az-900 Lessons

In this lesson, we explain what cloud computing is (and what it is not) using a simple definition you can reuse. We also cover the five essential characteristics that distinguish cloud computing from “just using the internet.” By the end, you should be able to recognize cloud scenarios quickly and avoid the most common misunderstandings.

The shared responsibility model explains how cloud responsibilities are split between Microsoft and you. Microsoft is responsible for **security of the cloud** (the Azure platform and infrastructure), while you are responsible for **security in the cloud** (how you configure and use what you deploy). This split changes depending on whether you use Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

Public, private, and hybrid cloud deployment models fit different constraints. In this lesson, you’ll learn simple rules of thumb for choosing a model based on scaling needs, cost, control, compliance, and existing on-premises systems. You’ll also practice explaining your choice clearly from a short scenario.

High availability is about keeping an application accessible when failures happen. Scalability is about handling demand changes by adding or removing resources. In this lesson, you’ll learn how to tell “failure problems” from “demand problems,” and how cloud makes both easier when you design for them.

Reliability is the ability of a system to recover from failures and continue to function. Predictability is the ability to plan for more consistent performance and costs over time. This lesson explains both ideas, how they relate to high availability and scalability, and what you still need to design and configure to get these benefits.

Cloud platforms provide built-in capabilities that can help you apply security controls more consistently and spot problems faster. Governance is how you set guardrails (standards and rules) so teams create and operate resources in an approved, repeatable way. This lesson clarifies the difference between security and governance and explains the shared responsibility model so you know what the cloud provider handles and what you still own.

Manageability in the cloud means you can deploy, operate, and update resources in more consistent and repeatable ways. It shows up in two areas: managing your resources (automation, monitoring, and replacement) and the ways you manage them (portal, command line, APIs, and PowerShell). This lesson explains both and the common tools used in Azure.

Infrastructure as a Service (IaaS) is a cloud service model where you rent basic infrastructure—servers, storage, and networking—and keep significant control over how it runs. The cloud provider maintains the physical datacenter, hardware, and physical security, while you manage the operating system (OS), configuration, and what you deploy on top. This lesson helps you recognize IaaS in real situations and separate it from Platform as a Service (PaaS) and Software as a Service (SaaS).

Platform as a Service (PaaS) is a cloud model where the provider runs the platform for you, and you focus on your application. You deploy code to a managed environment without managing servers or patching the Operating System (OS). This lesson explains what PaaS means, what you still own, and how to tell PaaS apart from Infrastructure as a Service (IaaS) and Software as a Service (SaaS).

Software as a Service (SaaS) is a cloud service model where you use a finished application that runs on the cloud provider’s infrastructure. The provider operates the service (including updates and patching), while you focus on your users, the devices that connect, and the data you put into the app. This lesson helps you recognize SaaS and distinguish it from Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

This lesson helps you choose between Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) based on what a workload needs. You will use a simple mental model: how much control you need versus how much operational work you want the provider to handle. You will also learn how service types differ from deployment models (public, private, hybrid).

In this lesson, you learn what an Azure region is, why Microsoft pairs many regions, and what “sovereign” regions (sovereign clouds) mean. You will also learn the difference between a region, a geography, and an availability zone, so you don’t mix them up. The goal is to help you reason about latency, resilience, and data residency at a high level.

In this lesson, you will learn what Azure Availability Zones are and why they exist. You will understand how zones relate to regions, what problems zones solve (datacenter-level failures), and what you must do to benefit from them. You will also learn how zones differ from availability sets.

In this lesson, you’ll learn what an Azure datacenter is and how it connects to regions and availability zones. You’ll also learn why Azure usually asks you to choose a region, not a specific building. Finally, you’ll understand (at a high level) why redundancy and physical security matter in datacenter design.

An **Azure resource** is a manageable item in Azure, like a Virtual Machine (VM) or a storage account. A **resource group** is a logical container that helps you manage related resources together. You’ll also learn how Azure Resource Manager (ARM) treats resource groups as a management scope for organizing, controlling access, and applying governance—plus what really happens when a resource group is deleted.

This lesson explains what an Azure subscription is and why it exists. You’ll learn how subscriptions fit into Azure’s scope hierarchy and how they relate to identity (Microsoft Entra ID) and cost tracking. You’ll also see practical reasons teams use multiple subscriptions.

Azure management groups help me apply the same governance rules across multiple Azure subscriptions. They sit above subscriptions in the scope hierarchy, so policies and access assignments can inherit down the tree. In this lesson, I’ll focus on what management groups are, how inheritance works, and the common “oops” moments that happen when you assign things too high.

In this lesson, you’ll learn how Azure organizes resources using a simple hierarchy of scopes. You’ll understand what each level is mainly used for (governance, boundaries for management, and lifecycle organization). You’ll also see how access and governance settings can inherit from higher scopes to lower ones.

In this lesson, you’ll compare three common Azure compute models: virtual machines, containers, and serverless functions. You’ll learn what you control in each model, what Azure manages for you, and when each option is a natural fit. You’ll also see how scaling and billing tend to differ so you can pick the right tool for a workload.

In this lesson, you’ll compare the main “VM-based” choices in Azure and the specific problem each one solves. You’ll see the difference between a single Azure Virtual Machine (VM), Azure Virtual Machine Scale Sets (VMSS), and availability sets. You’ll also learn when Azure Virtual Desktop (AVD) is the right fit because the goal is end-user desktops and apps, not general server compute.

When I create an Azure Virtual Machine (VM), I’m really creating a small set of connected resources, not one “all-in-one” object. This lesson explains the core building blocks—compute, storage, and networking—and what’s optional based on connectivity needs. I’ll also clarify why a VM is only reachable from the internet if I explicitly configure a public endpoint and allow inbound traffic.

In this lesson, you’ll compare three common Azure hosting options: web apps, containers, and virtual machines. You’ll learn what each option is best at and what you’re responsible for managing in each model. By the end, you’ll be able to match a simple requirement (like “no OS management” or “must control the OS”) to the right hosting choice.

In this lesson, you’ll learn the core Azure virtual networking building blocks and what each one is for. You’ll understand how an Azure Virtual Network (VNet) and subnets create private address spaces and segmentation. You’ll also learn how name resolution (Domain Name System (DNS)) differs from connectivity options such as peering, Azure VPN Gateway, and Azure ExpressRoute.

An endpoint is the network entry point (usually a hostname) your app uses to reach an Azure service. A **public endpoint** is reachable over the public internet, while a **private endpoint** gives the service a private IP address inside your **Virtual Network (VNet)** using **Azure Private Link**. In this lesson, you’ll learn how to tell them apart, what DNS changes to expect, and how to choose the right option for a real scenario.

Azure has multiple storage services because “storage” isn’t one thing: it depends on how you read and write data. In this lesson, I compare Blob Storage, Azure Files, Queue Storage, Table Storage, and Azure managed disks. The goal is to pick the service that matches your data shape (objects, files, messages, entities, or blocks) and your access pattern.

Access tiers in Azure Blob Storage help me control cost by matching storage to how often I read the data. Hot, Cool, and Cold are “online” tiers (immediate access), while Archive is “offline” and typically requires rehydration before I can read the data. The key is balancing storage price with transaction, retrieval, and early deletion costs.

In this lesson, I explain what “redundancy” means in Azure Storage and why it matters for durability and availability. I compare the main redundancy models (within one datacenter, across availability zones, and across regions) and when each one is a good fit. I also clarify the difference between redundancy and backup, and what “read-access” means for geo-redundant options.

In this lesson, I explain what an Azure storage account is and why it’s the starting point for many Azure Storage services. I then map common needs (objects, file shares, messages, simple Not Only SQL (NoSQL) records) to the right storage service. Finally, I separate “which service do I need?” from “how do I configure the account?” so I don’t paint myself into a corner later.

When I say “move files to Azure,” I’m usually doing one of three jobs: a one-time transfer, interactive management, or ongoing synchronization. This lesson compares three Microsoft tools that map cleanly to those jobs: AzCopy, Azure Storage Explorer, and Azure File Sync. The goal is to pick the simplest tool that matches the workflow I actually need.

Migrating to Azure usually has two parts: understanding what I have, and then moving it. Azure Migrate helps me discover, assess, and track migrations. Azure Data Box helps me move very large datasets when uploading over the network isn’t realistic.

In this lesson, I compare Microsoft Entra ID and Microsoft Entra Domain Services. I’ll learn what each service is for and how they relate to Active Directory Domain Services (AD DS). I’ll also practice choosing the right service based on what an app or workload *expects*.

In this lesson, you’ll learn how Microsoft Entra ID handles sign-ins and how to tell apart Single Sign-On (SSO), multifactor authentication (MFA), and passwordless authentication. You’ll see what problem each one solves and how they’re commonly combined. By the end, you should be able to pick the right approach from a short real-world scenario.

In this lesson, you’ll learn what “external identities” means in Azure and why you usually don’t want to create full internal employee accounts for every outside person. You’ll see the difference between Business-to-Business (B2B) collaboration (partners/guests) and Business-to-Customer (B2C) customer sign-in for public apps. You’ll also learn the key mindset: “external” still needs strong access control and regular review.

In this lesson, you learn what Microsoft Entra Conditional Access is and why it matters for securing access to cloud apps. You’ll see how it evaluates sign-in context (signals) and then enforces an outcome (controls), such as requiring extra verification or blocking access. You’ll also connect it to Zero Trust: don’t assume a sign-in is safe just because it “looks normal.”

Azure role-based access control (Azure RBAC) is Azure’s main way to manage **authorization** (permissions) for resources. It works by creating **role assignments** that combine **who** (a security principal), **what** (a role definition), and **where** (a scope). In this lesson, you’ll practice choosing the smallest scope and the most specific role to follow least privilege. You’ll also see where RBAC ends and where sign-in controls (like Conditional Access) and governance controls (like Azure Policy and resource locks) take over.

In this lesson, you’ll learn what the Zero Trust security model is (and what it is not). You’ll learn the three guiding principles—verify explicitly, use least privilege, and assume breach—and how they change day-to-day access decisions. You’ll also see why “inside the corporate network” is not treated as automatic trust.

Defense in depth means you protect your environment using multiple layers of security, not one “magic” control. If one layer fails or gets bypassed, other layers still reduce damage and slow the attacker down. In Azure, this model is commonly explained using a set of layers that surround the data you’re trying to protect.

Microsoft Defender for Cloud helps you improve your cloud security posture and protect workloads from threats. It gives you **recommendations** to reduce risk (for example, by fixing insecure configurations) and **security alerts** when suspicious activity is detected. It can also cover hybrid and multi-cloud environments when you connect them.

Azure costs are mainly driven by **what you deploy**, **how much you use it**, and **where it runs**. The same service can have different prices based on region, service tier, and usage pattern (for example, running 24/7 vs. only during business hours). Discounts and purchasing options (like reservations, savings plans, and Azure Hybrid Benefit) can reduce costs when your usage is predictable.

In this lesson, I show you what the Azure Pricing Calculator is and when you should use it. You’ll learn how to create a more realistic estimate by setting the right configuration inputs (region, tier/size, and monthly usage) and by including the major cost components. You’ll also learn why estimates and real charges often differ after deployment.

Azure Cost Management helps you understand where your cloud money goes and spot changes early. You can analyze costs, set budgets and alerts, export data for reporting, and review cost-saving recommendations. You’ll also learn why Cost Management totals and invoices don’t always match perfectly.

zure tags are key/value labels you attach to resources to make them easier to organize and report on. Used consistently, tags help you filter resources and allocate costs without changing your resource hierarchy. Tags are metadata only: they don’t enforce access, and they don’t automatically propagate from a resource group to every resource inside it.

Microsoft Purview helps organizations **understand, find, and govern their data** by organizing information *about* that data (metadata). It can scan connected data sources to build a searchable catalog and help classify data to support governance and compliance work. Purview does **not** store your business data or run analytics jobs; it helps you manage the *visibility and governance* of data that already lives elsewhere.

In this lesson, you’ll learn what Azure Policy is and why it’s used for governance and compliance in Azure. You’ll see how policy scope and assignments determine where rules apply, and how compliance is evaluated. You’ll also learn how Azure Policy differs from Azure role-based access control (RBAC).

Azure resource locks help you protect important resources from accidental deletion or unwanted changes. You’ll learn the two lock types and what actions each one blocks. You’ll also see where locks apply (scope and inheritance) and how they differ from Azure role-based access control (Azure RBAC).

In this lesson, I explain what the Azure portal is and what you typically use it for. You’ll learn how it relates to Azure Resource Manager (ARM) and how it compares to tools like Azure CLI and Azure PowerShell. I’ll also cover why portal access must be treated as real production access.

In this lesson, you’ll learn what Azure Cloud Shell is and why it’s useful. You’ll also learn how Azure Command-Line Interface (CLI) and Azure PowerShell relate to Cloud Shell. By the end, you’ll be able to choose the right option based on whether you need a quick browser session or a local setup.

Azure Arc helps you manage and govern resources that run outside Azure (on-premises, edge, or in other clouds) using familiar Azure tools. It does this by connecting those resources to Azure and representing them in Azure Resource Manager (ARM). The key idea: Arc is about **management and governance**, not “a new place to run your workloads.”

Infrastructure as Code (IaC) means defining your cloud infrastructure in machine-readable files instead of setting it up manually in the portal. Those files help you deploy the same environment repeatedly with fewer “surprises” between development, test, and production. In Azure, common IaC options are Azure Resource Manager (ARM) templates (JSON) and Bicep.

In this lesson, I explain what Azure Resource Manager (ARM) is and why most Azure management actions go through it. Then I explain what an Azure Resource Manager template (ARM template) is and why “declarative” templates help you deploy the same environment consistently. You’ll leave with a simple mental model: **tools send requests, ARM processes them, templates describe the desired end state**.

Azure Advisor helps you optimize your Azure resources by analyzing your resource configuration and usage telemetry, then surfacing best-practice guidance. It groups guidance into five categories: Reliability, Security, Performance, Cost, and Operational Excellence. Advisor tells you *what to improve*; you still decide *what to change* and when.

Azure Service Health helps you see Azure platform events that could affect your subscriptions, services, and regions. You’ll learn how it differs from the public Azure Status page (global view) and Azure Monitor (your resource and app telemetry). You’ll also learn how to set up alerts so you get notified automatically when incidents, maintenance, or advisories impact you.

Azure Monitor is Azure’s service for collecting, analyzing, and acting on monitoring data from Azure and non-Azure environments. You use it to understand health and performance using metrics, logs, and distributed traces. In this lesson, you’ll see where Log Analytics fits, how Azure Monitor alerts notify you automatically, and what Application Insights adds for application performance monitoring.