Notes to crack AZ-900 Certification

Ankit Agarwal
17 min read · Dec 23, 2020

I primarily focus on AI strategy and build Machine Learning based solutions for the clients. However, with the emergence of AI/ML on cloud, it is inevitable to delve into the world of cloud computing and Microsoft Azure is certainly one of the leaders. Hence I thought of beginning my journey in the Cloud world with Azure fundamentals.

AZ-900 Microsoft Azure Fundamentals: The Azure Fundamentals exam is an opportunity to prove knowledge of cloud concepts, Azure services, Azure workloads, security and privacy in Azure, as well as Azure pricing and support. Candidates should be familiar with general technology concepts, including concepts of networking, storage, compute, application support, and application development.

Here is the high-level breakdown of the skills assessed as part of this exam -

  • Describe cloud concepts (20–25%)
  • Describe core Azure services (15–20%)
  • Describe core solutions and management tools on Azure (10–15%)
  • Describe general security and network security features (10–15%)
  • Describe identity, governance, privacy, and compliance features (20–25%)
  • Describe Azure cost management and Service Level Agreements (10–15%)

While I would highly encourage readers to visit the Microsoft Certification website and read in detail about the areas that are assessed as part of this exam, I would also suggest setting up a free Azure account and doing some hands-on practice to gain good experience of the Azure environment.

Here are some notes that I prepared as part of my preparation for the Azure Fundamentals exam:

· A Content Delivery Network is a distributed network of servers that can efficiently deliver web content to users.

· Azure Queue Storage is a service for storing large numbers of messages. You access messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue message can be up to 64 KB in size. A queue may contain millions of messages, up to the total capacity limit of a storage account. Queues are commonly used to create a backlog of work to process asynchronously.

· When a resource lock is applied, you must first remove the lock in order to perform the blocked activity. Resource locks apply regardless of RBAC permissions. Even if you are an owner of the resource, you must still remove the lock before you’ll actually be able to perform the blocked activity.

· To make a virtual machine named VM1 accessible from the Internet over HTTP: configure the firewall and open the NSG port.

· Traffic Manager is used to distribute traffic at DNS level across different regions.

· Azure Government is a cloud environment specifically built to meet compliance and security requirements for US government. Azure Government uses physically isolated datacenters and networks (located in U.S. only).

· Azure AD Identity Protection “Identity Protection is a tool that allows organizations to accomplish three key tasks: Automate the detection and remediation of identity-based risks. Investigate risks using data in the portal. Export risk detection data to third-party utilities for further analysis.”

· Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services like Office 365 or Microsoft Intune.

· Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

· A key advantage of using Azure Active Directory (Azure AD) with Azure Blob storage or Queue storage is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform (formerly Azure AD). Azure AD authenticates the security principal (a user, group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Blob storage or Queue storage.

· Meeting regulatory compliance obligations and complying with all the requirements of benchmark standards can be a significant challenge in a cloud or hybrid environment. Identifying which assessments to perform, evaluating the status, and resolving the gaps can be a very daunting task. Azure Security Center (ASC) now helps streamline this process with the new regulatory compliance dashboard, which was recently released to public preview.

· An Azure Information Protection policy contains the following elements that you can configure:

#Which labels are included that let administrators and users classify (and optionally, protect) documents and emails.

#Title and tooltip for the Information Protection bar that users see in their Office applications.

#The option to set a default label as a starting point for classifying documents and emails.

#The option to enforce classification when users save documents and send emails.

#The option to prompt users to provide a reason when they select a label that has a lower sensitivity level than the original.

#The option to automatically label an email message, based on its attachments.

#The option to control whether the Information Protection bar is displayed in Office applications.

#The option to control whether the “Do Not Forward” button is displayed in Outlook.

#The option to let users specify their own permissions for documents.

#The option to provide a custom help link for users.

· Serverless Computing = Managed Service

Serverless computing enables developers to build applications faster by eliminating the need for them to manage infrastructure. With serverless applications, the cloud service provider automatically provisions, scales and manages the infrastructure required to run the code.

· Scale Set: Azure virtual machine scale sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Hence scale sets are used for scaling. So scale sets cannot be used for high availability if a single data center fails.

· FedRAMP : The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA), and to accelerate the adoption of secure cloud solutions by federal agencies.

· PCI DSS: Payment Card Industry (PCI) Data Security Standard (DSS). Designed to prevent fraud, PCI DSS is a global information security standard for protecting payment and cardholder data.

· ISO: The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world’s largest developer of voluntary international standards. ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. As a formal specification, it mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS.

· HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information.

· Management Groups provide organizations with the ability to manage the compliance of Azure resources across multiple subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group. Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls. For more information on management groups, see Organize your resources with Azure management groups.

· Azure policies: Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. This is used to help compliance of multiple resources within a subscription.

· Azure Active Directory is a completely managed service. You don’t need to provision any infrastructure to implement Azure Active Directory.

· Microsoft guarantees at least 99.9% availability of the Azure Active Directory Basic and Premier.

· Virtual Machine is Infrastructure as a Service (IaaS)

· SQL Server is PaaS

· The Azure CLI is available to install in Windows, macOS and Linux environments. It can also be run in a Docker container and Azure Cloud Shell

· The Azure portal is a web-based console and runs in the browser of all modern desktops and tablet devices. If you need to manage Azure resources from a mobile device, try the Azure mobile app. It’s available for iOS and Android.

· Azure PowerShell works with PowerShell 5.1 on Windows, and PowerShell 6.x and higher on all platforms.

· CLI commands/scripts are different from PowerShell ones. Therefore, you cannot use a PowerShell script in the CLI on Linux.

· PowerShell Core is needed to run PowerShell scripts. PowerShell Core can be installed on Windows, Linux and macOS.

· The Basic support plan does not have any technical support for engineers. The Developer support plan has only technical support for engineers via email. The Standard, Professional Direct, and Premier support plans have technical support for engineers via email and phone.

· The Azure service life cycle generally follows this order:

Private previews → Public previews → Generally Available (GA)

· You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources

· Redis cache: Azure Cache for Redis can be used as an in-memory data structure store, a distributed non-relational database, and a message broker. Application performance is improved by taking advantage of the low-latency, high-throughput performance of the Redis engine.

· Data factories: Azure Data Factory is a cloud-based data integration service that allows you to create data-driven workflows in the cloud for orchestrating and automating data movement and data transformation. Azure Data Factory does not store any data itself.

· While a blob is in the archive access tier, it’s considered offline and can’t be read or modified. The blob metadata remains online and available, allowing you to list the blob and its properties. Reading and modifying blob data is only available with online tiers such as hot or cool. There are two options to retrieve and access data stored in the archive access tier.

#Rehydrate an archived blob to an online tier — Rehydrate an archive blob to hot or cool by changing its tier using the Set Blob Tier operation.

#Copy an archived blob to an online tier — Create a new copy of an archive blob by using the Copy Blob operation. Specify a different blob name and a destination tier of hot or cool.

· Azure Logic Apps: Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. Process and route orders across on-premises systems and cloud services.

· Azure Batch: Azure Batch Service is a cloud-based job scheduling and compute management platform that enables running large-scale parallel and high performance computing applications efficiently in the cloud. Azure Batch Service provides job scheduling and automatically scales and manages the virtual machines running those jobs.

· Copying data to Azure is free of charge. Inbound data transfers (i.e. data going into Azure data centers): Free.

· Data transfers over the VPN are charged separately. Data transfers between two virtual networks are charged at the inter-virtual network rates. Other data transfers over the VPN connections to your on-premises sites or the internet in general are charged separately at the regular data transfer rate.

· Outbound data transfers (i.e. data going out of Azure data centers): NOT FREE

· Generally available (GA) — After the public preview is completed, the feature is open for any licensed customer to use and is supported via all Microsoft support channels. Be aware when a new feature impacts existing functionality, it might change the way you or your users use the functionality

· Connect to Azure using an authenticated, browser-based shell experience that’s hosted in the cloud and accessible from virtually anywhere. Azure Cloud Shell gives you the flexibility of choosing the shell experience that best suits the way you work. Both Bash and PowerShell experiences are available

· Azure AD Connect Health : Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Office 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components.

· Azure AD Privileged Identity Management: Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.

· Azure Advanced Threat Protection (ATP) : Azure ATP is a cloud-based security solution that helps you detect and investigate security incidents across your networks. It supports the most demanding workloads of security analytics for the modern enterprise.

· Azure AD Identity Protection : Azure Active Directory (Azure AD) Identity Protection allows you to detect potential vulnerabilities affecting your organization’s identities, configure automated responses, and investigate incidents. The risk signals can trigger remediation efforts such as requiring users to: perform Azure Multi-Factor Authentication, reset their password using self-service password reset, or blocking until an administrator takes action.

· Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments. Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts.

· Virtual Network in Azure is free of charge. Every subscription is allowed to create up to 50 Virtual Networks across all regions. There is no additional charge for multiple network interfaces (NICs), although the number of NICs is tied to VM SKUs. Hence removing the unused network interfaces will not reduce the costs for the company.

· Delete unassociated public IP addresses to save money

· Advisor identifies public IP addresses that are not currently associated to Azure resources such as Load Balancers or VMs. These public IP addresses come with a nominal charge. If you do not plan to use them, deleting them can result in cost savings.

· Azure Active Directory generally comes in four editions: Free, Office 365 apps edition, Premium P1, and Premium P2. The Free edition is included with an Azure subscription. The P1 and P2 editions come with an unlimited object limit. User accounts can be managed in the Free edition.

· Azure AD Connect: Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It is responsible for creating users, groups, and other objects and making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes.

· Azure AD : Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources.

· Azure AD Join : Azure AD join allows you to join devices directly to Azure AD without the need to join to on-premises Active Directory while keeping your users productive and secure. Azure AD join is enterprise-ready for both at-scale and scoped deployments.

· Azure AD Domain Services: Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication that is fully compatible with Windows Server Active Directory. You use these domain services without the need to deploy, manage, and patch domain controllers in the cloud. Azure AD DS integrates with your existing Azure AD tenant, which makes it possible for users to sign in using their existing credentials.

· Azure Cloud Shell gives you the flexibility of choosing the shell experience that best suits the way you work. Both Bash and PowerShell experiences are available. Cloud Shell can be opened in any supported browser on a laptop running any operating system.

· Virtual machines give you full control over the environment. Containers give you limited control. Serverless computing does not allow you to do any infrastructure configuration.

· Transferring an Azure subscription is allowed, but merging is not currently possible.

· The Service Trust Portal (STP) hosts the Compliance Manager application and is Microsoft’s public site for publishing audit reports and other compliance-related information related to Microsoft’s cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored whitepapers that provide details on how Microsoft builds and operates our cloud services.

· Bring your own license (BYOL): Bringing your own SQL Server license through License Mobility, also referred to as BYOL, means using an existing SQL Server Volume License with Software Assurance in an Azure VM. BYOL images require an Enterprise Agreement with Software Assurance.

· You are only charged for the public IP addresses and not for the private IP addresses.

· Total cost of block blob storage depends on:

#Volume of data stored per month.

#Quantity and types of operations performed, along with any data transfer costs.

#Data redundancy option and storage region selected.

· For general-purpose v2 accounts, you are charged for write operations (per 10,000). For Blob storage accounts, there is no charge for Write operations.

· Content delivery network (CDN) : Azure Content Delivery Network (CDN) is a global CDN solution for delivering high-bandwidth content. It can be hosted in Azure or any other location. With Azure CDN, you can cache static objects loaded from Azure Blob storage, a web application, or any publicly accessible web server, by using the closest point of presence (POP) server. Azure CDN can also accelerate dynamic content, which cannot be cached, by leveraging various network and routing optimizations.

· If you go to Help + Support and then go to Service Health, then you can view if there are any issues to the underlying Azure Infrastructure.

· You can set up a total of five billing alerts per subscription, with a different threshold and up to two email recipients for each alert.

· A mantrap is a small room with an entry door on one wall and an exit door on the opposite wall. A visitor would be allowed entry into an enclosed vestibule, at which time the entry door would be locked and the visitor’s credentials examined.

· Data disks are VHDs that are attached to virtual machines. They are used to store application data and other data that needs to be kept. VHDs that are used in Azure are .vhd files that are stored as page blobs in either a standard or premium storage account in Azure. It’s also important to note that Azure only supports the fixed disk VHD format.

· Disk performance, from highest to lowest:

Ultra disk SSD > Premium SSD > Standard SSD > Standard HDD

· Availability sets : An Availability Set is a logical grouping capability for isolating VM resources from each other when they’re deployed. Azure makes sure that the VMs you place within an Availability Set run across multiple physical servers, compute racks, storage units, and network switches.

· Update domain : An update domain is a logical group of underlying hardware that can undergo maintenance or be rebooted at the same time. As you create VMs within an availability set, the Azure platform automatically distributes your VMs across these update domains.

· Block blobs are composed of blocks and are ideal for storing text or binary files, and for uploading large files efficiently. Hence they are not used for storing virtual hard drive (VHD) files.

· Geo-redundant storage (with GRS or GZRS) replicates your data to another physical location in the secondary region to protect against regional outages. However, that data is available to be read only if the customer or Microsoft initiates a failover from the primary to secondary region.

· The Azure free account provides access to all Azure products and does not block customers from building their ideas into production. The Azure free account includes certain products — and specific quantities of those products — for free. To enable your production scenarios, you may need to use resources beyond the free amounts. You’ll be billed for those additional resources at the pay-as-you-go rates.

· Microsoft offers Service level credits if it does not meet the SLA targets.

· Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. All data stored by Azure Policy is encrypted at rest.

· Access management for cloud resources is a critical function for any organization that is using the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

· RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

What can I do with RBAC?

Here are some examples of what you can do with RBAC:

# Allow one user to manage virtual machines in a subscription and another user to manage virtual networks

#Allow a DBA group to manage SQL databases in a subscription

#Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets

#Allow an application to access all resources in a resource group

· You can create a budget and get a notification if the costs are going beyond the budget.

· Initiative: Initiatives simplify policy management by grouping a set of policies as one single item. For example, you could create an initiative titled Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center.

· Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel is your birds-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution timeframes.

· Security Center is offered in two Pricing tiers:

#The Free tier is enabled on all your Azure subscriptions once you visit the Azure Security Center dashboard in the Azure portal for the first time, or if enabled programmatically via API. The free tier provides security policy, continuous security assessment, and actionable security recommendations to help you protect your Azure resources.

#The Standard tier extends the capabilities of the Free tier to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads. The standard tier also adds threat protection capabilities, which use built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, access and application controls to reduce exposure to network attacks and malware, and more. In addition, standard tier adds vulnerability scanning for your virtual machines.

· The Microsoft Azure Virtual Machine Agent (VM Agent) is a secure, lightweight process that manages virtual machine (VM) interaction with the Azure Fabric Controller.

· VM Extensions enable post-deployment configuration of a VM, such as installing and configuring software. An extension runs within the operating system.

· Azure Synapse is a limitless analytics service that brings together enterprise data warehousing and Big Data analytics. It gives you the freedom to query data on your terms, using either serverless on-demand or provisioned resources — at scale. Azure Synapse brings these two worlds together with a unified experience to ingest, prepare, manage, and serve data for immediate BI and machine learning needs

Azure Synapse has four components:

#Synapse SQL: Complete T-SQL based analytics — Generally Available SQL pool (pay per DWU provisioned) SQL on-demand (pay per TB processed) — (Preview)

#Spark: Deeply integrated Apache Spark (Preview)

#Data Integration: Hybrid data integration (Preview)

#Studio: Unified user experience. (Preview)

· Azure Monitor is not a global service and is region specific.

· A firewall is a service that grants server access based on the originating IP address of each request. You create firewall rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server. Firewall rules, generally speaking, also include specific network protocol and port information. Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources.

· Azure Application Gateway is a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is designed to protect HTTP traffic.

· Network virtual appliances (NVAs) are ideal options for non-HTTP services or advanced configurations and are similar to hardware firewall appliances.

Hope these notes help you in scoring well in AZ-900 so you could move ahead in your journey to the mysterious world of Cloud computing.

Let me know if this helped you.

All the Best !