Sign in Subscribe

Azure Fundamentals: Mastering Identity, Governance, Privacy & Compliance for AZ-900 (A Mentor’s Guide)

Azure Fundamentals: Mastering Identity, Governance, Privacy & Compliance for AZ-900 (A Mentor’s Guide)

So, maybe you're gearing up for the AZ-900 exam, or honestly, maybe you just want to finally get how all the security, compliance, and governance stuff works in Azure without feeling lost—if that's you, you're in exactly the right place. Having spent over 15 years wrangling security and compliance for all kinds of organizations, I can tell you—getting a solid grip on these concepts isn’t just a box to tick for the exam. It’s absolutely crucial if you want to actually make good decisions in the real-world cloud (and, of course, to pass that test). We're about to roll up our sleeves and dive into the practical, hands-on side of Azure identity, governance, privacy, and compliance—stuff you absolutely need for the AZ-900, but that’ll also serve you every day on the job. We’ll get into everything—from real hands-on labs and common troubleshooting headaches, to policies and what Zero Trust really looks like—so by the end of this, you’ll go from “fingers crossed we’re secure” to actually running the show with confidence in Azure.

Note: As of July 2023, Azure Active Directory (Azure AD) is now called Microsoft Entra ID. You’ll see both names in documentation and on the exam. Also, “Azure Security Center” is now Microsoft Defender for Cloud, and Azure Blueprints is being retired (see governance section for alternatives).

Why Identity, Governance, Privacy & Compliance Matter—A Real-World Perspective

Let’s start with a story. I once helped a hospital migrate sensitive patient data to Azure. The hardest part wasn’t moving the data—it was ensuring only authorized access, maintaining HIPAA compliance, and being able to prove it to auditors. We needed airtight identity, granular governance, and automated compliance checks. Azure handed us all the gadgets and buttons we needed, but, honestly, what really made things click was figuring out not just what knobs to turn—but actually understanding why each setting mattered so much. That ‘why’ behind the technology? That’s where the real magic (and security) comes from. Doesn’t matter if you’re cramming for the AZ-900 exam or already knee-deep in production workloads—these are exactly the kind of skills you’ll keep coming back to, over and over. Trust me, you’ll be glad you know them.

Let’s break down Azure Identity in plain English: Who are you in the cloud, and how do you actually show Azure you’re the real deal?

Identity is the cornerstone of Azure security. Microsoft Entra ID (formerly Azure AD) manages identities—users, groups, devices, service principals—across your Azure estate. Think of it as your security gatekeeper, directory service, and central authentication authority.

  • Tenants: An isolated, dedicated directory for your organization. Like your company’s private slice of the cloud identity pie.
  • Users: Humans or applications needing access. Can be internal, guests (B2B), or service accounts.
  • Groups: Logical collections of users/devices for simplified management. Always attach your roles and policies to groups instead of handing them out to every single person one by one—it’ll save you a ton of headaches as things scale.
  • Devices: Registered computers, phones, or tablets for device-based security controls and Conditional Access.
  • Service Principals & Managed Identities: Secure, cloud-native identities for apps/services needing to access Azure resources without managing credentials. Managed Identities simplify secure app authentication.

Single Sign-On (SSO): Lets users access multiple resources after a single authentication. With Microsoft Entra ID (yep, it used to be called Azure AD), SSO isn’t just for Azure or Microsoft 365—you can hook it up to a bunch of different SaaS apps too. Makes life so much easier when you’re dealing with a whole ecosystem of tools. It’s a game-changer—way fewer passwords for folks to remember (which means fewer sticky notes on desks... you know the ones).

Federation/External Identities: Integrate on-premises directories (via Azure AD Connect) or third-party IdPs (SAML, OAuth). This is the secret sauce for making hybrid identity work and pulling off effortless B2B collaboration. Seriously—if you’ve ever had to wrangle access for contractors or partners (or connect a wild mix of systems), you know how much of a relief this can be.

Authentication vs. Authorization: Authentication proves your identity (like a driver’s license at the door); authorization determines what you’re allowed to do (VIP lounge, bar, or just the lobby?). Seriously—don’t get those two mixed up! It trips up a lot of folks starting out. Trust me, that’s a classic rookie mistake.

Multi-Factor Authentication (MFA) & Passwordless: Passwords are weak. When you turn on MFA, you’re basically making sure there’s a second lock on the door—like an app prompt, SMS code, or security key—and that alone stops well over 99% of the usual break-in attempts. Microsoft also recommends passwordless sign-in (e.g., Microsoft Authenticator, FIDO2 keys) for even stronger security. I’ve seen phishing attempts stopped cold by MFA—one simple control that saves endless headaches.

Conditional Access: Azure’s policy engine for automated, risk-aware access decisions. You can require MFA for admins, block risky logins from unfamiliar locations, or allow access only from compliant devices. Example: “If user signs in from outside the country, require MFA and block access to sensitive apps.” This is a must-know for the exam and real life.

Identity Protection: Uses AI to detect risky sign-ins or compromised accounts, and can trigger Conditional Access policies in response. It’s like having a security guard for your digital identity, always on the lookout.

Privileged Identity Management (PIM): Just-in-time (JIT) access for high-privilege roles. Instead of permanent admin rights (a big security risk), users “activate” privileges when needed, with approval, MFA, and automatic timeouts. I always recommend PIM for organizations with multiple admins.

Lifecycle Management: Automate user provisioning, deprovisioning, and access reviews. That way, only the right, current folks have access to what they should—no more awkward moments when you discover an ex-employee still has admin powers months after they left.”

Managed Identities: Letting Your Apps Log In—Without Password Drama

With managed identities—whether they’re system-assigned or user-assigned—you can let your Azure VMs, Functions, Logic Apps (basically, your cloud resources) talk to other Azure services like Key Vault or Storage, and you don’t have to juggle any secrets or passwords. The system does all the magic for you. Honestly, I wouldn’t build any serious automation or modern app in the cloud without managed identities. It just takes so much pain and risk out of the equation.

az vm identity assign --name MyVM --resource-group MyRG az keyvault set-policy -n MyKeyVault --object-id  --secret-permissions get

Common ID & Access Troubleshooting

  • Access Denied: Check group membership, RBAC scope, and role assignment. Is Conditional Access blocking login?
  • MFA Enrollment Issues: Ensure registration policies are configured, and review user sign-in logs for errors.
  • Hybrid Identity Sync Problems: Use Azure AD Connect Health dashboard for diagnostics.

Access Control and Authorization—Letting the Right People Do the Right Things

Role-Based Access Control (RBAC): Azure’s core authorization model. Assign roles (built-in or custom) at the right scope to follow principle of least privilege.

  • Built-in Roles: Owner (full control), Contributor (can manage but not assign roles), Reader (view only), User Access Administrator, and many service-specific roles (e.g., Virtual Machine Contributor).
  • Custom Roles: Define granular permissions using JSON. Example: Allow users to restart VMs, but not delete them. Custom roles help match your business’s unique security needs.
    { "Name": "VM Restarter", "Actions": [ "Microsoft.Compute/virtualMachines/restart/action" ], "AssignableScopes": [ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}" ] }  Assign via Portal, CLI, ARM, or Bicep.
  • Scopes: Management group > Subscription > Resource Group > Resource. Always assign at the narrowest scope necessary.

Assigning RBAC Roles: Example
Automate role assignment using CLI:

az role assignment create --assignee user@contoso.com --role "Virtual Machine Contributor" --resource-group MyRG // Quick CLI way to put someone in charge of VMs just in this one resource group You can hand out roles to people, groups, or even those special service principals—so you’re not stuck managing a zillion individual permissions. You must have User Access Admin or Owner rights at the relevant scope.

RBAC Troubleshooting: If a user can’t access a resource, check:

  • Are they assigned the right role at the right scope?
  • Do inherited roles conflict or overlap?
  • Is a Deny assignment or Policy blocking access?

Tip: Use the “Check Access” feature in the Azure Portal on any resource to diagnose access issues.

Advanced: ARM/Bicep for Role Assignment

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = { name: guid(resourceGroup().id, 'VMContributor', user.objectId) properties: { roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // That giant string? It’s just Azure’s way of giving each role its own unique ‘barcode’ so there’s no mix-up. principalId: user.objectId scope: resourceGroup().id } }

Governance in Azure—Keeping Chaos in Check

Governance is your control system for Azure sprawl. Good governance is really your safety net—it’s what stops your Azure environment from turning into the Wild West as you add more projects, teams, and resources. Really, governance is just making sure everything stays locked down, compliant, and—honestly—doesn’t run away with your budget while you’re not looking.

Management Hierarchy

Management Groups └── Subscriptions └── Resource Groups └── Resources (think VMs, databases, storage accounts—basically, the building blocks that actually do the work)

Management Groups: Organize subscriptions by business unit, region, or compliance boundary. And here’s the best part—once your management groups are set up, you can apply policies and access rules across everything in one shot, instead of painstakingly repeating the same steps for every single subscription.

Azure Lighthouse: For service providers or multi-tenant governance, Azure Lighthouse enables secure, cross-tenant management.

Azure Policy—Automated Guardrails

Azure Policy enforces organizational standards with rules that can audit, deny, append, modify, or deployIfNotExists resources. Example effects:

  • Deny: Block non-compliant resource creation (e.g., unapproved VM size).
  • Audit: Flag non-compliant resources but allow deployment.
  • Append: Add tags or properties.
  • DeployIfNotExists: Automatically deploy supporting resources (e.g., log analytics workspace).
  • Modify: Change existing resources to comply (e.g., enforce encryption settings).

Remediation Tasks: Use policy remediation to bring existing resources into compliance after policy assignment.

Custom Policies: Define your own rules in JSON. Example: Only allow storage accounts with HTTPS enforced.

{ "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" } ] }, "then": { "effect": "deny" } }

Policy Troubleshooting: Use compliance blade in the portal, or query “policyEvents” in Log Analytics for deployment failures or non-compliance.

Performance: Assigning too many policies at high scopes (e.g., management group) can slow down deployments. Review policy assignment hierarchy for efficiency.

Azure Blueprints (Retiring) & Alternatives

Note: Azure Blueprints is being retired (retirement planned for July 2026). For new deployments, use Azure Policy, ARM/Bicep templates, and Azure Landing Zones (from the Cloud Adoption Framework) to automate compliant environments. The cool thing is, these tools mean you can turn your whole resource structure—plus all your policies and permissions—into code. That way, you can crank out secure and compliant environments with the push of a button, every time.

Resource Locks—Preventing Accidental Changes

  • ReadOnly: Prevents modification/deletion, but allows resource listing and reading properties.
  • Delete: Prevents deletion, allows updates.

Resource locks are vital for production databases and critical infrastructure. Always confirm which lock types are appropriate for each resource.

Resource Tagging & Cost Management

Tags are just labels—think of them as sticky notes you slap on resources to keep track of who owns what, which department pays for it, or what it’s for. Example: Tag all resources with Environment=Production and CostCenter=Finance for reporting and policy enforcement.

Azure Cost Management and Billing tools leverage tags to help you analyze spend and optimize resource allocation.

Security Baselines & Cloud Adoption Framework

There’s some really thorough documentation from Microsoft on Azure Security Baselines and the Cloud Adoption Framework, and honestly, if you need a blueprint for building a rock-solid, compliant Azure environment, that’s where you start.

Zero Trust Security in Azure

Zero Trust is a security model built on three principles: verify explicitly (always authenticate and authorize), least privilege access (limit access to what’s needed), and assume breach (design as if attackers are already in). For Azure, that means layering on Conditional Access, turning on MFA, leveraging PIM, putting up Network Security Groups, using Just-in-Time VM access, and—seriously—monitoring everything, everywhere. Gone are the days of 'I’ve got a firewall so I’m good.'

Zero Trust Implementation Example: A company shifts from open on-premises access to Zero Trust by:

  • Enforcing MFA and Conditional Access for all users
  • Using PIM for admin roles
  • Applying NSGs and Azure Firewall to restrict network flow
  • Monitoring everything with Microsoft Defender for Cloud and Sentinel

Monitoring, Auditing & Security Posture—Staying One Step Ahead

Continuous monitoring gives you visibility and control. Azure’s security and audit tooling includes:

  • Microsoft Defender for Cloud: (formerly Azure Security Center) Unified security management and threat protection for workloads. It’s always on the lookout—scanning your environment for problems, handing you a punch list of what to fix, and showing you exactly where you stand when it comes to security and compliance.
  • Azure Monitor & Log Analytics: Collects and analyzes telemetry, logs, and metrics across Azure resources for troubleshooting, performance, and alerting.
  • Azure Activity Logs: Audit every control plane operation (who did what, where, and when) for tracking changes and incident response.
  • Microsoft Sentinel: Cloud-native SIEM (Security Information and Event Management). Sentinel pulls in logs from all over—the cloud, your old on-prem servers, even other cloud providers—so you can really dig into threat hunting, connect the dots, even kick off automatic fixes. You’ll spend a lot less time running in circles or playing catch-up.

Incident Response: Set up alerts in Defender for Cloud and Sentinel to detect suspicious activity (e.g., mass deletion, privilege escalation). And with playbooks, you can actually automate the cleanup—so you’re not scrambling at 2am because something slipped through.

Monitoring Lab Example:

  1. In the Azure Portal, search for Defender for Cloud.
  2. Enable Defender plans for your subscription.
  3. Go through the security recommendations, and please, set up those email or SMS alerts for anything high-risk—you do not want to miss those.
  4. If you want to take it up a notch, hook into Microsoft Sentinel and really start hunting down threats and fine-tuning your incident response game.

Diagnostic: Setting Up Log Alerts

  1. Open Azure Monitor > Alerts > New Alert Rule
  2. Select a resource (e.g., Storage Account) and condition (e.g., “Delete Blob” event)
  3. Set action group (email, webhook, etc.)
  4. Validate alert with a test event

Privacy and Compliance in Azure

Look, these days, you just can’t afford to wing it when it comes to privacy and compliance—the cloud is no exception. Luckily, Microsoft has woven privacy and compliance right into Azure’s core, making it a lot easier to tick those boxes for things like GDPR, HIPAA, and all the other acronyms that keep us up at night.

Where Your Data Lives, Who Controls It, and How Sensitive It Really Is

  • Data Residency: Choose the Azure region where your data is stored, ensuring compliance with local regulations (e.g., GDPR, Australian Privacy Act).
  • Data Sovereignty: Some organizations require that only local authorities can access data; Azure’s regional boundaries support this.
  • Data Classification: Labeling data by sensitivity (Public, Confidential, Highly Confidential) using Azure Information Protection (AIP) enables automated controls and access policies. By the way, AIP plays nicely with Microsoft Purview, so you can manage everything from one place instead of jumping between ten portals.

Example: Automating Classification with AIP

  1. Admin sets up classification labels in AIP (e.g., Confidential, Internal).
  2. Users apply labels in Office apps or via auto-labeling policies.
  3. Once labeled, all your documents and emails get wrapped with the right encryption, DLP, and access controls—so you’re not relying on people to remember security rules.

Peeking Under the Hood: How Azure Keeps Your Data Locked Down

Encryption at Rest: Most Azure services enable encryption at rest by default using Microsoft-managed keys (e.g., Azure Storage Service Encryption, SQL Database Transparent Data Encryption). For advanced needs, configure Customer-Managed Keys via Azure Key Vault for full control.

Encryption in Transit: Enforced via HTTPS/TLS across Azure services. Just don’t take it for granted—always pop into the docs to see what’s default and what needs a little extra configuration.

Azure Key Vault Lab: Securely store secrets and keys, then permit only selected apps/users to access them.

az keyvault create --name MyKeyVault --resource-group MyRG --location westus // Super quick way to spin up a new vault az keyvault secret set --vault-name MyKeyVault --name "DbConnectionString" --value "Server=..." az keyvault set-policy --name MyKeyVault --spn  --secret-permissions get

Customer Lockbox: For regulated industries, Customer Lockbox requires explicit customer approval before Microsoft support engineers can access your data during a support incident.

Data Subject Rights (GDPR): Azure provides tools to help fulfill data subject requests for access, export, or deletion of personal data.

Data Loss Prevention (DLP): Integrate Azure Information Protection and Microsoft Purview DLP to automatically detect and block sharing of sensitive data.

Compliance Automation & Microsoft Purview Compliance Manager

Compliance Manager (part of Microsoft Purview) tracks your compliance status (e.g., GDPR, ISO 27001) across Microsoft 365, Azure, and Dynamics 365. It provides actionable improvement actions and evidence collection for audits.

  1. Access Compliance Manager via Microsoft Purview.
  2. Select your compliance standard (e.g., HIPAA).
  3. Review your compliance score and prioritized improvement actions.
  4. Upload evidence and track remediation tasks for audit readiness.

Service Trust Portal: Download audit reports, compliance guides, and certifications. Note: Some reports require Azure tenant admin privileges and an active subscription.

Shared Responsibility Model in Practice

|---------------------|-------------------------|----------------| | Service Type | Microsoft Manages | You Manage | |---------------------|-------------------------|----------------| | IaaS (VMs) | Physical, Host, Network | OS, Apps, Data | | PaaS (App Service) | Host, OS, Platform | App, Data | | SaaS (O365) | Everything but Data | Your Data | |---------------------|-------------------------|----------------|

Scenario: In IaaS, you patch your own VMs; in PaaS, Microsoft handles patching, you secure your app and data; in SaaS, you focus on configuring security settings and managing your data.

Tip: Review shared responsibility details for complex services (e.g., serverless, containers) as boundaries can vary.

Network Security Fundamentals

Securing Azure workloads requires robust network controls.

  • Network Security Groups (NSGs): Control inbound/outbound traffic to VMs or subnets. Define allow/deny rules by source, destination, port, and protocol.
  • Azure Firewall: Managed, scalable firewall as a service. Centralizes traffic filtering and logging for your Azure Virtual Network.
  • Private Endpoints: Securely connect to Azure services over a private IP address, eliminating exposure to the public internet.

Industry Scenarios and Case Studies—Bringing It All Together

  • MFA for Remote Workers (Finance): A regional bank enforced Conditional Access to require MFA for all users outside their corporate network. Outcome: Account compromise attempts dropped to zero, and regulatory auditors praised their controls.
  • VM Size Policy (R&D Firm): New developers were spinning up expensive, unnecessary VMs. With Azure Policy, only approved VM sizes could be used—reducing costs by 25% and keeping R&D projects within budget.
  • GDPR Compliance (Retailer): By using Azure regional data residency, Information Protection labels, and Purview DLP, a retailer proved to auditors that customer data never left the EU and access was tightly controlled. Passed audit with zero findings.
  • RBAC for Healthcare Admins: Only clinical staff could access patient data, while IT admins managed infrastructure. Implemented via Resource Group-level custom RBAC roles and access reviews in PIM—ensuring both privacy and operational efficiency.

Each scenario demonstrates how identity, governance, privacy, and compliance features map directly to real-world success.

Hands-on Labs & Practical Demos

Lab 1: Assign an RBAC Role in the Azure Portal

  1. Go to portal.azure.com and log in.
  2. Navigate to your Resource Group (e.g., “RG-DevTeam”).
  3. Click Access control (IAM).
  4. Click Add > Add role assignment.
  5. Select a role (e.g., ‘Contributor’). Click Next.
  6. Choose the assignee (user/group/service principal). Click Review + assign.

Tip: Double-check scope! Assigning at the wrong level can grant excessive access.

This process involves several key steps that work together to assign a role to a user or group within the Azure Portal, ensuring proper access control.

Lab 2: Create a Conditional Access Policy

  1. In the Azure Portal, search for Microsoft Entra ID (Azure AD).
  2. Click Security > Conditional Access.
  3. Click + New policy.
  4. Name your policy (e.g., “MFA for Admins”).
  5. Under Assignments, select Users or workload identities (e.g., “Directory roles > Global administrators”).
  6. Under Cloud apps or actions, select “All cloud apps”.
  7. Under Access controls > Grant, select “Require multi-factor authentication”.
  8. Set Enable policy to “On” and Create.

Test by logging in as an admin—MFA should be enforced automatically.

Lab 3: Create and Assign a Custom Azure Policy

  1. In the Azure Portal, search for Policy.
  2. Click Definitions > + Policy definition.
  3. Enter a name and paste your custom JSON policy (see example above).
  4. Assign the policy to a Subscription or Resource Group.
  5. Monitor compliance results and configure remediation tasks if needed.

This process involves defining a custom policy, assigning it, and monitoring compliance, ensuring resources adhere to organizational standards.

Lab 4: Access a Compliance Report in Service Trust Portal

  1. Open the Microsoft Service Trust Portal. Log in with an Azure tenant admin account.
  2. Click Compliance Reports.
  3. Search for “ISO 27001” or the relevant certification.
  4. Request/download reports for audit or internal review. Store securely.

Accessing compliance reports involves navigating the Service Trust Portal, searching for specific certifications, and securely storing the downloaded documentation for audits.

Lab 5: Azure Key Vault—Store and Access a Secret

  1. In the Portal, create a Key Vault.
  2. Add a secret (e.g., database connection string).
  3. Assign a managed identity to an Azure Function.
  4. Grant the managed identity access to the secret.
  5. In your function code, access the secret securely (no credentials in code).

CLI Quick Reference

az role assignment create --assignee user@contoso.com --role Reader --resource-group myResourceGroup az policy assignment create --policy "policyDefinitionId" --scope "/subscriptions/xxxxxxxx" az security pricing create --name VirtualMachines --tier Standard az monitor activity-log list --resource-group myResourceGroup --status Succeeded --operation-name "Delete Virtual Machine"

Common Pitfalls & Troubleshooting Tips

  • Over-Permissioning: Avoid assigning Owner at high scopes. Use least privilege and review access regularly.
  • MFA/Conditional Access Not Working: Check policy assignments, user groups, and ensure policies are enabled. Use sign-in logs to diagnose.
  • Policy Assignments Failing: Review JSON syntax, assignment scope, and permissions. Use “policyEvents” in Log Analytics for diagnostics.
  • Access Denied Errors: Use “Check Access” in the portal, verify RBAC and group memberships. Look for Deny assignments or conflicting policies.
  • Blueprints Deprecated: Don’t start new deployments with Blueprints. Use Policy, ARM/Bicep, and Landing Zones.
  • Compliance Reports Inaccessible: Ensure you have the right Azure admin role and a valid subscription.
  • Encryption Not Configured: Double-check encryption at rest/in transit for each service; enable Customer-Managed Keys where required.

Summary & Exam Tips—Tying It All Together

You’ve now got a comprehensive foundation for both the AZ-900 exam and practical Azure administration:

  • Understand Microsoft Entra ID (Azure AD) tenants, users, groups, managed identities, and SSO.
  • Master authentication, authorization, MFA, Conditional Access, and PIM.
  • Use RBAC (built-in/custom roles) and assign at the narrowest scope possible.
  • Automate compliance with Azure Policy, ARM/Bicep, tagging, and remediation tasks.
  • Monitor, audit, and respond with Microsoft Defender for Cloud, Azure Monitor, and Sentinel.
  • Classify, encrypt, and protect data using AIP, Purview, Key Vault, and DLP.
  • Apply Zero Trust principles everywhere—assume breach, verify explicitly, restrict by default.
  • Prepare for audits using Compliance Manager and Service Trust Portal resources.
  • Troubleshoot common issues using built-in diagnostics, logs, and access reviews.

Quick Reference Tables

RBAC Role Built-in Scope Common Use Case
Owner Any Full control, including access assignment. Use sparingly.
Contributor Any Manage resources, but cannot assign roles.
Reader Any View resources only.
User Access Admin Any Manage user/group access only.


Compliance Cert Industry Azure Feature Audit Evidence
GDPR General / EU Data residency, encryption, DSR support Service Trust Portal, Purview, AIP
HIPAA Healthcare (US) Key Vault, Customer Lockbox, DLP Compliance Manager, Trust Portal
ISO 27001 General Defender for Cloud, Policy, Logging Compliance Manager, Trust Portal

Practice Scenarios

  • Scenario: A contractor needs to manage VMs but not networking or billing.
    Answer: Assign “Virtual Machine Contributor” role at the Resource Group scope.
  • Scenario: Your company wants to block access to Azure from untrusted countries.
    Answer: Create a Conditional Access policy to block sign-ins from specified locations.
  • Scenario: You must ensure all storage accounts have encryption enabled.
    Answer: Assign a built-in or custom Azure Policy enforcing encryption at rest.

Exam Tips Checklist

  • Understand the difference between authentication and authorization.
  • Memorize key RBAC roles, scopes, and least privilege principle.
  • Practice hands-on labs in the Azure Portal and CLI.
  • Review the Shared Responsibility Model diagram.
  • Know major compliance certifications and how Azure features help achieve them.
  • Read up on Conditional Access, PIM, and managed identities—even if not all are tested in-depth, they’re foundational knowledge.
  • Use Microsoft Learn paths and practice exams (see resources below).

Knowledge Check

  • Which Azure service provides just-in-time access for privileged roles? Answer: Privileged Identity Management (PIM)
  • How do you enforce MFA for all users? Answer: Conditional Access policy in Microsoft Entra ID.
  • What tool would you use to classify and protect documents in Azure? Answer: Azure Information Protection (AIP)
  • Where do you find audit-ready compliance evidence? Answer: Microsoft Service Trust Portal
  • The official AZ-900 Exam Page provides the most current exam objectives and details.
  • Microsoft Learn – Azure Fundamentals Learning Path offers comprehensive, interactive modules for exam preparation.
  • Microsoft Tech Community & Learn Blog shares updates, tips, and community insights for Azure learners.
  • Practice exams from providers such as MeasureUp, Whizlabs, or Microsoft’s official sample questions offer realistic test simulations.
  • Community study groups, including those found on popular professional networking platforms or local user groups, can provide peer support and shared learning experiences.

Final Thought: AZ-900 is the beginning of your Azure journey—it’s about understanding the “why” and “how” of cloud security, governance, and compliance. Build muscle memory with hands-on labs, stay curious, and never hesitate to ask questions (the “dumb” ones are often the most important!). When you pass the exam, know you’ve built a foundation for a successful, secure cloud career. Good luck!