AZ-900 Exam Traps: Management, Governance and Pricing Questions Most Candidates Get Wrong
Five common AZ-900 traps that catch even well-prepared candidates. Covers Azure Policy vs RBAC vs Resource Locks, the ReadOnly lock surprise, Pricing Calculator vs TCO Calculator vs Cost Management, IaaS vs PaaS classification errors, and availability zones vs availability sets. Includes quick-reference tables and 5 practice questions with full explanations.
You have studied all three AZ-900 domains. You know the difference between IaaS and PaaS, you can name the storage redundancy options, and you understand Microsoft Entra ID. Then you sit down on exam day and encounter questions that seem designed to trick you — because they are.
The AZ-900 Microsoft Azure Fundamentals exam includes questions that test subtle distinctions, not just surface-level knowledge. Domain 3 (Management and Governance, 30-35%) is particularly dangerous because many of its tools sound similar but serve completely different purposes. This guide covers the five most common traps that cause candidates to fail, with quick-reference tables and 5 practice questions in exam format.
Trap #1: Azure Policy vs. RBAC vs. Resource Locks — Different Mechanisms, Different Purposes
This is the single most confused topic in Domain 3. All three are governance tools. All three restrict what can happen in your Azure environment. But they work in completely different ways and answer completely different questions.
| Tool | Question It Answers | What It Does | Example |
|---|---|---|---|
| Azure Policy | "What resources are ALLOWED to exist?" | Enforces rules about resource properties. Evaluates compliance. Can deny creation, audit, or auto-remediate. | "All storage accounts must use HTTPS." "VMs can only be created in East US." |
| RBAC | "WHO can do WHAT?" | Controls user permissions on Azure resources. Assigns roles (Reader, Contributor, Owner) at a scope. | "User A can read VMs in Resource Group X." "User B can manage storage accounts in Subscription Y." |
| Resource Locks | "Can this resource be CHANGED or DELETED?" | Prevents accidental modification or deletion. Two types: ReadOnly and Delete. | "The production database cannot be deleted by anyone." "The VNet cannot be modified." |
"Enforce compliance" or "allowed locations" = Azure Policy
"Who can access" or "role assignment" = RBAC
"Prevent deletion" or "prevent changes" = Resource Locks
Memorize these keywords and you will answer 90% of governance questions correctly.
The trap: exam questions will describe a scenario where a company wants to "prevent users from creating virtual machines in unauthorized regions." Students who focus on the word "prevent" choose Resource Locks. But this is about which resources can exist and their properties — that is Azure Policy. Resource Locks prevent changes to existing resources; Azure Policy controls what properties new (and existing) resources can have.
Trap #2: Resource Lock ReadOnly — Even Owner Cannot Modify
Most candidates understand the Delete lock: it prevents anyone from deleting a resource. Simple enough. The trap is the ReadOnly lock, which behaves in a way that surprises even experienced Azure administrators.
A ReadOnly lock does exactly what the name says: it makes the resource read-only. This means:
- No one can modify the resource — not Contributors, not Owners, not even Global Administrators
- To make any change, someone must first remove the lock, make the change, then reapply the lock
- The lock applies regardless of RBAC permissions — even the Owner role is restricted
| Lock Type | Can Read? | Can Modify? | Can Delete? |
|---|---|---|---|
| No lock | Yes (with RBAC) | Yes (with RBAC) | Yes (with RBAC) |
| Delete lock | Yes (with RBAC) | Yes (with RBAC) | No — must remove lock first |
| ReadOnly lock | Yes (with RBAC) | No — must remove lock first | No — must remove lock first |
If the question says "a user with the Owner role tries to modify a resource that has a ReadOnly lock," the answer is: the modification fails. The lock overrides RBAC. This catches candidates who assume Owner can do anything. Locks are a separate layer from RBAC.
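The layering described in Traps #1 and #2, as an added example that is not part of the original guide: a simplified Python model (not Azure's implementation) in which RBAC, Resource Locks and Azure Policy each check a request independently and any one of them can deny it. The role-to-action map, the order of the checks, and the resource names and regions are assumptions made for the illustration.

```python
# Simplified model of the three governance layers (illustrative, not Azure's code).
from dataclasses import dataclass
from typing import Optional

# Assumption: coarse actions per role. Only Owner can manage locks here,
# mirroring the Microsoft.Authorization/locks/* permission mentioned in the guide.
ROLE_ACTIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
    "Owner": {"read", "write", "delete", "manage_locks"},
}
# Actions each lock type blocks, per the lock table above.
LOCK_BLOCKS = {None: set(), "Delete": {"delete"}, "ReadOnly": {"write", "delete"}}


@dataclass
class Resource:
    name: str
    location: str
    lock: Optional[str] = None  # None, "Delete" or "ReadOnly"


def evaluate(role, action, resource, allowed_locations, creating=False):
    """Return (allowed, deciding_layer). Check order is an assumption of this model."""
    # RBAC: WHO can do WHAT.
    if action not in ROLE_ACTIONS.get(role, set()):
        return False, "RBAC"
    # Resource Locks: apply to existing resources, whatever the caller's role.
    if not creating and action in LOCK_BLOCKS[resource.lock]:
        return False, "ResourceLock"
    # Azure Policy: which resource properties are allowed (here: location).
    if action == "write" and resource.location not in allowed_locations:
        return False, "AzurePolicy"
    return True, "allowed"


def remove_lock(role, resource):
    """Removing a lock is itself a permissioned action."""
    if "manage_locks" not in ROLE_ACTIONS.get(role, set()):
        return False
    resource.lock = None
    return True


if __name__ == "__main__":
    allowed = {"westeurope", "northeurope"}  # constructed sample values
    db = Resource("prod-db", "westeurope", lock="ReadOnly")
    print(evaluate("Owner", "write", db, allowed))    # denied by the lock layer
    print(evaluate("Reader", "delete", db, allowed))  # denied by RBAC
    vm = Resource("vm1", "eastus")
    print(evaluate("Contributor", "write", vm, allowed, creating=True))  # denied by policy
    print(remove_lock("Owner", db), evaluate("Owner", "write", db, allowed))
```
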
Trap #3: Pricing Calculator vs. TCO Calculator vs. Cost Management
Azure has three cost-related tools that candidates routinely mix up. Each one serves a different purpose at a different stage of your cloud journey:
| Tool | Purpose | When You Use It | Requires Azure Subscription? |
|---|---|---|---|
| Azure Pricing Calculator | Estimate cost of specific Azure services | Before deployment — planning what to buy | No — free web tool |
| TCO Calculator | Compare cost of on-premises vs Azure | Before migration — building a business case | No — free web tool |
| Microsoft Cost Management | Monitor, analyze, and optimize current Azure spending | After deployment — tracking what you are spending | Yes — built into the Azure portal |
The trap appears in two forms:
- Form 1: "A company wants to estimate how much they will save by migrating their on-premises datacenter to Azure." Many candidates pick the Pricing Calculator. Wrong — TCO (Total Cost of Ownership) Calculator is specifically designed to compare on-prem costs against Azure costs, including hidden on-prem expenses like power, cooling, and staffing.
- Form 2: "A company wants to analyze their current Azure spending and set budget alerts." Candidates who remember "calculator" pick one of the calculators. Wrong — this is about monitoring existing spend, which is Microsoft Cost Management.
Comparing on-prem vs cloud (before migration) = TCO Calculator
Estimating cost of new Azure services (before deployment) = Pricing Calculator
Monitoring and optimizing current spend (after deployment) = Cost Management
Think of it as a timeline: TCO first (should we migrate?), Pricing Calculator second (what will it cost?), Cost Management third (how do we optimize?).
Trap #4: IaaS vs. PaaS Classification — Who Patches the OS?
The IaaS vs PaaS distinction seems straightforward until the exam gives you a specific service and asks you to classify it. The trap is that candidates memorize "IaaS means more control" without understanding the practical test: who is responsible for patching the operating system?
| Service | Classification | Who Patches the OS? |
|---|---|---|
| Azure Virtual Machines | IaaS | Customer |
| Azure App Service | PaaS | Azure |
| Azure SQL Database | PaaS | Azure |
| Azure Functions | PaaS (Serverless) | Azure |
| SQL Server on Azure VM | IaaS | Customer |
| Microsoft 365 | SaaS | Microsoft |
| Azure Kubernetes Service (AKS) | PaaS | Azure (node OS images) |
| Azure Virtual Desktop | PaaS | Azure (infrastructure); Customer (session host images) |
The key trap: SQL Server on an Azure VM is IaaS, not PaaS. The customer is responsible for patching the OS and the SQL Server engine. But Azure SQL Database is PaaS — Microsoft manages everything underneath. The exam loves to test this distinction because the words "SQL" and "Azure" appear in both.
Trap #5: Availability Zones vs. Availability Sets
Both protect against failures. Both improve uptime. But they protect against different types of failures at different scales:
| Feature | Availability Zones | Availability Sets |
|---|---|---|
| What It Is | Physically separate datacenters within a region | Logical grouping of VMs within a single datacenter |
| Protects Against | Entire datacenter failure (power, cooling, networking) | Hardware failures and planned maintenance within a datacenter |
| SLA | 99.99% (with 2+ VMs across 2+ zones) | 99.95% (with 2+ VMs in the set) |
| Minimum Zones/Domains | 3 zones per supported region | Up to 3 fault domains, up to 20 update domains |
| Scale | Region level (across datacenters) | Datacenter level (within a single datacenter) |
| When to Use | Mission-critical workloads that need highest availability | Workloads in regions that do not support availability zones, or legacy configurations |
Think of availability zones as separate buildings (datacenters) in the same city (region). Think of availability sets as separate racks within the same building. Zones protect against a building going down. Sets protect against a rack going down. If the question mentions "datacenter failure" or "highest SLA," the answer is availability zones.
Quick-Reference Tables
Service Classification (IaaS / PaaS / SaaS)
| IaaS | PaaS | SaaS |
|---|---|---|
| Virtual Machines | Azure App Service | Microsoft 365 |
| Azure Disk Storage | Azure SQL Database | Microsoft Teams |
| Azure Virtual Network | Azure Functions | Dynamics 365 |
| Azure Load Balancer | Azure Cosmos DB | Power BI (service) |
| SQL Server on Azure VM | Azure Kubernetes Service | Azure DevOps (hosted) |
Governance Tools
| Tool | Purpose | Keyword Trigger |
|---|---|---|
| Azure Policy | Enforce standards and compliance on resources | "enforce," "compliance," "allowed locations," "require tags" |
| RBAC | Control who can access and manage resources | "role," "permission," "who can," "access control" |
| Resource Locks | Prevent accidental deletion or modification | "prevent deletion," "accidental change," "lock" |
| Azure Blueprints | Package policies, RBAC, ARM templates for repeatable environments | "repeatable environment," "subscription setup," "governance package" |
| Management Groups | Organize subscriptions and apply governance across them | "multiple subscriptions," "hierarchy," "organization-wide" |
| Tags | Organize and categorize resources with metadata | "categorize," "cost allocation," "department tracking" |
Monitoring Tools
| Tool | Purpose |
|---|---|
| Azure Monitor | Collect and analyze telemetry from Azure resources. Metrics, logs, alerts. |
| Azure Service Health | Track Azure platform incidents, planned maintenance, and health advisories. |
| Azure Advisor | Personalized recommendations for cost, security, reliability, performance, operational excellence. |
| Microsoft Cost Management | Analyze spending, set budgets, create spending alerts. |
5 Practice Questions
Test yourself with these exam-format questions. Each one targets a specific trap discussed in this guide.
A company wants to ensure that all Azure virtual machines are deployed only in the West Europe and North Europe regions. Which Azure feature should they use?
A. Azure Resource Locks
B. Azure RBAC
C. Azure Policy
D. Azure Blueprints
Azure Policy enforces rules about resource properties, including allowed locations. You create a policy with the "Allowed locations" built-in definition and assign it to the subscription. Resource Locks prevent changes to existing resources, not where new resources can be created. RBAC controls who can perform actions, not which regions are allowed. Azure Blueprints can include policies, but the specific mechanism is Azure Policy itself.
A user with the Owner role on a resource group tries to delete a storage account that has a Delete lock applied. What happens?
A. The storage account is deleted because Owner has full permissions
B. The deletion fails and the user must first remove the lock
C. The deletion succeeds but is logged as a warning in Azure Monitor
D. The deletion is queued and completes after 24 hours
Resource locks override RBAC permissions. Even the Owner role cannot delete a resource with a Delete lock. The user must first remove the lock (which requires the Microsoft.Authorization/locks/* permission), then delete the resource. This is by design — locks exist precisely to prevent accidental actions by users who have permission to perform those actions.
A company is evaluating whether to migrate their on-premises datacenter to Azure. They need to compare the total cost of running workloads on-premises versus running them in Azure, including factors like electricity, cooling, and IT staff. Which tool should they use?
A. Azure Pricing Calculator
B. Microsoft Cost Management
C. Azure TCO Calculator
D. Azure Advisor
The TCO (Total Cost of Ownership) Calculator is designed specifically for comparing on-premises costs against Azure costs. It accounts for hidden on-premises expenses like electricity, cooling, networking hardware, IT labor, and datacenter space. The Pricing Calculator estimates costs for specific Azure services but does not model on-premises costs. Cost Management monitors existing Azure spending. Azure Advisor provides optimization recommendations for resources already running in Azure.
A company runs SQL Server on an Azure Virtual Machine. Which cloud service model best describes this deployment, and who is responsible for patching the operating system?
A. PaaS — Microsoft is responsible for patching the OS
B. IaaS — The customer is responsible for patching the OS
C. SaaS — Microsoft is responsible for patching the OS
D. IaaS — Microsoft is responsible for patching the OS
SQL Server running on an Azure Virtual Machine is IaaS. The customer has full control over the VM, including the operating system and the SQL Server installation. This means the customer is responsible for patching both the OS and the SQL Server engine. This is different from Azure SQL Database (PaaS), where Microsoft manages the underlying infrastructure, OS, and database engine patching. The key distinction: if it runs ON a VM, it is IaaS regardless of what software is installed.
A company needs to deploy a mission-critical application with the highest possible availability SLA in Azure. The application runs on multiple virtual machines. Which feature should they use to distribute VMs across physically separate datacenters within the same Azure region?
A. Availability sets
B. Availability zones
C. Azure region pairs
D. Update domains
Availability zones are physically separate datacenters within an Azure region. Each zone has independent power, cooling, and networking. Deploying VMs across 2+ availability zones provides a 99.99% SLA — the highest for VM deployments. Availability sets distribute VMs across fault domains and update domains within a single datacenter (99.95% SLA). Region pairs are for disaster recovery across different geographic areas, not high availability within a region. Update domains are a component of availability sets, not a standalone feature.
If you got all five questions right, you have a strong grasp of the AZ-900 governance and management traps. If you missed any, review the corresponding trap section above and practice more questions on that topic before taking the real exam.