Reference

Domain 2: Describe Azure Architecture and Services (35-40%)

Domain 2 is the largest domain on the AZ-900 Microsoft Azure Fundamentals exam, representing 35-40% of the total score -- roughly 14-24 questions out of the approximately 40-60 total. A score of 700 or greater (on a 1000-point scale) is required to pass. The exam was last updated January 14, 2026, with minor changes to the "Describe Azure identity, access, and security" sub-domain. (AZ-900 Study Guide)

This domain covers four sections:

Describe the core architectural components of Azure
Describe Azure compute and networking services
Describe Azure storage services
Describe Azure identity, access, and security

2.1 Describe the Core Architectural Components of Azure

Azure Regions

An Azure region is a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network. Azure has 60+ regions across more than 140 countries, making it the cloud provider with the most global regions. (Azure Regions Overview)

Key facts for the exam:

Each region is a distinct geographic area containing one or more datacenters.
Not all Azure services are available in every region. When deploying resources, you choose a region based on service availability, compliance needs, and proximity to users.
Some resources are global (not tied to a region), such as Azure DNS, Microsoft Entra ID, Azure Front Door, and Azure Traffic Manager.

Examples of commonly referenced regions:

Region Name	Location	Notes
East US	Virginia	One of the largest, most feature-complete regions
West Europe	Netherlands	Primary region for European workloads
Southeast Asia	Singapore	Primary region for Asia-Pacific
Brazil South	Sao Paulo	Only South American region (paired with South Central US)

Region Pairs

Most Azure regions are paired with another region in the same geography, typically at least 300 miles (480 km) apart. Region pairs provide a foundation for disaster recovery. (Azure Region Pairs)

Key characteristics of region pairs:

Microsoft-selected: You cannot choose your own pair. The paired secondary region is determined by the primary region.
Sequential updates: During planned maintenance, Azure updates paired regions one at a time to minimize simultaneous downtime.
Data residency: Paired regions reside within the same geography (with one exception: Brazil South pairs with South Central US, which is outside Brazil).
Geo-redundant storage replication: GRS/RA-GRS and GZRS/RA-GZRS automatically replicate data to the paired region.

Common region pairs to know:

Primary Region	Paired Region
East US	West US
East US 2	Central US
West Europe	North Europe
Southeast Asia	East Asia
UK South	UK West
Brazil South	South Central US

**Exam trap:**Newer regions may not have a traditional pair. These nonpaired regions rely on availability zones and allow you to choose your own secondary region for geo-redundancy. Do not assume every region has a pair.

Sovereign Regions

Sovereign regions are physically and logically isolated instances of Azure that meet strict regulatory and compliance requirements for specific governments. They are separate from the commercial Azure cloud -- you cannot peer networks or transfer subscriptions between them. (Azure Regions Overview)

Sovereign Cloud	Regions	Operated By	Use Case
Azure Government	US Gov Virginia, US Gov Texas, US Gov Arizona, US DoD Central, US DoD East	Microsoft (US-screened personnel)	US federal, state, local, and tribal governments and their partners
Azure China	China East, China East 2, China North, China North 2	21Vianet (not Microsoft)	Organizations with data that must remain in China

**Exam trap:**Azure Government and Azure China are completely separate from commercial Azure. They have separate portals, separate subscriptions, and separate identity systems. Azure China is operated by 21Vianet, not Microsoft directly.

Availability Zones

Availability zones are physically separate locations within an Azure region, each with independent power, cooling, and networking. A region that supports availability zones has a minimum of three separate zones. They are designed so that if one zone fails, the remaining zones continue operating. (Availability Zones Overview)

Key facts:

Zones within a region are typically separated by several kilometers but are within 100 km of each other.
Inter-zone latency target: less than approximately 2 milliseconds round-trip.
Azure does not charge for data transfer between availability zones in the same region.
Zone numbers are logical, not physical. Zone 1 in your subscription may map to a different physical datacenter than Zone 1 in another subscription.
Not all regions support availability zones. Check the regions list.

Zone-redundant vs. Zonal resources:

Deployment Type	Description	Who Manages Failover	Example
Zone-redundant	Data/resources are automatically replicated or distributed across multiple zones	Microsoft (automatic)	Zone-redundant Storage (ZRS), SQL Database zone-redundant
Zonal	Resource is deployed to a specific zone you choose	You (manual)	A VM pinned to Zone 2
Nonzonal (regional)	Resource has no zone affinity; Azure places it anywhere in the region	Neither (no zone guarantee)	A VM with no zone specified

**Exam trap:**Do not confuse availability zones with availability sets. Availability zones protect against entire datacenter failures (zone-level). Availability sets protect against rack-level failures within a single datacenter using fault domains and update domains. Zones are the stronger protection.

Azure Datacenters

Azure datacenters are the physical buildings that house servers, networking equipment, and storage. They are the foundation of Azure's global infrastructure. You never interact with datacenters directly -- you interact with regions and zones. Key exam point: a single availability zone can contain one or more datacenters. (Availability Zones Overview)

Azure Resources and Resource Groups

An Azure resource is any manageable item in Azure: a VM, storage account, database, virtual network, web app, etc. A resource group is a logical container that holds related resources. (Azure Resource Manager Overview)

Rules to memorize:

Rule	Detail
One group only	A resource can belong to exactly one resource group at a time
Cross-region	A resource group can contain resources from multiple regions
Group region	The resource group itself has a region (stores metadata there), but resources inside it can be in any region
Cannot nest	Resource groups cannot be nested inside other resource groups
Deletable	Deleting a resource group deletes all resources inside it
RBAC scoping	Permissions can be applied at the resource group level and inherited by all resources within

**Exam trap:**The resource group's location does not restrict where resources inside it can be deployed. A resource group in East US can contain VMs in West Europe.

Subscriptions

An Azure subscription is a logical unit of Azure services linked to an Azure account. It serves as both a billing boundary (charges are aggregated and billed per subscription) and an access control boundary (you can apply policies and RBAC at the subscription level). (Azure Subscription Overview)

Key points:

An Azure account can have multiple subscriptions (e.g., separate subscriptions for Dev, Test, and Production).
Each subscription has limits/quotas (e.g., maximum number of VMs, storage accounts per region).
Subscriptions can be used to separate environments, departments, or billing owners.

Management Groups

Management groups provide a level of scope above subscriptions. You organize subscriptions into management groups and apply governance conditions (Azure Policy, RBAC) to the management group. All subscriptions within a management group automatically inherit those conditions. (Management Groups Overview)

Key facts:

Up to six levels of depth (not counting the root or subscription level).
A single directory (tenant) supports up to 10,000 management groups.
Each management group can have multiple children but only one parent.
The root management group is at the top; it cannot be moved or deleted.

The Resource Hierarchy

The complete hierarchy from top to bottom:

Azure AD Tenant (Microsoft Entra ID)
  └── Root Management Group
        └── Management Groups (up to 6 levels deep)
              └── Subscriptions
                    └── Resource Groups
                          └── Resources

Policies and RBAC assignments inherit downward. A policy applied at a management group is inherited by all subscriptions, resource groups, and resources beneath it.

**Exam trap:**You cannot move a subscription between Azure AD tenants easily. The hierarchy is: Management Groups > Subscriptions > Resource Groups > Resources. Management Groups are optional -- many organizations use subscriptions directly under the root.

2.2 Describe Azure Compute and Networking Services

Compute Types Comparison

Feature	Virtual Machines	Containers	Azure Functions
Service model	IaaS	PaaS (ACI) / PaaS+IaaS (AKS)	Serverless (FaaS)
OS management	You manage the full OS	Runtime environment only	None -- code only
Startup time	Minutes	Seconds	Milliseconds to seconds
Scaling	VM Scale Sets (manual/auto)	Container orchestration (AKS)	Automatic, event-driven
Billing	Per-second while running	Per-second of container runtime	Per execution + execution time
Best for	Lift-and-shift, full OS control	Microservices, rapid deployment	Event-driven, intermittent tasks

(Azure Compute Overview)

Virtual Machine Options

Azure Virtual Machines are on-demand, scalable computing resources that give you the flexibility of virtualization without having to buy and maintain physical hardware. (Azure VMs Overview)

Azure Virtual Machine Scale Sets let you create and manage a group of identical, load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or on a defined schedule. Scale Sets provide high availability by distributing VMs across fault domains and availability zones.

Availability Sets group VMs to protect against hardware failures within a single datacenter. They use two mechanisms:

Mechanism	Purpose	Default Count
Fault domains	Separate VMs across different physical racks (separate power/network)	Up to 3
Update domains	Ensure only one group of VMs is rebooted during planned maintenance at a time	Up to 20

Azure Virtual Desktop (AVD) is a desktop and app virtualization service running in the cloud. It provides a full Windows desktop experience accessible from any device. Key points: supports multi-session Windows 11/10, integrates with Microsoft 365 Apps, and allows you to reduce costs through multi-session capabilities.

Resources Required for a VM

When you create a VM, Azure also requires or creates:

Resource	Required?	Purpose
Virtual network (VNet) and subnet	Yes	Network connectivity
Network interface (NIC)	Yes	Connects VM to VNet
OS disk (managed disk)	Yes	Stores the operating system
Public IP address	Optional	Allows internet-facing access
Network Security Group (NSG)	Recommended	Firewall rules (inbound/outbound)
Data disks	Optional	Additional storage

**Exam trap:**A VM always requires a VNet, NIC, and OS disk. A public IP is optional -- many VMs only need private connectivity.

Application Hosting Options

Azure App Service is a fully managed PaaS for hosting web apps, REST APIs, and mobile back ends. It supports multiple languages (.NET, Java, Node.js, Python, PHP, Ruby). Key features: built-in autoscaling, CI/CD integration, deployment slots for staging, and custom domain/SSL support. You pay for the App Service Plan, not individual apps.

Azure Container Instances (ACI) is the fastest and simplest way to run a container in Azure without managing VMs. It is a PaaS offering supporting both Linux and Windows containers. Best for simple scenarios, burst workloads, or short-lived tasks. (ACI Overview)

Azure Kubernetes Service (AKS) is a managed Kubernetes container orchestration service. Azure manages the Kubernetes control plane; you manage the worker nodes. Best for complex microservices architectures that need advanced scaling, networking, and service discovery.

Hosting Option	Model	Control Level	Best For
Azure App Service	PaaS	Low (managed)	Web apps, APIs, mobile backends
Azure Container Instances	PaaS	Medium	Simple containers, burst tasks
Azure Kubernetes Service	Managed orchestrator	High	Complex microservices at scale
Azure Virtual Machines	IaaS	Full	Lift-and-shift, custom OS needs

Virtual Networking

Azure Virtual Network (VNet) is the fundamental building block for private networking in Azure. VNets enable Azure resources to securely communicate with each other, the internet, and on-premises networks. VNets are scoped to a single region but can connect to VNets in other regions via peering. (VNet Overview)

Subnets segment a VNet into smaller address ranges. Each subnet can have its own NSG and route table. Resources within different subnets of the same VNet can communicate by default.

VNet Peering connects two VNets so resources in either VNet can communicate with each other. Traffic uses the Microsoft backbone network (private, not the public internet). Two types:

Type	Scope	Latency
Regional peering	Same Azure region	Lowest
Global VNet peering	Different Azure regions	Slightly higher (but still backbone)

Peering is non-transitive: if VNet A peers with VNet B and VNet B peers with VNet C, VNet A cannot reach VNet C unless A also peers with C (or you configure gateway transit). (VNet Peering)

Azure DNS is a hosting service for DNS domains that provides name resolution using Microsoft Azure infrastructure. It does not let you buy domain names -- you must purchase them from a third-party registrar. Azure DNS supports both public DNS zones (internet-facing) and private DNS zones (VNet-internal resolution). (Azure DNS Overview)

Azure VPN Gateway sends encrypted traffic between an Azure VNet and an on-premises location over the public internet, or between Azure VNets. Two connection types to know:

Type	Description	Use Case
Site-to-site (S2S)	Connects an on-premises network to an Azure VNet over an IPsec/IKE tunnel	Branch office to Azure
Point-to-site (P2S)	Connects a single device to an Azure VNet	Remote worker's laptop to Azure

VPN Gateway uses the public internet but encrypts all traffic. Maximum throughput varies by SKU (up to ~10 Gbps for VpnGw5).

Azure ExpressRoute provides a private, dedicated connection between your on-premises infrastructure and Azure through a connectivity provider. Traffic does not traverse the public internet. (ExpressRoute Overview)

Key ExpressRoute facts:

Bandwidth options from 50 Mbps to 100 Gbps.
Higher reliability, faster speeds, lower latencies than VPN.
Supports access to Microsoft 365, Dynamics 365, and Azure services.
More expensive than VPN Gateway.
Requires a connectivity provider (e.g., Equinix, AT&T, Verizon).

Feature	VPN Gateway	ExpressRoute
Connection	Over public internet (encrypted)	Private dedicated circuit
Bandwidth	Up to ~10 Gbps	Up to 100 Gbps
Latency	Variable (internet-dependent)	Consistent, low
Cost	Lower	Higher
Encryption	Built-in IPsec	Not encrypted by default (optional)

**Exam trap:**ExpressRoute is not encrypted by default. If you need encryption over ExpressRoute, you can configure a VPN tunnel over the ExpressRoute circuit (ExpressRoute + VPN). Many candidates assume "private connection" means "encrypted" -- it does not.

Load Balancing Options

Azure provides two primary load balancing services. The key distinction is the OSI layer at which they operate. (Azure Load Balancing Overview)

Feature	Azure Load Balancer	Azure Application Gateway
OSI Layer	Layer 4 (Transport — TCP/UDP)	Layer 7 (Application — HTTP/HTTPS)
Traffic type	Any TCP/UDP traffic	HTTP/HTTPS web traffic only
Routing decisions	Based on IP address and port	Based on URL path, host headers, cookies
SSL/TLS termination	No	Yes (offloads SSL from backend servers)
Web Application Firewall (WAF)	No	Yes (optional, protects against OWASP threats)
Health probes	TCP, HTTP, HTTPS	HTTP, HTTPS
Use case	Non-HTTP workloads, database tiers, general TCP/UDP balancing	Web applications, API gateways, URL-based routing

**Exam trap:**Application Gateway operates at Layer 7 (HTTP/HTTPS-aware) and can make routing decisions based on URL paths. Load Balancer operates at Layer 4 and routes based only on IP and port. If a question mentions URL-based routing or WAF, the answer is Application Gateway. If it mentions general TCP/UDP balancing, the answer is Load Balancer.

Public and Private Endpoints

A public endpoint is accessible from the public internet via a public IP address. By default, many Azure PaaS services (Storage, SQL Database) have public endpoints.

A private endpoint uses a private IP address from your VNet to access an Azure service. Traffic between your VNet and the service travels over the Microsoft backbone network, eliminating exposure to the public internet. Private endpoints use Azure Private Link. (Private Link Overview)

**Exam trap:**Private endpoints do not replace the service -- they provide a private IP path to the same service. You can disable public access entirely, forcing all traffic through the private endpoint.

2.3 Describe Azure Storage Services

Azure Storage Services Comparison

Azure Storage provides several data services accessible through a single storage account. (Azure Storage Overview)

Service	Data Type	Protocol	Use Case
Blob Storage	Unstructured (objects)	REST/HTTP(S)	Images, videos, backups, documents, big data
Azure Files	File shares	SMB, NFS, REST	Lift-and-shift file shares, shared config files
Queue Storage	Messages (up to 64 KB each)	REST/HTTP(S)	Decoupling application components, async processing
Table Storage	Structured NoSQL (key-value)	REST/HTTP(S)	User data, device info, metadata catalogs
Disk Storage	Block-level volumes	Attached to VMs	OS disks, data disks for Azure VMs

Blob Storage types:

Blob Type	Use Case
Block blobs	Store text and binary data (most common -- documents, media)
Append blobs	Optimized for append operations (logging)
Page blobs	Random read/write operations (VHD files, disks)

Storage Tiers

Azure Blob Storage offers four access tiers. The tradeoff: colder tiers have lower storage costs but higher access/transaction costs. (Access Tiers Overview)

Tier	Storage Cost	Access Cost	Min Retention	Availability	Online/Offline
Hot	Highest	Lowest	None	99.9% (RA: 99.99%)	Online
Cool	Lower	Higher	30 days	99% (RA: 99.9%)	Online
Cold	Lower still	Higher still	90 days	99% (RA: 99.9%)	Online
Archive	Lowest	Highest	180 days	N/A (offline)	Offline

Key details:

Hot: Default tier. Best for data accessed frequently.
Cool: Data accessed infrequently but must be available immediately when needed. Minimum 30-day retention; early deletion charges apply.
Cold: Similar to Cool but for data accessed even less frequently. Minimum 90-day retention. Added to Azure as a tier between Cool and Archive.
Archive: Lowest cost storage, but data is offline. To read archived data, you must rehydrate it to an online tier (Hot, Cool, or Cold). Rehydration can take up to 15 hours (standard priority) or under 1 hour (high priority, at higher cost). Minimum 180-day retention.

**Exam trap:**Archive tier data is not accessible until rehydrated. It is not just "slow" -- it is completely offline. Also, the Archive tier is currently not supported with ZRS, GZRS, or RA-GZRS redundancy.

Storage Redundancy Options

Azure Storage always stores multiple copies of your data. The redundancy option determines how many copies, where, and whether you get read access to the secondary. (Azure Storage Redundancy)

Option	Copies	Primary Region	Secondary Region	Read Access (Secondary)	Durability (annual)
LRS	3	Single datacenter	None	N/A	11 nines (99.999999999%)
ZRS	3	3 availability zones	None	N/A	12 nines (99.9999999999%)
GRS	6	Single datacenter (LRS)	Single datacenter (LRS)	Only after failover	16 nines (99.99999999999999%)
RA-GRS	6	Single datacenter (LRS)	Single datacenter (LRS)	Yes (read-only, always)	16 nines
GZRS	6	3 availability zones (ZRS)	Single datacenter (LRS)	Only after failover	16 nines
RA-GZRS	6	3 availability zones (ZRS)	Single datacenter (LRS)	Yes (read-only, always)	16 nines

How to read the acronyms:

L = Locally (single datacenter), Z = Zone (across availability zones), G = Geo (to a secondary region), RA = Read-Access (read from secondary without failover)

Outage protection comparison:

Scenario	LRS	ZRS	GRS/RA-GRS	GZRS/RA-GZRS
Node failure in datacenter	Yes	Yes	Yes	Yes
Entire datacenter unavailable	No	Yes	Yes	Yes
Region-wide outage	No	No	Yes (failover needed)	Yes (failover needed)
Read access during primary outage	No	No	RA-GRS only	RA-GZRS only

Key details:

Geo-replication is asynchronous. There is a recovery point objective (RPO) -- typically less than 15 minutes for block blobs -- meaning recent writes may be lost if the primary region fails catastrophically.
The secondary endpoint for RA-GRS/RA-GZRS appends -secondary to the account name (e.g., myaccount-secondary.blob.core.windows.net).
Azure Files does not support RA-GRS or RA-GZRS.
Unmanaged disks do not support ZRS or GZRS.

**Exam trap:**The secondary region in GRS/GZRS is determined by the region pair and cannot be changed. Also, GRS without the RA prefix does not provide read access to the secondary until you initiate a failover. Many candidates confuse GRS with RA-GRS.

Storage Account Types

Account Type	Supported Services	Redundancy Options	Notes
Standard general-purpose v2	Blob, File, Queue, Table	LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS	Recommended for most scenarios
Premium block blobs	Blob (block blobs only)	LRS, ZRS	Low-latency, high transaction rates
Premium file shares	Azure Files only	LRS, ZRS	SSD-backed file shares
Premium page blobs	Page blobs only	LRS	High-performance unmanaged disks

**Exam trap:**Standard general-purpose v2 is the recommended account type. It supports all storage services and all redundancy options. Premium accounts support only LRS or ZRS (no geo-redundancy).

File Movement Tools

Tool	Type	Use Case
AzCopy	Command-line utility	Copy data to/from/between storage accounts; scriptable, supports SAS tokens and Azure AD auth
Azure Storage Explorer	GUI application (desktop)	Visual management of blobs, files, queues, tables across subscriptions; uses AzCopy under the hood
Azure File Sync	Sync service	Centralizes file shares in Azure Files while keeping local caching on Windows Server; multi-site sync

AzCopy is unidirectional (copy, not sync, though it has a sync command). Azure File Sync is ongoing synchronization between on-premises Windows file servers and Azure Files, with cloud tiering to keep frequently accessed files local and cold files in the cloud.

Migration Options

Tool	Use Case	Method
Azure Migrate	Discover, assess, and migrate on-premises servers, databases, web apps, and virtual desktops to Azure	Agent-based or agentless discovery; generates migration plans; supports VMware, Hyper-V, physical servers
Azure Data Box	Transfer large amounts of data (terabytes to petabytes) when network bandwidth is limited or costly	Physical device shipped to you; you load data onto it and ship it back to Microsoft; data is uploaded to Azure Storage

Azure Data Box variants:

Variant	Capacity	Use Case
Data Box Disk	Up to 35 TB (per order)	Smaller migrations
Data Box	Up to 80 TB	Medium migrations
Data Box Heavy	Up to 1 PB	Large-scale migrations

**Exam trap:**Azure Data Box is a physical (offline) transfer solution. It is not a network-based tool. Use it when transferring data over the network would take too long or cost too much.

2.4 Describe Azure Identity, Access, and Security

Microsoft Entra ID (formerly Azure AD)

Microsoft Entra ID is Microsoft's cloud-based identity and access management (IAM) service. Every Azure subscription is associated with a Microsoft Entra ID tenant. It is the identity backbone for Azure, Microsoft 365, and thousands of third-party SaaS applications. (What is Microsoft Entra ID)

Core capabilities:

Authentication: Verifies identity when signing in to applications and resources.
Single Sign-On (SSO): One set of credentials grants access to multiple applications.
Application management: Register and manage cloud and on-premises apps.
Device management: Register devices and apply policies via Intune integration.
B2B and B2C: External identity management for partners and customers.

Microsoft Entra ID vs. On-Premises AD DS:

Aspect	Microsoft Entra ID	Active Directory Domain Services (AD DS)
Deployment	Cloud-based (SaaS)	On-premises servers
Protocol	OAuth 2.0, OpenID Connect, SAML	Kerberos, NTLM, LDAP
Structure	Flat (no OUs, GPOs, forests, domains)	Hierarchical (OUs, GPOs, forests, domains, trusts)
Authentication	Internet-based, modern auth	Network-based, traditional auth
Queried via	Microsoft Graph API (REST)	LDAP queries
Federation	Built-in support for thousands of SaaS apps	Requires ADFS for cloud federation

**Exam trap:**Microsoft Entra ID is not a cloud version of Active Directory Domain Services. It is a fundamentally different service using different protocols. There is no LDAP, no Kerberos (natively), no Group Policy, and no OU structure in Entra ID.

Microsoft Entra Domain Services

Microsoft Entra Domain Services provides managed domain services -- domain join, group policy, LDAP, and Kerberos/NTLM authentication -- without deploying and managing domain controllers. It is designed for legacy applications that cannot use modern authentication protocols. (Entra Domain Services Overview)

Key point: Entra Domain Services syncs identities from Microsoft Entra ID. You do not manage the domain controllers -- Microsoft does.

Authentication Methods

Single Sign-On (SSO): Users authenticate once and get access to all connected applications without re-entering credentials. SSO reduces password fatigue and improves security by centralizing authentication. (SSO Overview)

Multifactor Authentication (MFA): Requires two or more verification factors from these categories:

Factor	Category	Examples
Something you know	Knowledge	Password, PIN
Something you have	Possession	Phone, hardware token, security key
Something you are	Inherence	Fingerprint, face scan, iris

MFA dramatically reduces the risk of compromised accounts. Microsoft reports MFA blocks over 99.9% of account compromise attacks.

Passwordless Authentication: Eliminates passwords entirely, replacing them with something you have plus something you are or know.

Method	Type	How It Works
Windows Hello for Business	Platform authenticator	Biometric (face/fingerprint) or PIN tied to the device; keys stored in TPM
FIDO2 security keys	Roaming authenticator (hardware)	Physical USB/NFC key; supports passkeys; phishing-resistant
Microsoft Authenticator app	Roaming authenticator (software)	Phone-based sign-in with biometric or PIN confirmation

(Passwordless Authentication)

External Identities

Microsoft Entra External ID handles identity for people outside your organization:

Type	Audience	Use Case
B2B collaboration	Partners, vendors, suppliers	Invite external users to access your apps using their own credentials (Gmail, corporate account)
B2C	Customers (consumers)	Build customer-facing apps with customizable sign-up/sign-in experiences

B2B users appear as guest users in your directory. B2C uses a separate, dedicated Entra External ID tenant.

Microsoft Entra Conditional Access

Conditional Access is the policy engine in Microsoft Entra ID. It evaluates signals during sign-in and enforces access controls based on those signals. Think of it as "if-then" rules for authentication. (Conditional Access Overview)

Signals (conditions) evaluated:

User or group membership
IP location (named locations, trusted networks)
Device platform and state (compliant, managed)
Application being accessed
Sign-in risk level (real-time risk detection)
Client application type

Decisions (access controls) enforced:

Allow access (no additional requirements)
Allow access with conditions (require MFA, require compliant device, require password change)
Block access (deny sign-in entirely)

Example: "If a user signs in from outside the corporate network, require MFA. If sign-in risk is high, block access entirely."

**Exam trap:**Conditional Access requires Microsoft Entra ID P1 or P2 licensing. It is not available in the Free tier. Also, Conditional Access evaluates signals and makes decisions at sign-in time, not continuously during a session (by default).

Azure Role-Based Access Control (RBAC)

Azure RBAC provides fine-grained access management for Azure resources. It follows the principle of least privilege. (RBAC Overview)

Three core concepts:

Concept	Description	Example
Security principal	Who needs access	User, group, service principal, managed identity
Role definition	What permissions are granted	Owner, Contributor, Reader, custom role
Scope	Where the permissions apply	Management group, subscription, resource group, or resource

Built-in roles to know:

Role	Permissions
Owner	Full access to all resources + can delegate access to others
Contributor	Can create and manage all resources but cannot assign roles
Reader	Can view resources but cannot make changes
User Access Administrator	Can manage user access (assign roles) but cannot manage resources

Scope hierarchy (broadest to narrowest):

Management Group → Subscription → Resource Group → Resource

RBAC assignments inherit downward. A Contributor role assigned at the subscription scope applies to all resource groups and resources within that subscription.

**Exam trap:**The key difference between Owner and Contributor is that Contributor cannot assign roles to other users. Both can create and manage resources. Also, RBAC is an allow model -- you assign allowed actions. There are also deny assignments, but they are less common and typically applied by Azure Blueprints.

Zero Trust Model

Zero Trust is a security model that assumes no implicit trust. Every request is fully authenticated, authorized, and encrypted before granting access. (Zero Trust Security)

The three guiding principles:

Principle	Meaning	Azure Implementation
Verify explicitly	Always authenticate and authorize based on all available data points	Conditional Access evaluating user, location, device, risk level
Least privilege access	Limit access to only what is needed, only when needed	Azure RBAC, Just-In-Time access, Privileged Identity Management
Assume breach	Minimize blast radius and segment access; verify end-to-end encryption; use analytics for threat detection	Network segmentation, micro-segmentation, continuous monitoring

Zero Trust applies to all layers: identity, endpoints, applications, data, infrastructure, and network.

Defense-in-Depth Model

Defense-in-depth is a layered security strategy where if one layer fails, subsequent layers prevent further exposure. Each layer provides protection, so an attacker must breach multiple layers to access data. (Defense in Depth)

The seven layers (outside to inside):

Layer	Purpose	Examples
Physical security	Protect physical datacenter access	Biometric access, security cameras (Microsoft's responsibility)
Identity and access	Control access to infrastructure	MFA, Conditional Access, RBAC
Perimeter	Protect against network-based attacks	DDoS protection, firewalls, Azure Firewall
Network	Limit communication between resources	NSGs, VNet segmentation, private endpoints
Compute	Secure access to VMs and compute resources	Endpoint protection, patching, OS hardening
Application	Ensure applications are secure and free of vulnerabilities	Secure coding, application-level firewalls
Data	Protect data confidentiality and integrity (the ultimate target)	Encryption at rest and in transit, access controls

**Exam trap:**The layers go from physical (outermost) to data (innermost). The data layer is at the center because data is ultimately what attackers are after. Physical security is Microsoft's responsibility; the other layers are shared responsibility depending on the service model (IaaS/PaaS/SaaS).

Microsoft Defender for Cloud

Microsoft Defender for Cloud is a Cloud-Native Application Protection Platform (CNAPP) that provides security posture management and threat protection for workloads running in Azure, on-premises, and in other clouds (AWS, GCP). (Defender for Cloud Overview)

Two core pillars for the exam:

Pillar	Full Name	Purpose
CSPM	Cloud Security Posture Management	Continuously assess security configuration, identify misconfigurations, provide recommendations, assign a Secure Score
CWP	Cloud Workload Protection	Threat detection and protection for specific workloads (VMs, containers, databases, storage, App Service)

Key capabilities:

Secure Score: A numerical score (0-100%) representing your security posture. Higher is better. Recommendations increase your score when implemented.
Security recommendations: Actionable guidance to fix misconfigurations (e.g., "Enable MFA for accounts with owner permissions").
Regulatory compliance dashboard: Track compliance against standards like NIST, ISO 27001, PCI DSS.
Threat protection alerts: Real-time alerts when suspicious activity is detected on your resources.
Multi-cloud support: Connects to AWS and GCP via native connectors (not limited to Azure).

Defender for Cloud has a free tier (Foundational CSPM, enabled by default) and paid plans (Defender CSPM, Defender for Servers, Defender for Containers, etc.) for advanced features.

**Exam trap:**Defender for Cloud is not just for Azure. It supports multi-cloud environments (AWS, GCP) and hybrid (on-premises via Azure Arc). Also, the free tier provides basic CSPM (recommendations, Secure Score), but workload protection (CWP) requires paid Defender plans.

Exam Tips for Domain 2

Memorize the hierarchy: Management Groups > Subscriptions > Resource Groups > Resources. Know that policies and RBAC inherit downward.
Know the redundancy table: LRS/ZRS/GRS/GZRS and the RA- variants. Understand copies, scope, and when to use each.
Distinguish availability zones from availability sets: Zones protect against datacenter failures (stronger). Sets protect against rack failures within a datacenter.
ExpressRoute is not encrypted: Private does not mean encrypted. This is a frequently tested misconception.
Entra ID is not AD DS in the cloud: No Kerberos, no LDAP, no GPOs, no OUs natively in Entra ID.
GRS vs. RA-GRS: Without the RA prefix, you cannot read from the secondary until a failover. With RA, you get read-only access at all times.
Archive tier is offline: Data must be rehydrated before you can read it. Rehydration takes hours.
Contributor cannot assign roles: Only Owner and User Access Administrator can assign RBAC roles.
Conditional Access requires P1/P2: It is not in the Free tier of Microsoft Entra ID.
Defender for Cloud is multi-cloud: It works with AWS and GCP, not just Azure.