be used to keep sensitive data on-premises
– Hybrid cloud lets a business keep running on-premises while using public cloud resources when needed
• Identify appropriate use cases for each cloud model
• Describe the consumption-based model
• Compare cloud pricing models
Describe the benefits of using cloud services
• Describe the benefits of high availability and scalability in the cloud
• Describe the benefits of reliability and predictability in the cloud
• Describe the benefits of security and governance in the cloud
• Describe the benefits of manageability in the cloud
Describe cloud service types
• Describe infrastructure as a service (IaaS)
• Describe platform as a service (PaaS)
• Describe software as a service (SaaS)
• Identify appropriate use cases for each cloud service (IaaS, PaaS, SaaS)
Describe Azure architecture and services (35–40%)
Describe the core architectural components of Azure
• Describe Azure regions, region pairs, and sovereign regions
– Azure regions specify the location of resources
– An Azure region contains one or more datacenters
– Azure regions are always paired with another region
– A region's pair is always within the same geography, such as the US
– Azure regions cannot span across countries
• Describe availability zones
• Describe Azure datacenters
• Describe Azure resources and resource groups
– An Azure resource group can contain resources from any region
– A resource can reside in only one resource group at a time
– Resources can interact with resources in other resource groups
– Resource group membership does not by itself affect access to a resource
• Describe subscriptions
– When you transfer billing ownership to another Azure AD tenant, all users and groups with RBAC to manage the subscription lose their access
– When you transfer billing ownership to another Azure AD tenant, Azure Kubernetes Service (AKS) clusters lose functionality
– When you transfer billing ownership to another Azure AD tenant, system-assigned managed identities are not re-enabled automatically and must be re-enabled after the transfer
– When you transfer billing ownership to another Azure AD tenant, any user-assigned managed identities must be re-created
– You can transfer an existing subscription to a new Azure AD tenant; however, ALL RBAC assignments are deleted from the source tenant
– You can transfer an existing subscription to a new Azure AD tenant, but role assignments are not migrated
– Billing occurs at the subscription level
– A resource can belong to only one subscription
– A user may access multiple subscriptions
• Describe management groups
• Describe the hierarchy of resource groups, subscriptions, and management groups
Describe Azure compute and networking services
• Compare compute types, including container instances, virtual machines (VMs), and functions
– Azure Container Instances (ACI) can be accessed over the internet by IP address or domain name
– ACI can run Windows or Linux containers
– ACI scales out as needed
– A container represents a single app and its dependencies
– ACI does not require you to install dependencies; they are installed automatically
– ACI does not require you to configure a host VM; Azure does it for you
– A container group shares the same operating system (OS) amongst all containers in that group
– Azure Functions is serverless compute
– With Azure Functions serverless compute, users submit their app code to Azure
– With Azure Functions serverless compute, Azure provisions and maintains the servers and infrastructure that run the apps
– With Azure Functions serverless compute, Azure does backups, provides high availability and autoscales
– With Azure Functions you can build an event-driven solution and pay only for the time spent running your code
– Azure Functions abstracts away the servers, infrastructure and operating system (OS)
• Describe VM options, including Azure Virtual Machines, Azure Virtual Machine Scale Sets, availability sets, and Azure Virtual Desktop
– Azure Virtual Desktop works on macOS and iOS
– Azure Virtual Desktop works on Android and in the web browser
– Azure Virtual Desktop users should exist in the same Windows Server Active Directory (AD) that is linked to Azure AD
– Azure Virtual Desktop is not charged on a monthly basis, nor per active user
– Azure Virtual Desktop can be used with Microsoft 365 or Windows, with no other specific or additional requirements
• Describe resources required for virtual machines
• Describe application hosting options, including the Web Apps feature of Azure App Service, containers, and virtual machines
– An Azure Dedicated Host is a physical server dedicated to your organization's workloads only
– An Azure Dedicated Host is an isolated physical server; it is not shared with any other customer
– Azure Dedicated Hosts are used to meet corporate compliance standards
– Azure Dedicated Hosts cannot be shared across multiple subscriptions
– Azure Dedicated Hosts are single tenant
– Azure Dedicated Hosts are charged per dedicated host
– Azure Dedicated Hosts can run Windows or Linux
• Describe virtual networking, including the purpose of Azure Virtual Networks, Azure virtual subnets, peering, Azure DNS, Azure VPN Gateway, and Azure ExpressRoute
– Azure Virtual Network can be used to connect virtual networks across Azure regions
– Azure Virtual Network provides logically isolated, private networks in the cloud
– Azure Virtual Network supports inbound connections using public IP addresses and load balancers
– Azure Virtual Network can be used to transfer data between Azure AD tenants
– Azure Virtual Network peering connects VNets; peering VNets located in different Azure regions is known as Global VNet Peering
– Azure Virtual Network peering creates a high-bandwidth, low-latency connection between VNets
– Transferring data between tenants, subscriptions and deployment models over Azure Virtual Network is supported
– Setting up Azure Virtual Network peering causes no downtime
– Azure Virtual Network traffic is NOT routed over the public internet
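The peering points above, worked through as an added example in Azure PowerShell (Az module). This is not code from the notes or from Microsoft; it assumes Connect-AzAccount has already been run, and the resource group, VNet names and address ranges are placeholders. It creates two VNets in different regions and peers them in both directions (Global VNet Peering), then reads back the peering state.

```powershell
# Added example (not part of the original notes): create two VNets in different
# regions and peer them in both directions (Global VNet Peering).
# Assumes Connect-AzAccount has been run; all names and address ranges are placeholders.
$rg = "rg-network-demo"
New-AzResourceGroup -Name $rg -Location "eastus" | Out-Null

# Address spaces must not overlap, otherwise the peering is rejected.
$subnetA = New-AzVirtualNetworkSubnetConfig -Name "app" -AddressPrefix "10.1.0.0/24"
$vnetA   = New-AzVirtualNetwork -Name "vnet-eastus" -ResourceGroupName $rg -Location "eastus" `
             -AddressPrefix "10.1.0.0/16" -Subnet $subnetA

$subnetB = New-AzVirtualNetworkSubnetConfig -Name "app" -AddressPrefix "10.2.0.0/24"
$vnetB   = New-AzVirtualNetwork -Name "vnet-westeurope" -ResourceGroupName $rg -Location "westeurope" `
             -AddressPrefix "10.2.0.0/16" -Subnet $subnetB

# A peering is a pair of one-way links, so one is created on each side.
# Traffic between the VNets stays on the Microsoft backbone, never the public internet,
# and creating the peering does not interrupt existing workloads.
Add-AzVirtualNetworkPeering -Name "eastus-to-westeurope" -VirtualNetwork $vnetA `
    -RemoteVirtualNetworkId $vnetB.Id | Out-Null
Add-AzVirtualNetworkPeering -Name "westeurope-to-eastus" -VirtualNetwork $vnetB `
    -RemoteVirtualNetworkId $vnetA.Id | Out-Null

# With only one side created the state is "Initiated"; once both exist it becomes "Connected".
Get-AzVirtualNetworkPeering -VirtualNetworkName $vnetA.Name -ResourceGroupName $rg |
    Select-Object Name, PeeringState, AllowVirtualNetworkAccess, AllowForwardedTraffic
```

Because the remote side is referenced only by resource ID, the same two commands work when the second VNet lives in another subscription or tenant, provided the account has network permissions on both sides.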
• Define public and private endpoints
Describe Azure storage services
• Compare Azure storage services
• Describe storage tiers
– Azure Blob Storage cool tier incurs an early-deletion penalty for data deleted within 30 days
– Azure Blob Storage archive tier is not available as an account-level default tier
– Azure Blob Storage archive tier incurs the highest rehydration cost
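The tier behaviour above, as an added Azure PowerShell (Az module) example that is not from the notes or from Microsoft. It assumes Connect-AzAccount has been run and that the storage account, container and local file named below (all placeholders) exist. It sets the account default tier, uploads a blob straight into Cool, moves it to Archive, and starts a rehydration back to Hot.

```powershell
# Added example (not part of the original notes): move a blob between access tiers
# and rehydrate it from Archive. Assumes Connect-AzAccount; names are placeholders.
$rg      = "rg-storage-demo"
$account = "stdemo0001"          # placeholder storage account (must already exist)
$ctx     = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context

# Hot and Cool can be set as the account default; Archive is blob-level only,
# so the same call with -AccessTier Archive is rejected.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -AccessTier Cool | Out-Null

# Upload directly into Cool. Cool data deleted before 30 days still incurs the
# early-deletion charge for the remainder of that period.
Set-AzStorageBlobContent -File ".\backup-2024-01.tar" -Container "backups" -Blob "2024-01/backup.tar" `
    -Context $ctx -StandardBlobTier Cool -Force | Out-Null

$blob = Get-AzStorageBlob -Container "backups" -Blob "2024-01/backup.tar" -Context $ctx

# Archive is the cheapest to store but the blob cannot be read until it is rehydrated.
$blob.BlobClient.SetAccessTier("Archive")

# Rehydrate back to Hot. "Standard" priority (up to 15 hours) is cheaper than "High";
# this rehydration is the most expensive tier change, which is why Archive suits
# data that is rarely, if ever, read back.
$blob.BlobClient.SetAccessTier("Hot", $null, "Standard")

# ArchiveStatus reads "rehydrate-pending-to-hot" until the copy completes.
$blob = Get-AzStorageBlob -Container "backups" -Blob "2024-01/backup.tar" -Context $ctx
$blob | Select-Object Name, AccessTier, @{n="ArchiveStatus"; e={ $_.BlobProperties.ArchiveStatus }}
```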
• Describe redundancy options
• Describe storage account options and storage types
• Identify options for moving files, including AzCopy, Azure Storage Explorer, and Azure File Sync
– Azure Files can be accessed using the SMB protocol (Server Message Block)
– Azure Files can be accessed using the NFS protocol (Network File System)
– Azure Files is a cloud file storage service that operates like a traditional file server
– Azure Files can be used to periodically migrate data to Azure using SMB or NFS
– SMB is the file sharing protocol on WINDOWS; using SMB, any SMB client can access shared files in the cloud
– NFS is the file sharing protocol on LINUX; using NFS, any NFS client can access shared files in the cloud
• Describe migration options, including Azure Migrate and Azure Data Box
Describe Azure identity, access, and security
• Describe directory services in Azure, including Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra and Azure Active Directory Domain Services (Azure AD DS)
– Azure AD Premium P1 supports RBAC and Conditional Access
– Azure AD Premium P1 does NOT support Identity Protection, self-service entitlement management or Privileged Identity Management (PIM) just-in-time access (those are included in Premium P2)
– Azure AD comes in Free, Office 365, Premium P1 and Premium P2 editions
– Azure AD Free allows on-premises directory synchronization
– Azure AD Free supports SSO and user and group management
– Azure AD Premium is required when you want to publish on-premises web apps; this is done with Azure AD Application Proxy
– Azure AD is required when on-premises users need to reset their own passwords; this feature is offered by all Azure AD editions except Free
– Azure AD authentication and authorization do not require integration with on-premises AD
– Azure AD integration with on-premises AD might be applicable in a hybrid environment
– When Azure AD is integrated with on-premises AD through federation it uses AD FS (federation servers); in this scenario Azure AD leaves authentication to AD FS
– Web apps must be registered with Azure AD to receive Azure AD support for authorization and authentication
– Azure AD supports authorization through the use of RBAC
• Describe authentication methods in Azure, including single sign-on (SSO), multifactor authentication, and passwordless
• Describe external identities and guest access in Azure
• Describe Conditional Access in Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra
– Conditional Access can require compliant devices
– Conditional Access can block access by location
– Conditional Access specifies what is required to grant access to the requested resource
• Describe Azure role-based access control (RBAC)
• Describe the concept of Zero Trust
• Describe the purpose of the defense in depth model
• Describe the purpose of Microsoft Defender for Cloud
– Microsoft Defender for Cloud integrates with Azure Policy
– Microsoft Defender for Cloud shows security alerts
– Microsoft Defender for Cloud can be used to improve your secure score
– Microsoft Defender for Cloud provides general security recommendations
– Microsoft Defender for Cloud suggests remediations to better secure resources
– Microsoft Defender for Cloud has native integration with Microsoft Defender Antivirus in Windows
– Microsoft Defender for Cloud works on many different operating systems
– Microsoft Defender for Cloud automatically discovers and assesses the security of new resources as they are deployed
– Microsoft Defender for Cloud supports monitoring, security recommendations and advanced threat protection
– Microsoft Defender for Cloud works for cloud and on-premises VM resources
– Microsoft Defender for Cloud Regulatory Compliance compares your environment against a set of benchmarks provided by Azure to show how well you comply
– Microsoft Defender for Cloud Regulatory Compliance shows an overall compliance score
– Microsoft Defender for Cloud Regulatory Compliance shows the number of passing and failing assessments
Describe Azure management and governance (30–35%)
Describe cost management in Azure
• Describe factors that can affect costs in Azure
• Compare the Pricing calculator and the Total Cost of Ownership (TCO) calculator
• Describe the Azure Cost Management and Billing tool
– Azure Cost Management is used to monitor, allocate and optimize cloud spend in a multi-cloud environment
• Describe the purpose of tags
Describe features and tools in Azure for governance and compliance
• Describe the purpose of Azure Blueprints
– When an Azure Blueprint is updated and the updated version is published, existing assignments are NOT updated automatically
– When an Azure Blueprint is unassigned, all resources previously deployed by the Blueprint remain in place
– When an Azure Blueprint is unassigned, all locks the Blueprint placed on its resources are removed
– When an Azure Blueprint is unassigned, the Blueprint assignment object is deleted
– When you delete a core Blueprint, any assigned version remains in place
– Before deleting a Blueprint it must first be unassigned
– Azure Blueprints is a declarative way to deploy various templates and artifacts, such as ARM templates, policy templates, resource groups and role assignments
• Describe the purpose of Azure Policy
• Describe the purpose of resource locks
– A lock can be used to prevent new resources from being ADDED to a resource group (READ-ONLY lock)
– A lock helps prevent modification of a resource group
– Locking a resource group also locks ALL resources contained in that group
– Locks can be applied to resource groups, subscriptions and individual resources
– Locks apply to all users, regardless of their roles
– The most restrictive lock is applied when multiple locks are in place
– Locks always take precedence over RBAC
– Locks apply to all resources in a scope, and to any new resource added to that scope later
– Locks can be READ-ONLY or DELETE (cannot delete)
– Locks can be used to prevent any user from deleting resources from a subscription whose contents span multiple resource groups
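The RBAC and lock points above together, as an added Azure PowerShell (Az module) example that is not from the notes or from Microsoft. It assumes Connect-AzAccount has been run and that the resource group, VM and user principal named below (placeholders) exist. A Contributor role assignment grants delete rights, a CanNotDelete lock at resource group scope then blocks deletion for everyone, and the lock is visible when queried from a child resource.

```powershell
# Added example (not part of the original notes): a CanNotDelete lock at resource
# group scope stops deletions even for a Contributor on that group.
# Assumes Connect-AzAccount; resource group, VM and user are placeholders that must exist.
$rg  = "rg-payments-prod"
$vm  = "vm-payments-01"
$upn = "ops-user@contoso.example"

# RBAC says what the user may do: Contributor includes delete rights on the group.
New-AzRoleAssignment -SignInName $upn -RoleDefinitionName "Contributor" -ResourceGroupName $rg | Out-Null

# The lock overrides that: it applies to every role and every resource in the group,
# including resources added later.
New-AzResourceLock -LockName "prod-no-delete" -LockLevel CanNotDelete -ResourceGroupName $rg `
    -LockNotes "Production: remove the lock before any deletion" -Force | Out-Null

# Deleting the group (or anything in it) now fails with a "locked" error,
# regardless of who attempts it.
try {
    Remove-AzResourceGroup -Name $rg -Force -ErrorAction Stop
} catch {
    Write-Warning "Delete blocked: $($_.Exception.Message)"
}

# Querying at a child resource still shows the inherited group lock
# (without -AtScope the cmdlet returns locks at, above and below the scope).
Get-AzResourceLock -ResourceGroupName $rg -ResourceName $vm `
    -ResourceType "Microsoft.Compute/virtualMachines" |
    Select-Object Name, @{n="Level"; e={ $_.Properties.level }}, ResourceId

# Removing a lock needs Microsoft.Authorization/locks/* permissions (Owner or
# User Access Administrator); Contributor alone cannot do it.
Remove-AzResourceLock -LockName "prod-no-delete" -ResourceGroupName $rg -Force | Out-Null
```

The design point is the split of responsibilities: RBAC decides who may act, the lock decides whether a class of action is possible at all, and because the lock is evaluated first it is the right control for "nobody deletes this, not even an Owner by accident".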
• Describe the purpose of the Service Trust Portal
Describe features and tools for managing and deploying Azure resources
• Describe the Azure portal
• Describe Azure Cloud Shell, including Azure CLI and Azure PowerShell
– Azure Cloud Shell is an interactive, browser-accessible shell environment
– In Azure Cloud Shell, at launch, select PowerShell to run Azure PowerShell commands, or Bash to run Azure CLI commands
– When running Azure Cloud Shell with Azure PowerShell, Linux-specific commands are also available
– Azure Cloud Shell times out after 20 minutes of inactivity
– Azure Cloud Shell can run Azure CLI and Azure PowerShell on iOS and Android mobile devices
– Azure Cloud Shell can be accessed from the Azure mobile app
– Azure PowerShell and Azure CLI commands work the same on Linux, macOS and Windows
– Azure PowerShell and Azure CLI command execution is supported in Azure Cloud Shell
– Azure PowerShell and Azure CLI execute commands in an interactive environment
– Azure PowerShell and Azure CLI do not provide a GUI (graphical user interface)
• Describe the purpose of Azure Arc
• Describe Azure Resource Manager and Azure Resource Manager templates (ARM templates)
– Azure Resource Manager: use it to request increases to the default limits on how many resources of a given type can be provisioned per Azure region
Describe monitoring tools in Azure
• Describe the purpose of Azure Advisor
– Azure Advisor uses information from Azure Security Center to develop best-practice recommendations for optimization
– Azure Advisor can be used to reduce cost by resizing underutilized virtual machines
– Azure Advisor makes recommendations based on CPU and outbound network utilization
– Azure Advisor helps you optimize resources for cost, performance, availability, security and operational excellence
– Azure Advisor provides recommendations on high availability
– Azure Advisor can be used to review security recommendations for your deployed resources
– Azure Advisor integrates with Microsoft Defender for Cloud to help prevent, detect and respond to threats to Azure resources
• Describe Azure Service Health
– Azure Service Health is for the CLOUD PROVIDER side
– Azure Service Health notifies you if your App Service exceeds its usage quota
– Azure Service Health shows you planned service outages
– Azure Service Health lets you configure a webhook so your website can display health incidents
– Azure Service Health shows advisories, such as deprecated offerings
• Describe Azure Monitor, including Log Analytics, Azure Monitor alerts, and Application Insights
– Azure Monitor sends an email to the admin when a VM is about to exceed its usage quota for the month [Azure Monitor alerts]
– Azure Monitor creates alerts/actions for when CONSUMER-side conditions are met
– Azure Monitor can use autoscale to add/remove resources to minimize cost and/or ensure optimum performance levels
– Azure Monitor does not require diagnostics to be enabled to start collecting data (except for the cases below)
– In Azure Monitor, diagnostics must be enabled if you want to use EVENT LOGS
– In Azure Monitor, diagnostics must also be enabled to collect performance counters
– In Azure Monitor, diagnostics must also be enabled to collect crash logs
– Azure Monitor begins collecting data as soon as a resource is added to a new subscription
– Application Insights is a feature that is part of Azure Monitor
– Application Insights allows visualization of TELEMETRY data
– Application Insights is an Application Performance Management (APM) service that monitors performance in real time
– Application Insights can be installed on Web Apps so telemetry data can be collected from those web apps
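The consumer-side alerting described above, as an added Azure PowerShell (Az module) example that is not from the notes or from Microsoft. It assumes Connect-AzAccount has been run and that the VM and an action group named ag-oncall (with an e-mail receiver) already exist; all names are placeholders. It first reads a platform metric that is collected without any diagnostics being enabled, then creates a metric alert rule that fires the action group when average CPU stays above 80% for five minutes.

```powershell
# Added example (not part of the original notes): an Azure Monitor metric alert that
# notifies an action group when a VM's CPU stays above 80% for five minutes.
# Assumes Connect-AzAccount; the VM and the action group "ag-oncall" already exist.
$rg = "rg-payments-prod"
$vm = Get-AzVM -ResourceGroupName $rg -Name "vm-payments-01"

# Platform metrics such as "Percentage CPU" are collected without enabling diagnostics;
# only guest-level data (event logs, performance counters, crash dumps) needs the
# diagnostics extension.
Get-AzMetric -ResourceId $vm.Id -MetricName "Percentage CPU" -TimeGrain 00:05:00 `
    -StartTime (Get-Date).AddHours(-1) -EndTime (Get-Date) -AggregationType Average |
    ForEach-Object { $_.Data | Select-Object TimeStamp, Average }

# Condition: average CPU > 80 over the evaluation window.
$condition = New-AzMetricAlertRuleV2Criteria -MetricName "Percentage CPU" `
    -MetricNamespace "Microsoft.Compute/virtualMachines" `
    -TimeAggregation Average -Operator GreaterThan -Threshold 80

# The action group holds the e-mail receiver. This is a consumer-side alert about
# your own resource, unlike Service Health, which reports provider-side incidents.
$ag = Get-AzActionGroup -ResourceGroupName $rg -Name "ag-oncall"

# WindowSize is the period evaluated, Frequency how often it is evaluated.
New-AzMetricAlertRuleV2 -Name "vm-payments-01-high-cpu" -ResourceGroupName $rg `
    -TargetResourceId $vm.Id -Condition $condition `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 2 `
    -ActionGroupId $ag.Id `
    -Description "Average CPU above 80% for 5 minutes" | Out-Null
```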
Extra topics
• Azure Cloud Adoption Framework
– Azure Cloud Adoption Framework defines strategy as: define business justification and the expected outcome
– Azure Cloud Adoption Framework defines plan as: align actionable adoption plans with business outcomes
– Azure Cloud Adoption Framework defines ready as: prepare the cloud environment for the planned changes
– Azure Cloud Adoption Framework defines innovate as: develop new cloud-native or hybrid solutions
• Azure Application Security Group
– Application Security Groups organize similar servers so you can easily define and implement security policies for those groups
– Application Security Groups let you apply security to the group as a whole
– Application Security Groups do not by themselves allow or block connections to all servers running instances of the same service
– Application Security Groups do not let you control user access to serverless apps
– Application Security Groups work on server apps only
– Application Security Groups do not let you define templates for rapid deployment
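The Application Security Group points above, as an added Azure PowerShell (Az module) example that is not from the notes or from Microsoft. It assumes Connect-AzAccount has been run and that the resource group, VNet, subnet and NIC named below (placeholders) exist in the same region. Two ASGs group web and database servers; the NSG rules reference the groups rather than IP addresses, and a NIC is made a member of the web group so it inherits those rules.

```powershell
# Added example (not part of the original notes): group web and database NICs with
# Application Security Groups and write NSG rules that reference the groups instead of
# IP addresses. Assumes Connect-AzAccount; names are placeholders, NIC and VNet must exist.
$rg  = "rg-app-demo"
$loc = "eastus"

$asgWeb = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name "asg-web" -Location $loc
$asgDb  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name "asg-db"  -Location $loc

# The ASG itself allows nothing; the NSG rules below decide what is permitted.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name "allow-https-to-web" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationApplicationSecurityGroupId $asgWeb.Id -DestinationPortRange 443

# Only members of asg-web may reach SQL on members of asg-db.
$allowSql = New-AzNetworkSecurityRuleConfig -Name "allow-sql-from-web" -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceApplicationSecurityGroupId $asgWeb.Id -SourcePortRange "*" `
    -DestinationApplicationSecurityGroupId $asgDb.Id -DestinationPortRange 1433

# Everything else to the database group is denied ahead of the default rules.
$denyDb = New-AzNetworkSecurityRuleConfig -Name "deny-other-to-db" -Priority 120 `
    -Direction Inbound -Access Deny -Protocol "*" `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationApplicationSecurityGroupId $asgDb.Id -DestinationPortRange "*"

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-app" -Location $loc `
    -SecurityRules $allowHttps, $allowSql, $denyDb

# Associate the NSG with the subnet that hosts both tiers.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-app"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "app" -AddressPrefix "10.0.1.0/24" `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Membership is set on the NIC's IP configuration; a new web server joins asg-web and
# inherits the rules without any rule being edited.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "nic-web-01"
Set-AzNetworkInterfaceIpConfig -Name $nic.IpConfigurations[0].Name -NetworkInterface $nic `
    -ApplicationSecurityGroup $asgWeb | Set-AzNetworkInterface | Out-Null
```

The rules name roles (web, db) rather than addresses, so scaling a tier out or replacing a server changes group membership only, and the allow/deny decisions stay in one reviewable place.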
• Cloud Bursting
– Cloud bursting is used on hybrid clouds
– Cloud bursting is used when a hybrid cloud is composed of public cloud + on-premises
– Cloud bursting provisions public cloud resources when on-premises reaches 100% resource capacity
– Cloud bursting is used to absorb increased workload from on-premises
• Azure Spot Instances (Azure Spot VM)
– Azure Spot VM instances can help reduce costs by using unused capacity
– Azure Spot VM instances do not guarantee compute resources at a specific time
– Azure Spot VM instances are a great fit for batch or asynchronous processes that are not critical or urgent and can run at an unspecified time
• Azure DDoS Protection
– Azure DDoS Protection BASIC is enabled by default
– Azure DDoS Protection STANDARD is NOT enabled by default
– Azure DDoS Protection STANDARD provides more protection than Basic
– Azure DDoS Protection STANDARD incurs an additional charge to the subscription
– Azure DDoS Protection STANDARD protects against volumetric, protocol and application-layer attacks
– VNets from multiple subscriptions can link to the same Azure DDoS plan
– Azure DDoS Protection is provided for load balancers, Azure Application Gateway and Azure Service Fabric instances with a public IP address
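Enabling the paid tier, as an added Azure PowerShell (Az module) example that is not from the notes or from Microsoft. It assumes Connect-AzAccount has been run and that the resource group and VNet named below (placeholders) exist. It creates a DDoS protection plan, attaches an existing VNet to it, and lists which VNets the plan protects.

```powershell
# Added example (not part of the original notes): create a DDoS Protection plan and
# attach an existing VNet to it. Assumes Connect-AzAccount; names are placeholders.
$rg   = "rg-network-demo"
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name "ddos-plan-prod" -Location "eastus"

# Basic protection is always on at the platform level and needs no configuration.
# Enabling a plan on a VNet is what turns on the paid Standard tier for the
# public IP addresses inside that VNet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-eastus"
$vnet.DdosProtectionPlan    = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection  = $true
$vnet | Set-AzVirtualNetwork | Out-Null

# The plan tracks every VNet linked to it; VNets in other subscriptions of the same
# tenant link by referencing the same plan ID.
Get-AzDdosProtectionPlan -ResourceGroupName $rg -Name "ddos-plan-prod" |
    Select-Object Name, ProvisioningState, @{n="LinkedVNets"; e={ $_.VirtualNetworks.Id }}
```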
Old writing, but still relevant (pt-br)
- Describe Cloud Concepts (20-25%)
- Describe Core Azure Services (15-20%)
- Describe the core Azure architectural components
- Describe core resources available in Azure
- Describe the benefits and usage of Virtual Machines, Azure App Services, Azure Container Instances (ACI), Azure Kubernetes Service (AKS), and Windows Virtual Desktop
- Describe the benefits and usage of Virtual Networks, VPN Gateway, Virtual Network peering, and ExpressRoute
- Describe the benefits and usage of Container (Blob) Storage, Disk Storage, File Storage, and storage tiers
- Describe the benefits and usage of Cosmos DB, Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and SQL Managed Instance
- Describe the benefits and usage of Azure Marketplace