1. Home
  2. Training Library
  3. AZ-900 Exam Prep - Additional Topics

AZ-900 Exam Prep - Additional Topics


AZ-900 Exam Prep
Additional Topics
PREVIEW12m 44s

The course is part of this learning path

Additional Topics

This short course covers some additional topics you should review before taking the Microsoft AZ-900 exam.


Congratulations on making it all the way through this learning path. If you’re preparing to write the Microsoft AZ-900 exam, bear in mind that although we’ve covered all of the major topics in the exam guide, there are a few details that weren’t covered. I’ll go over them briefly here.

Microsoft has dozens of Azure regions around the world, and these regions are grouped into geographies. Each geography meets data residency and compliance requirements. For example, the United Kingdom geography has data centers in the UK, so data stored in that geography will comply with UK data residency requirements.

The UK geography contains two regions: UK South and UK West. These two regions are paired regions. That means that if there’s an Azure outage that affects multiple regions, then at least one region in each regional pair will be prioritized for recovery. So if you have redundant resources in both regions in a regional pair, then you’ll have a good chance that at least one of those regions will be recovered quickly in the event of an outage.

A resource group is used to organize a set of related resources, such as virtual machines and database instances, that are part of a particular application. This seems pretty straightforward, but there are lots of little details about resource groups that you should know.

  • You can’t put a resource in more than one resource group.

  • You can move a resource from one resource group to another. You can even move a resource from one subscription to another.

  • Resources don’t need to be in the same region as the resource group they’re in.

  • Tags are simply labels that you can apply to resources for management purposes. One common use is to apply organizational tags, such as Engineering and Marketing, to resources. That way, you can easily figure out how much to charge each department for their resource usage. You can apply tags to a resource group, but bear in mind that those tags do not get inherited by the resources in that resource group. So if you want to apply a tag to all of the resources in a resource group, you’ll have to apply it to them individually.

  • When you delete a resource group, all of the resources in it get deleted, too. This is a very useful way of making sure you delete all of the resources related to a particular application or project.

If you have multiple virtual networks, then they’ll be isolated from each other by default. The easiest way to allow resources in two VNets to communicate with each other is called virtual network peering. This connects two VNets together so that traffic between them goes through Microsoft’s backbone network instead of over the internet. Not only does this make the connection faster, but it also makes it more secure. You can even connect VNets located in two different regions by using global virtual network peering.

Azure Storage has three tiers: hot, cool, and archive. Data in the hot and cool tiers can be accessed immediately because it’s stored online. It takes much longer to access data in the archive tier because it’s stored offline. Before it can be accessed, archive data must be “rehydrated”, a process that can take several hours. This rehydration process is why it costs more to retrieve data in archive storage than in hot or cool storage. Ideally, archive storage should be used for files that rarely need to be retrieved, such as long-term backups and compliance data.

If you’re moving your SQL Server databases to Azure, and you want to use a managed service that will take care of tasks such as keeping the software up-to-date, then you have two options: SQL Database and SQL Managed Instance. SQL Database has the most robust cloud features, such as support for autoscaling and availability zones, but it’s not 100% compatible with SQL Server. SQL Managed Instance has the highest compatibility with SQL Server, but it supports fewer cloud features. So, if you need to migrate an existing SQL Server database to Azure, then Managed Instance will be the easiest, but you won’t be able to use some of Azure’s most sophisticated features.

GitHub is a website where people can store and share software code and other types of files. Its main uses are version control and collaboration. GitHub Actions can help you automate your software workflows. For example, you could use it to build, test, and deploy your code. This is something that would normally be done by a separate continuous integration / continuous deployment system, but now you can do it directly from GitHub.

Azure provides three types of platform logs that can help with troubleshooting and auditing. Resource logs (formerly known as diagnostic logs) contain information about things that happened within an Azure resource, such as accessing a database. Activity logs contain information at the subscription level about activities that were performed on a resource from the outside, such as shutting down a database instance. Azure Active Directory logs contain information about activities specifically related to Azure Active Directory, such as recent logins and new users added.

Normally, when you deploy an Azure virtual machine, it gets provisioned on a physical server that’s shared with other Microsoft customers. From a security point of view, this isn’t a concern because Azure ensures that your VMs are not accessible by other customers. Nonetheless, Microsoft provides a service called Azure Dedicated Host that lets you deploy VMs to a server that is dedicated to your subscription, so other customers can’t deploy their VMs to it. If you really need to have your VMs on a non-shared server, you can use a Dedicated Host to do it.

Even though Azure virtual networks already had a firewall-like feature called network security groups, Microsoft released a new service called Azure Firewall. The advantage of using Azure Firewall is that it’s more feature-rich. For example, you can tell it to allow outbound traffic only to certain domain names. NSGs can’t do that. They only allow you to specify IP addresses, not entire domains. An Azure Firewall is centralized, so it works across virtual networks and even across subscriptions.

Most hacker attacks are intended to get inside your systems rather than take them down. One service you can use to help deal with these attacks is Azure Advanced Threat Protection or ATP. Azure ATP monitors user activities and looks for anomalies. For example, if an attacker seizes control of a user account, they’ll probably try to gain access to internal resources or other accounts. This sort of activity can often be spotted by ATP, which will send an alert to your administrators. It can also inform administrators of potential weaknesses in your account security before you’re compromised by an attacker.

Even if you do a good job of protecting your systems from attackers, your legitimate users might accidentally reveal confidential information. Azure Information Protection, or AIP, can help with that. AIP lets you label information as confidential, either manually or using rules you create. This, alone, will help keep people from inadvertently sending confidential information outside of the organization, but you can also configure AIP to actually prevent it from happening. For example, if someone attaches a confidential document to an email and then tries to send that email to a person outside of the company, AIP can stop the email from being sent.

When a user accidentally modifies or deletes a resource, such as a virtual machine, it can have catastrophic consequences, so Microsoft provides a handy way to prevent this from happening. An administrator can apply a resource lock to important resources.

There are two types of locks: Delete and Read-only. A Delete lock, of course, prevents a resource from being deleted. A read-only lock prevents a resource from being deleted or modified, so it’s more restrictive than a Delete lock. If two different administrators add locks to the same resource, then the most restrictive lock is applied. Even an administrator can’t delete a locked resource, so they have to delete the lock (or locks) before they can delete the resource.

If you want to apply a lock to all of the resources in a resource group, you only have to apply the lock to the resource group itself, and all of the resources in it will inherit the lock. You can even do this at the subscription level for all resources in a subscription.

To enforce a wide variety of governance policies, you can use the Azure Policy service. For example, suppose your company has a European division that is legally required to store its data only in European data centers. You could create a policy that only allows SQL Database instances to be created in European regions and assign that policy to the resource group for that division of the company. You’d also need to create similar policies for other data storage services, such as SQL Data Warehouse and Data Lake Storage.

Now suppose you need to assign the same policies to a number of different resource groups or subscriptions. To make it easier, you can group related policies into what’s called an initiative and then assign that initiative to various subscriptions, resource groups, and management groups.

Speaking of management groups, what are they? If your organization has a lot of subscriptions, you’ll likely want to apply the same policies or policy initiatives to many of them. This would normally require applying them to each subscription individually, but there’s an easier way. You can put your subscriptions in management groups. Then when you apply a policy or a role assignment to a management group, it will be inherited by all of the subscriptions in that management group.

Microsoft’s Cloud Adoption Framework is designed to help organizations migrate their IT resources to Azure. It’s a set of best practices, documentation, and tools you can use to take advantage of what other organizations have learned when moving to the cloud.

Since security, privacy, compliance, and trust are responsibilities that your organization shares with its service providers, Microsoft provides lots of resources to help you understand how they take care of their side of the arrangement.

The Microsoft Privacy Statement “explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.” This actually applies to all of Microsoft’s services, not just Azure. To save you some typing, I put all of the links from this video in the transcript below.

When you subscribe to an Online Service through a Microsoft Commercial Licensing program, the terms for how you can use the service can be found on Microsoft’s Product Terms site.

The Data Protection Addendum is an addition to the product terms that explains Microsoft’s obligations regarding the processing and security of customer data and personal data in connection with the Online Services.

The Trust Center contains a collection of links to resources about how Microsoft handles security, privacy, compliance, and transparency.

The Service Trust Portal is focused specifically on compliance. For example, it has links to Azure audit reports for regulatory standards like SOC, FedRAMP, and ISO27001. These will be helpful if your organization is going through these compliance audits. There’s also a link to a site called “Compliance Manager”.

This is a great tool that helps you achieve compliance. It creates assessments for different Microsoft services. It shows how compliant your organization is and how compliant Microsoft is for a particular area. For example, here’s a GDPR assessment for Office 365. You’ll notice that Microsoft Managed Actions is at 100%, which is always the case. In this example, Customer Managed Actions is at 0%. To find out how to move your organization into compliance, you can click on the assessment, and it will bring up a list of steps to complete. In most cases, you’ll need to upload evidence of your compliance. The main value of the Compliance Manager is that it helps you organize and track your compliance efforts.

If you’re involved in cloud solutions for the US government, then be aware that Microsoft provides Azure Government services that are in physically isolated data centers and networks. Azure Government is available to US government agencies at the federal, state, and local levels, as well as to their partners. To use these services, your organization has to meet eligibility requirements.

Microsoft also provides a physically separated Azure instance in China. It’s operated by 21Vianet.

That’s it for additional topics for the AZ-900 exam. If you have any questions or comments, please let us know. 

Thanks and good luck on the exam!


Cloud Adoption Framework: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/

Microsoft Privacy Statement: https://privacy.microsoft.com/privacystatement

Online Services Terms: https://www.microsoft.com/en-us/licensing/product-licensing/products

Data Protection Addendum: https://www.microsoftvolumelicensing.com/Downloader.aspx?DocumentId=17880

Microsoft Trust Center: https://www.microsoft.com/trustcenter

Microsoft Service Trust Portal: https://servicetrust.microsoft.com/

About the Author
Guy Hummel
Azure and Google Cloud Content Lead
Learning Paths

Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).