AZ-900 Deep Dive: Azure Architecture and Services — The Biggest Domain Explained
Domain 2 of the AZ-900 exam covers 35-40% of all questions and is where most candidates lose marks. This deep dive breaks down every compute service, all four storage redundancy options, Microsoft Entra ID vs Entra Domain Services, Conditional Access, networking fundamentals, and Azure Arc — with comparison tables and exam-ready explanations.
If you are studying for the AZ-900 Microsoft Azure Fundamentals exam, there is one domain that will make or break your score: Domain 2 — Describe Azure Architecture and Services. At 35-40% of the exam, it carries more weight than either of the other two domains. It is also the domain where questions shift from "understand the concept" to "know the specific service" — and that is where candidates who relied on general cloud knowledge start losing marks.
This guide is a deep dive into every major topic in Domain 2. We cover compute services with their IaaS/PaaS classifications, storage redundancy options, the identity trap that catches the most candidates, Conditional Access, networking fundamentals, and Azure Arc. Every section includes comparison tables designed for rapid exam review.
Why Domain 2 Is Where Candidates Fail
Domain 1 (Cloud Concepts, 25-30%) tests general cloud knowledge — IaaS vs PaaS vs SaaS, CapEx vs OpEx, shared responsibility. Most candidates find this intuitive. Domain 3 (Management and Governance, 30-35%) tests tools and pricing concepts that are easier to memorize with flashcards.
Domain 2 is different. It requires you to know specific Azure services by name, understand what category they belong to, and distinguish between services that sound similar but serve different purposes. "Which compute service runs containers without managing the underlying infrastructure?" has four plausible answers depending on whether you understand ACI vs AKS vs App Service vs Functions.
The math is simple: if Domain 2 is 40% of a 1000-point exam, that is 400 points. You need 700 to pass. If you perform poorly on Domain 2, you would need near-perfect scores on Domains 1 and 3 to compensate — which almost never happens.
Azure Compute Services Comparison
The AZ-900 tests six core compute services. You need to know what each one does, whether it is IaaS or PaaS, and when to use it. Here is the complete comparison:
| Service | Type | What It Does | You Manage | Azure Manages |
|---|---|---|---|---|
| Virtual Machines | IaaS | Full server with OS. Maximum control. | OS, runtime, apps, data, patching | Hardware, networking, virtualization |
| Azure App Service | PaaS | Hosts web apps, REST APIs, mobile backends. | Application code, configuration | OS, runtime, scaling, patching |
| Azure Functions | PaaS (Serverless) | Event-driven code execution. Pay per execution. | Function code only | Everything else (OS, scaling, infrastructure) |
| Azure Container Instances (ACI) | PaaS | Run containers without managing VMs. Simplest container option. | Container image, configuration | Host OS, orchestration, infrastructure |
| Azure Kubernetes Service (AKS) | PaaS | Managed Kubernetes for complex container orchestration. | Pod definitions, deployments, services | Kubernetes control plane, node OS updates |
| Azure Virtual Desktop | PaaS | Desktop and app virtualization. Runs Windows in the cloud. | User profiles, application deployment | Infrastructure, host pool management, broker |
If the exam asks "which compute service gives you the MOST control over the operating system," the answer is always Virtual Machines — the only IaaS compute option. Every other compute service is PaaS, meaning Azure manages the OS. This distinction appears in at least 2-3 questions per exam sitting.
Storage Redundancy: LRS, ZRS, GRS, GZRS
Azure storage redundancy is one of the most table-friendly topics on the AZ-900. You need to know four options, how many copies each creates, and what failure scenarios each protects against:
| Option | Full Name | Copies | Regions | Protects Against |
|---|---|---|---|---|
| LRS | Locally Redundant Storage | 3 copies | 1 region, 1 datacenter | Server rack and drive failures |
| ZRS | Zone-Redundant Storage | 3 copies | 1 region, 3 availability zones | Single datacenter failure |
| GRS | Geo-Redundant Storage | 6 copies | 2 regions (primary LRS + secondary LRS) | Entire region outage |
| GZRS | Geo-Zone-Redundant Storage | 6 copies | 2 regions (primary ZRS + secondary LRS) | Datacenter failure + entire region outage |
If the exam asks for the highest level of redundancy or protection against a regional disaster, the answer is GZRS. It combines zone redundancy in the primary region with geo-replication to a secondary region — the best of both worlds. GRS also protects against regional failure but does not protect against a datacenter failure within the primary region (it uses LRS locally).
Storage Access Tiers
Alongside redundancy, the exam tests storage access tiers. These control cost and retrieval speed:
| Tier | Storage Cost | Access Cost | Best For |
|---|---|---|---|
| Hot | Highest | Lowest | Frequently accessed data |
| Cool | Lower | Higher | Infrequent access, stored 30+ days |
| Cold | Even lower | Even higher | Rarely accessed, stored 90+ days |
| Archive | Lowest | Highest (hours to retrieve) | Long-term backups, compliance archives stored 180+ days |
Microsoft Entra ID vs. Entra Domain Services — The #1 Identity Trap
This is the single most confused topic on the AZ-900. Candidates who studied with older materials that reference "Azure AD" struggle even more because the rebranding obscures the already-subtle difference.
Microsoft Entra ID (formerly Azure Active Directory)
Microsoft Entra ID is a cloud-based identity and access management service. It handles:
- Authentication (proving who you are) via passwords, MFA, passwordless methods
- Single Sign-On (SSO) to thousands of SaaS applications
- Conditional Access policies (discussed in the next section)
- Application registration and management
- B2B and B2C identity scenarios
Think of Entra ID as the modern, cloud-native identity platform. It uses protocols like OAuth 2.0, OpenID Connect, and SAML. It does NOT support legacy protocols like NTLM, Kerberos, or LDAP natively.
Microsoft Entra Domain Services (formerly Azure AD Domain Services)
Microsoft Entra Domain Services provides managed domain services that support legacy protocols:
- LDAP, NTLM, and Kerberos authentication
- Domain join for Azure VMs
- Group Policy management
Think of Entra Domain Services as a managed on-premises Active Directory replacement in the cloud. You use it when you have legacy applications that require domain join or LDAP — applications that cannot use modern OAuth/SAML protocols.
| Feature | Microsoft Entra ID | Microsoft Entra Domain Services |
|---|---|---|
| Primary Use | Cloud identity and SSO | Legacy domain services in the cloud |
| Protocols | OAuth 2.0, OpenID Connect, SAML | LDAP, NTLM, Kerberos |
| Domain Join | No (uses Entra Join instead) | Yes — traditional domain join |
| Group Policy | No (uses Intune/Conditional Access) | Yes |
| Management | Fully managed by Microsoft | Managed domain controllers (you do not manage DCs) |
| When to Use | Modern cloud and SaaS applications | Lift-and-shift legacy apps that need LDAP/Kerberos |
If the question mentions LDAP, Kerberos, NTLM, domain join, or Group Policy, the answer involves Microsoft Entra Domain Services. If it mentions SSO, OAuth, SAML, Conditional Access, or modern authentication, the answer is Microsoft Entra ID. This single rule solves most identity questions on the exam.
Conditional Access Explained
Conditional Access is a feature of Microsoft Entra ID that received increased emphasis in the January 2026 exam update. You need to understand what it is, what signals it evaluates, and how it differs from RBAC.
What Conditional Access Does
Conditional Access policies are "if-then" statements that evaluate signals during sign-in and enforce access decisions. When a user tries to authenticate, Conditional Access checks the context of that sign-in and decides whether to allow access, require additional verification, or block access entirely.
Signals Evaluated
| Signal | Example |
|---|---|
| User or group membership | Apply MFA only to the "Administrators" group |
| IP location | Block sign-ins from countries where the company has no operations |
| Device | Require compliant device for accessing sensitive data |
| Application | Require MFA for Azure portal access but not for general email |
| Risk detection | Force password reset when a sign-in is flagged as high risk |
Conditional Access vs. RBAC
This distinction is critical for the exam:
- Conditional Access controls authentication — it decides whether you can sign in at all, and under what conditions.
- RBAC (Role-Based Access Control) controls authorization — after you have signed in, it decides what resources you can access and what actions you can perform.
They work in sequence: Conditional Access first, then RBAC. A user could pass Conditional Access (signed in from a trusted location with MFA) but still be denied access to a specific resource group because they lack the required RBAC role.
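To make the two-gate sequence concrete, here is a small Python model of a sign-in passing first through Conditional Access and then through RBAC. This is an added example, not Microsoft's evaluation engine and not code from the article: the tenant (user names, group names, the "ZZ" country code, the policy names, the subscription and resource-group scopes) is constructed, and the grant controls are reduced to block, require MFA, and require compliant device.

```python
"""Toy model of the sign-in pipeline described above: Conditional Access gates
authentication first, then RBAC gates authorization. Policies, role
assignments and sign-ins are constructed for illustration; this is not
Microsoft's evaluation engine."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple

RISK_ORDER = ["none", "low", "medium", "high"]

@dataclass
class SignIn:
    """The signals Conditional Access sees for one authentication attempt."""
    user: str
    groups: Set[str]
    country: str
    app: str
    device_compliant: bool
    mfa_completed: bool
    risk: str = "none"

@dataclass
class CAPolicy:
    """An if-then rule: every non-empty condition must match for the grant to apply."""
    name: str
    groups: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    min_risk: Optional[str] = None
    grant: str = "require_mfa"  # "block" | "require_mfa" | "require_compliant_device"

def policy_matches(p: CAPolicy, s: SignIn) -> bool:
    if p.groups and not (p.groups & s.groups):
        return False
    if p.apps and s.app not in p.apps:
        return False
    if p.countries and s.country not in p.countries:
        return False
    if p.min_risk and RISK_ORDER.index(s.risk) < RISK_ORDER.index(p.min_risk):
        return False
    return True

def evaluate_conditional_access(policies: List[CAPolicy], s: SignIn) -> str:
    """Authentication gate. A matching block policy always wins; otherwise every
    matched control must already be satisfied, else the first unmet one is returned."""
    matched = [p for p in policies if policy_matches(p, s)]
    if any(p.grant == "block" for p in matched):
        return "block"
    for p in matched:
        if p.grant == "require_mfa" and not s.mfa_completed:
            return "require_mfa"
        if p.grant == "require_compliant_device" and not s.device_compliant:
            return "require_compliant_device"
    return "allow"

@dataclass
class RoleAssignment:
    principal: str            # user or group
    actions: Tuple[str, ...]  # permitted actions, Azure-style wildcards
    scope: str                # inherited by every child scope

def rbac_permits(assignments: List[RoleAssignment], s: SignIn, action: str, resource: str) -> bool:
    """Authorization gate: some assignment to the user or one of their groups must
    cover the action at the resource's scope or at a parent scope."""
    principals = {s.user} | s.groups
    for a in assignments:
        if a.principal not in principals:
            continue
        if resource != a.scope and not resource.startswith(a.scope + "/"):
            continue
        if any(fnmatchcase(action, pattern) for pattern in a.actions):
            return True
    return False

def authorize(policies, assignments, s: SignIn, action: str, resource: str) -> str:
    """Conditional Access first, then RBAC, in the order the article describes."""
    ca = evaluate_conditional_access(policies, s)
    if ca != "allow":
        return "conditional access: " + ca
    if not rbac_permits(assignments, s, action, resource):
        return "rbac: denied"
    return "granted"

# Constructed tenant: names, scopes and the "ZZ" country code are illustrative.
POLICIES = [
    CAPolicy("Admins require MFA", groups={"Administrators"}, grant="require_mfa"),
    CAPolicy("Portal requires compliant device", apps={"Azure Portal"}, grant="require_compliant_device"),
    CAPolicy("Block countries without operations", countries={"ZZ"}, grant="block"),
    CAPolicy("Block high-risk sign-ins", min_risk="high", grant="block"),
]
ASSIGNMENTS = [
    RoleAssignment("Administrators", ("Microsoft.Storage/*",), "/subscriptions/sub-1/resourceGroups/rg-prod"),
    RoleAssignment("alice", ("Microsoft.Compute/virtualMachines/read",), "/subscriptions/sub-1"),
]
RG_PROD_SA = "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/sa1"
RG_DEV_SA = "/subscriptions/sub-1/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/sa2"

if __name__ == "__main__":
    alice = SignIn("alice", {"Administrators"}, "DE", "Azure Portal", device_compliant=True, mfa_completed=True)
    print(authorize(POLICIES, ASSIGNMENTS, alice, "Microsoft.Storage/storageAccounts/read", RG_PROD_SA))  # granted
    print(authorize(POLICIES, ASSIGNMENTS, alice, "Microsoft.Storage/storageAccounts/read", RG_DEV_SA))   # rbac: denied
```

The second call is the exam scenario from the paragraph above: the same user clears Conditional Access (trusted location, MFA done, compliant device) but is refused in rg-dev because her only role there is a Compute read assignment inherited from the subscription scope, and nothing grants her storage actions.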
Networking: VNet, VPN Gateway, ExpressRoute
Azure networking on the AZ-900 is tested at a conceptual level. You do not need to configure subnets or write routing rules, but you need to understand what each component does and when to use it.
Azure Virtual Network (VNet)
A VNet is the fundamental building block of networking in Azure. It enables Azure resources to communicate with each other, the internet, and on-premises networks. Key facts for the exam:
- VNets are scoped to a single region
- VNets can be connected to each other via VNet peering (even across regions — called global VNet peering)
- Subnets segment a VNet into smaller address ranges
- Network Security Groups (NSGs) filter traffic at the subnet or NIC level
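The last bullet is where practitioners get burned, so here is an added Python model of how an NSG actually filters an inbound flow. It is not Azure's own data-plane code and not from the article: the rules and flows are constructed, and the VirtualNetwork and AzureLoadBalancer service tags in Azure's default rules are approximated by fixed address prefixes (an assumption made for the example). It goes slightly beyond the bullet by showing two things the exam only implies: rules are processed in ascending priority order with the first match deciding, and a subnet NSG and a NIC NSG both get a say on the same packet.

```python
"""Toy model of Network Security Group filtering: rules are evaluated in
ascending priority order (lower number first), the first match decides, and
Azure's default rules at priority 65000+ catch whatever is left. Rules and
flows are constructed; this is not Azure's own data-plane code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    priority: int      # 100-4096 for custom rules; defaults use 65000+
    name: str
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR prefix or "*"
    dest_port: str     # "22", "80-443" or "*"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    protocol: str
    dest_port: int

# Azure's default inbound rules. The VirtualNetwork and AzureLoadBalancer
# service tags are modelled as fixed prefixes here (assumption for the example).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVNetInBound", "Allow", "*", "10.0.0.0/8", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "168.63.129.16/32", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
]

def port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port

def source_matches(rule_source: str, ip: str) -> bool:
    return rule_source == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_source)

def rule_matches(r: Rule, f: Flow) -> bool:
    return (r.protocol in ("*", f.protocol)
            and source_matches(r.source, f.src_ip)
            and port_matches(r.dest_port, f.dest_port))

def evaluate_nsg(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (access, rule name) from the first matching rule by priority."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda rule: rule.priority):
        if rule_matches(r, flow):
            return r.access, r.name
    return "Deny", "implicit"  # unreachable: DenyAllInBound matches everything

def inbound_allowed(subnet_rules: Optional[List[Rule]], nic_rules: Optional[List[Rule]], flow: Flow) -> bool:
    """Inbound traffic is checked by the subnet NSG first, then the NIC NSG;
    a deny at either level stops it."""
    for rules in (subnet_rules, nic_rules):
        if rules is not None and evaluate_nsg(rules, flow)[0] == "Deny":
            return False
    return True

# Constructed example: a web subnet that admits HTTPS from anywhere and SSH only
# from a management subnet. Priorities matter: swap 100 and 200 and the broad
# deny would shadow the narrow allow.
SUBNET_RULES = [
    Rule(100, "AllowSshFromMgmt", "Allow", "Tcp", "10.0.1.0/24", "22"),
    Rule(110, "AllowHttpsInbound", "Allow", "Tcp", "*", "443"),
    Rule(200, "DenySshFromAnywhere", "Deny", "Tcp", "*", "22"),
]
# NIC-level NSG on a database VM in that subnet: no HTTPS even though the subnet allows it.
DB_NIC_RULES = [Rule(100, "DenyHttpsOnDbNic", "Deny", "Tcp", "*", "443")]

if __name__ == "__main__":
    for f in (Flow("203.0.113.5", "Tcp", 22), Flow("10.0.1.7", "Tcp", 22),
              Flow("203.0.113.5", "Tcp", 443), Flow("203.0.113.5", "Udp", 53)):
        print(f, "->", evaluate_nsg(SUBNET_RULES, f))
```

Two habits fall out of this model when reviewing real NSGs: read the rule list sorted by priority, not in the order the portal happens to show it, and remember that a permissive subnet NSG can still be narrowed per VM by a NIC-level NSG (and vice versa, a permissive NIC NSG is still bounded by the subnet's rules).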
VPN Gateway vs. ExpressRoute
| Feature | VPN Gateway | ExpressRoute |
|---|---|---|
| Connection Type | Encrypted tunnel over the public internet | Private, dedicated connection (does NOT traverse the internet) |
| Bandwidth | Up to ~1.25 Gbps | Up to 100 Gbps |
| Latency | Variable (internet-dependent) | Low, consistent, predictable |
| Cost | Lower | Significantly higher |
| Best For | Small to medium workloads, dev/test | Mission-critical, high-bandwidth, low-latency workloads |
If the question says "private connection that does not go over the public internet," the answer is ExpressRoute. If it mentions "encrypted tunnel over the internet" or "site-to-site VPN," the answer is VPN Gateway. The exam tests this distinction frequently.
Azure Arc: Extending Azure Beyond Azure
Azure Arc is a relatively new addition to the AZ-900 blueprint that gained more emphasis in the January 2026 update. It bridges the gap between Azure and non-Azure environments.
What Azure Arc Does
Azure Arc lets you project non-Azure resources into Azure Resource Manager. This means you can manage on-premises servers, Kubernetes clusters running anywhere, and even resources in AWS or GCP as if they were native Azure resources. Once a resource is Arc-enabled, you can:
- Apply Azure Policy for compliance
- Assign RBAC roles for access control
- Use Azure tags for organization and billing
- Monitor with Azure Monitor
- Deploy configurations with Azure Automation
What Arc Can Manage
| Resource Type | Description |
|---|---|
| Arc-enabled servers | Physical and virtual servers running Windows or Linux outside of Azure |
| Arc-enabled Kubernetes | Kubernetes clusters running on-premises or in other clouds |
| Arc-enabled data services | Azure SQL Managed Instance and PostgreSQL running outside Azure |
Domain 2 Cheat Sheet
Use this quick-reference summary for your final review before the exam:
| Topic | Key Fact to Remember |
|---|---|
| Only IaaS compute | Virtual Machines |
| Serverless compute | Azure Functions (event-driven, pay per execution) |
| Simplest container option | Azure Container Instances (no orchestration) |
| Highest storage redundancy | GZRS (zone + geo replication, 6 copies) |
| Legacy protocols (LDAP/Kerberos) | Microsoft Entra Domain Services |
| Modern identity and SSO | Microsoft Entra ID |
| Gates authentication (sign-in) | Conditional Access |
| Gates authorization (resources) | RBAC |
| Private, dedicated connection | ExpressRoute |
| Encrypted tunnel over internet | VPN Gateway |
| Manage non-Azure resources from Azure | Azure Arc |
| Cheapest storage, slowest retrieval | Archive tier |
Master these distinctions and you will be well-prepared for Domain 2. Combined with solid preparation on Domains 1 and 3, this knowledge will get you past the 700-point threshold with room to spare.