- Domain 2 at a Glance: Why This Section Carries the Most Weight
- Exactly What Domain 2 Tests: The Full Topic Breakdown
- Azure Core Architecture Components
- Compute and Networking Services
- Azure Storage Services
- Identity, Access, and Security
- How Domain 2 Questions Are Actually Written
- A Domain-Specific Study Schedule for Domain 2
- Registration, Fees, and Exam Mechanics
- Frequently Asked Questions
- Domain 2 is the single largest section of the AZ-900 exam, accounting for 35-40% of your total scaled score.
- You need a scaled score of 700 or higher (on Microsoft's 1-1000 scale) to pass the full exam.
- The exam costs $99 USD in the United States; pricing varies by country and can be confirmed before booking via Pearson VUE.
- Microsoft Fundamentals certifications never expire, so passing AZ-900 is a permanent credential on your resume.
Domain 2 at a Glance: Why This Section Carries the Most Weight
Of the three domains on the AZ-900 exam, Domain 2-Describe Azure architecture and services-is the heaviest hitter. Microsoft allocates 35-40% of the exam to this content area, meaning roughly one in three questions you encounter will trace back to something covered here. If you invest equal time across all three domains, you are systematically under-preparing for the section that will most determine whether you walk away with a 700 or above on Microsoft's 1-1000 scaled score.
The exam is administered through Pearson VUE authorized test centers or Pearson OnVUE online proctoring, and you have 45 minutes of actual exam time within a 65-minute seat time window. That constraint makes depth of knowledge critical: you cannot afford to pause on every Azure service name and reason through it from scratch. Domain 2 rewards candidates who have internalized the purpose and relationships between services, not just memorized a glossary.
For full context on how all three domains fit together and how Domain 2 compares in weight and difficulty to the others, see the AZ-900 Exam Domains 2026: Complete Guide to All 3 Content Areas.
Exactly What Domain 2 Tests: The Full Topic Breakdown
Microsoft's official skills outline for the AZ-900 (skills measured as of July 20, 2026) organizes Domain 2 into four major sub-areas. Each one is testable, and the exam does not telegraph which sub-area a question belongs to-you simply see a scenario and need to select the correct Azure concept or service.
Domain 2 Sub-Areas at a Glance
The four clusters you must master within Domain 2:
- Describe the core architectural components of Azure - regions, availability zones, resource groups, subscriptions, management groups
- Describe Azure compute and networking services - Virtual Machines, App Service, Azure Functions, Containers, Azure Virtual Networks, VPN Gateway, ExpressRoute, DNS
- Describe Azure storage services - storage accounts, redundancy options, Azure Blob, Azure Files, Azure Migrate, Azure File Sync
- Describe Azure identity, access, and security - Microsoft Entra ID, authentication methods, Azure RBAC, Zero Trust, Microsoft Defender for Cloud
The breadth here is deliberate. Microsoft wants AZ-900 candidates to demonstrate a working mental model of how Azure is assembled from the ground up-physical infrastructure first, services layered on top, secured at the identity and access layer. Understanding that flow makes individual service questions far easier to answer correctly under time pressure.
Azure Core Architecture Components
Regions, Pairs, and Sovereign Clouds
An Azure region is a geographical area containing at least one-typically multiple-data centers networked together with low-latency connections. Microsoft organizes regions into region pairs so that if one region experiences an outage, Azure can fail services over to the paired region. Candidates often confuse regions with availability zones; the AZ-900 exam exploits that confusion directly.
Availability zones are physically separate data centers within a single region. They each have independent power, cooling, and networking. Zone-redundant resources are replicated across at least three zones within a region. The key exam distinction: regions protect against regional failures; availability zones protect against individual data center failures within a region.
The Azure Organizational Hierarchy
Understanding the administrative structure of Azure is a reliable source of questions in Domain 2. The hierarchy from broadest to most granular is:
- Management Groups - containers that help you manage access, policy, and compliance across multiple subscriptions
- Subscriptions - billing boundaries and access control boundaries; every Azure resource belongs to exactly one subscription
- Resource Groups - logical containers for Azure resources that share a lifecycle; deleting a resource group deletes everything in it
- Resources - individual service instances such as a virtual machine or storage account
Compute and Networking Services
Compute Options You Must Be Able to Compare
Domain 2 expects you to know not just what each compute service does, but when to choose it. The AZ-900 frequently presents a business scenario and asks which service is the best fit. Here is how the major options differ:
| Service | Best Fit Scenario | Key Characteristic |
|---|---|---|
| Azure Virtual Machines | Lift-and-shift migrations; full OS control needed | IaaS; you manage the OS and above |
| Azure App Service | Web apps, REST APIs, mobile backends | PaaS; Microsoft manages the runtime environment |
| Azure Functions | Event-driven tasks, short-lived code execution | Serverless; pay-per-execution billing model |
| Azure Container Instances | Simple containerized workloads without orchestration | Fast startup; no cluster management overhead |
| Azure Kubernetes Service (AKS) | Complex, multi-container applications at scale | Managed Kubernetes; handles orchestration complexity |
| Azure Virtual Desktop | Remote desktop and app virtualization | Runs on Azure; delivers Windows desktops to any device |
Networking: The Concepts That Trip Candidates Up
Azure networking questions in Domain 2 focus heavily on Azure Virtual Networks (VNets), VNet peering, VPN Gateway, and Azure ExpressRoute. The classic exam scenario: a company needs a private, dedicated connection to Azure that does not travel over the public internet-the answer is ExpressRoute, not VPN Gateway. VPN Gateway uses an encrypted tunnel over the public internet; ExpressRoute is a private circuit through a connectivity provider.
Azure DNS and Azure Load Balancer appear regularly as well. Know that Azure DNS hosts your DNS domains in Azure and provides name resolution using Microsoft's infrastructure, but it cannot be used to buy domain names-that distinction is exam-testable.
Azure Storage Services
Storage Account Types and Redundancy
The storage section of Domain 2 is denser than many candidates expect. A core concept is storage redundancy-how Azure replicates data to protect against failures at different scales:
Azure Storage Redundancy Options
Candidates must know what each option protects against and its geographic scope:
- LRS (Locally Redundant Storage) - 3 copies within a single data center; protects against drive/server failure
- ZRS (Zone-Redundant Storage) - 3 copies across availability zones in one region; protects against zone-level failure
- GRS (Geo-Redundant Storage) - LRS in primary region plus asynchronous replication to a secondary region
- GZRS (Geo-Zone-Redundant Storage) - ZRS in primary region plus replication to a secondary region; highest durability option
Azure Blob, Files, and Migration Tools
Azure Blob Storage is optimized for unstructured data-documents, images, videos, logs. Know the three access tiers: Hot (frequent access, higher storage cost), Cool (infrequent access, lower cost), and Archive (rarely accessed data, lowest cost with retrieval latency). The AZ-900 will test when each tier is appropriate.
Azure Files provides fully managed cloud file shares accessible via SMB or NFS protocols, making it a natural fit for lift-and-shift scenarios where applications rely on shared file systems.
Azure Migrate and Azure File Sync round out this sub-area. Azure Migrate is a hub of tools for assessing and migrating on-premises servers, databases, and web apps. Azure File Sync extends on-premises Windows file servers to Azure, enabling cloud tiering of infrequently accessed files.
Identity, Access, and Security
Microsoft Entra ID (Formerly Azure Active Directory)
Microsoft rebranded Azure Active Directory to Microsoft Entra ID-and the AZ-900 exam updated to reflect this. Entra ID is Microsoft's cloud-based identity and access management service. It is not the same as Windows Server Active Directory; it is built for cloud and multi-tenant SaaS applications. Key features to know: single sign-on (SSO), multi-factor authentication (MFA), and Conditional Access policies.
Azure RBAC and Zero Trust
Azure Role-Based Access Control (RBAC) is the authorization system for managing access to Azure resources. Roles are assigned to security principals (users, groups, service principals) at a scope. Three built-in roles the exam loves to reference: Owner, Contributor, and Reader-know exactly what each can and cannot do.
Zero Trust is a security model, not a specific Azure service. Its core principle: never assume trust, always verify. Domain 2 expects you to recognize Zero Trust components-verify explicitly, use least privilege access, assume breach-and connect them to Azure features that implement them.
Microsoft Defender for Cloud provides unified security management and advanced threat protection across hybrid cloud workloads. The AZ-900 level of knowledge required is conceptual: understand what it does and when you would use it, not how to configure it at a technical depth.
Key Takeaway
For Domain 2's identity section, the most common gap is confusing authentication (proving who you are) with authorization (determining what you can do). Microsoft Entra ID primarily handles authentication; Azure RBAC handles authorization. The exam draws this distinction deliberately.
How Domain 2 Questions Are Actually Written
The AZ-900 is a proctored, computer-based exam and Microsoft reserves the right to include interactive components-the exact item types are not pre-announced. In practice, Domain 2 questions typically follow three patterns:
- Scenario-to-service mapping: "A company needs to run containerized workloads without managing underlying infrastructure. Which service should they use?" The correct answer requires you to distinguish between AKS (cluster management involved) and Azure Container Instances (no cluster management).
- Feature-to-requirement matching: "Which storage redundancy option provides the highest durability and protects against both zone and regional failures?" Answer: GZRS.
- Concept identification: "A security team wants to ensure that no user or device is trusted by default, even inside the corporate network. Which security model does this describe?" Answer: Zero Trust.
There is no penalty for guessing on the AZ-900. If you are uncertain, eliminate obviously wrong answers and commit to the most likely option. Leaving an answer blank guarantees zero points; guessing gives you a chance at a correct score.
Microsoft also notes that Microsoft Learn access is not available during Fundamentals exams-you must know the material cold. Practicing with realistic, scenario-based questions before exam day is one of the most effective ways to build that recall. The AZ-900 practice tests available on this site are structured around the same domain weighting Microsoft uses, with Domain 2 questions proportionally represented at 35-40%.
For a full breakdown of what to expect across all question types, see Best AZ-900 Practice Questions 2026: What to Expect on the Exam.
A Domain-Specific Study Schedule for Domain 2
Given Domain 2's size and breadth, it warrants dedicated time in any study plan. Below is a focused schedule that respects the proportional weight of each sub-area within Domain 2 itself. This is not a complete AZ-900 study plan-for that, see the AZ-900 Study Guide 2026: How to Pass on Your First Attempt.
Core Architecture
- Map the region → availability zone → data center hierarchy on paper
- Draw and label the management group → subscription → resource group → resource hierarchy
- Identify the purpose and scope of each organizational layer
Compute and Networking
- Build a comparison table of all six compute options from memory
- Practice ExpressRoute vs. VPN Gateway scenario questions
- Study VNet peering and when private endpoints apply
Storage Services
- Memorize the four redundancy tiers and what each protects against
- Distinguish Blob access tiers (Hot, Cool, Archive) by use case
- Understand Azure Migrate vs. Azure File Sync use cases
Identity, Access, and Security
- Clarify Microsoft Entra ID vs. on-premises AD distinctions
- Practice RBAC scope inheritance scenarios
- Connect Zero Trust principles to specific Azure features
Domain 2 Practice and Review
- Run a full Domain 2 practice set on az900exam.com and review every incorrect answer
- Re-read explanations for any service you missed more than once
- Cross-reference weak areas with Domain 1 and Domain 3 before full exam simulations
Registration, Fees, and Exam Mechanics
The AZ-900 costs $99 USD in the United States. Pricing is based on the country or region where the exam is proctored, so if you are outside the US, verify the current fee on the Microsoft certification page before registering. For a full breakdown of pricing variables, discounts, and retake policies, see AZ-900 Certification Cost 2026: Complete Pricing Breakdown.
Scheduling is handled through Pearson VUE-either at an authorized test center or via Pearson OnVUE online proctoring. Certiport scheduling is available for students or educators in applicable programs. The exam window is 65 minutes of seat time with 45 minutes allocated to actual questions. The additional time covers check-in, instructions, and survey items.
One logistical detail that surprises candidates: if the exam is not available in your preferred language, Microsoft may offer a 30-minute language accommodation, bringing your total to 75 minutes of exam time. This is worth requesting if English is not your primary language and you qualify.
Unlike role-based Azure certifications, the AZ-900 has no prerequisites-you can register and sit the exam at any point. And once you pass, you never need to renew it. Microsoft Fundamentals certifications do not expire. That permanence makes the credential especially valuable as a career foundation, particularly when explored alongside broader questions like whether the AZ-900 is worth pursuing given your specific career goals.
For more on how candidates experience the exam's overall difficulty and what commonly trips people up across all domains, see How Hard Is the AZ-900 Exam? Complete Difficulty Guide 2026.
Frequently Asked Questions
Domain 2-Describe Azure architecture and services-accounts for 35-40% of the AZ-900 exam. It is the largest single domain, outweighing both Domain 1 (25-30%) and Domain 3 (30-35%). Prioritizing this domain in your study time directly impacts your final scaled score.
The AZ-900 is a fundamentals-level exam and does not require deep technical experience. However, Domain 2 questions are scenario-based, meaning you need to understand when to use a service, not just that it exists. Hands-on exploration through Azure's free tier is helpful but not required to pass.
The AZ-900 skills outline reflects Microsoft's rebranding. Azure Active Directory is now called Microsoft Entra ID. Both names may appear in study materials and potentially in exam content as Microsoft transitions, but you should recognize them as the same service. Study using the Entra ID terminology to match the current exam version.
VPN Gateway creates an encrypted tunnel between your on-premises network and Azure over the public internet. ExpressRoute is a private, dedicated connection to Azure through a connectivity provider that does not traverse the public internet. For scenarios requiring higher security, lower latency, and guaranteed bandwidth, ExpressRoute is the correct answer.
No. Microsoft explicitly states that Microsoft Learn access is not available on Fundamentals exams. The AZ-900 is a closed-book, proctored exam. You cannot access any external resources, notes, or websites during your 45-minute exam window. All knowledge must be recalled from memory, which makes thorough preparation across all four Domain 2 sub-areas essential.