AZ-900 Exam Prep - Additional Topics
Additional Topics

This short course covers some additional topics you should review before taking the Microsoft AZ-900 exam.


Congratulations on making it all the way through this learning path. If you’re preparing to write the Microsoft AZ-900 exam, bear in mind that although we’ve covered all of the major topics in the exam guide, there are a few details that weren’t covered. I’ll go over them briefly here.

Microsoft has dozens of Azure regions around the world, and these regions are grouped into geographies. Each geography meets data residency and compliance requirements. For example, the United Kingdom geography has data centers in the UK, so data stored in that geography will comply with UK data residency requirements.

The UK geography contains two regions: UK South and UK West. These two regions are paired regions. That means that if there’s an Azure outage that affects multiple regions, then at least one region in each regional pair will be prioritized for recovery. So if you have redundant resources in both regions in a regional pair, then you’ll have a good chance that at least one of those regions will be recovered quickly in the event of an outage.

A resource group is used to organize a set of related resources, such as virtual machines and database instances, that are part of a particular application. This seems pretty straightforward, but there are lots of little details about resource groups that you should know.

  • You can’t put a resource in more than one resource group.

  • You can move a resource from one resource group to another. You can even move a resource from one subscription to another.

  • Resources don’t need to be in the same region as the resource group they’re in.

  • Tags are simply labels that you can apply to resources for management purposes. One common use is to apply organizational tags, such as Engineering and Marketing, to resources. That way, you can easily figure out how much to charge each department for their resource usage. You can apply tags to a resource group, but bear in mind that those tags do not get inherited by the resources in that resource group. So if you want to apply a tag to all of the resources in a resource group, you’ll have to apply it to them individually.

  • When you delete a resource group, all of the resources in it get deleted, too. This is a very useful way of making sure you delete all of the resources related to a particular application or project.

Azure provides three types of platform logs that can help with troubleshooting and auditing. Resource logs (formerly known as diagnostic logs) contain information about things that happened within an Azure resource, such as accessing a database. Activity logs contain information at the subscription level about activities that were performed on a resource from the outside, such as shutting down a database instance. Azure Active Directory logs contain information about activities specifically related to Azure Active Directory, such as recent logins and new users added.

When a user accidentally modifies or deletes a resource, such as a virtual machine, it can have catastrophic consequences, so Microsoft provides a handy way to prevent this from happening. An administrator can apply a resource lock to important resources.

There are two types of locks: Delete and Read-only. A Delete lock, of course, prevents a resource from being deleted. A read-only lock prevents a resource from being deleted or modified, so it’s more restrictive than a Delete lock. If two different administrators add locks to the same resource, then the most restrictive lock is applied. Even an administrator can’t delete a locked resource, so they have to delete the lock (or locks) before they can delete the resource.

If you want to apply a lock to all of the resources in a resource group, you only have to apply the lock to the resource group itself, and all of the resources in it will inherit the lock. You can even do this at the subscription level for all resources in a subscription.

To enforce a wide variety of governance policies, you can use the Azure Policy service. For example, suppose your company has a European division that is legally required to store its data only in European data centers. You could create a policy that only allows SQL Database instances to be created in European regions and assign that policy to the resource group for that division of the company. You’d also need to create similar policies for other data storage services, such as SQL Data Warehouse and Data Lake Storage.

Now suppose you need to assign the same policies to a number of different resource groups or subscriptions. To make it easier, you can group related policies into what’s called an initiative and then assign that initiative to various subscriptions, resource groups, and management groups.

Speaking of management groups, what are they? If your organization has a lot of subscriptions, you’ll likely want to apply the same policies or policy initiatives to many of them. This would normally require applying them to each subscription individually, but there’s an easier way. You can put your subscriptions in management groups. Then when you apply a policy or a role assignment to a management group, it will be inherited by all of the subscriptions in that management group.

Since security, privacy, compliance, and trust are responsibilities that your organization shares with its service providers, Microsoft provides lots of resources to help you understand how they take care of their side of the arrangement. The Trust Center contains a collection of links to resources about how Microsoft handles security, privacy, compliance, and transparency.

The Service Trust Portal is focused specifically on compliance. For example, it has links to Azure audit reports for regulatory standards like SOC, FedRAMP, and ISO27001. These will be helpful if your organization is going through these compliance audits. There’s also a link to a site called “Compliance Manager”.

This is a great tool that helps you achieve compliance. It creates assessments for different Microsoft services. It shows how compliant your organization is and how compliant Microsoft is for a particular area. For example, here’s a GDPR assessment for Office 365. You’ll notice that Microsoft Managed Actions is at 100%, which is always the case. In this example, Customer Managed Actions is at 0%. To find out how to move your organization into compliance, you can click on the assessment, and it will bring up a list of steps to complete. In most cases, you’ll need to upload evidence of your compliance. The main value of the Compliance Manager is that it helps you organize and track your compliance efforts.

If you’re involved in cloud solutions for the US government, then be aware that Microsoft provides Azure Government services that are in physically isolated data centers and networks. Azure Government is available to US government agencies at the federal, state, and local levels, as well as to their partners. To use these services, your organization has to meet eligibility requirements.

Microsoft also provides a physically separated Azure instance in China. It’s operated by 21Vianet.

That’s it for additional topics for the AZ-900 exam. If you have any questions or comments, please let us know. 

Thanks and good luck on the exam!

Microsoft Trust Center:

Microsoft Service Trust Portal:

About the Author
Learning Paths

Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).