Learning Notes

My AZ-900 Journey: Fourth Practice Test - 78.38% and a Honest Wake-Up Call

April 11, 2026 8 min read
azure cloud certification az-900 microsoft practice-test

I will be direct about this one: I am not satisfied with this result. Set 3 brought a score of 78.38%, and more importantly, one category came in below the exam passing threshold. That is not a reason to panic, but it is exactly the kind of signal that practice tests exist to surface before the real thing.


The Result

Overall Score - Set 3
78.38%
58 out of 74 points
First attempt at Set 3
PASSED
50
Questions
40:16
Time Taken
70%
Pass Threshold


Breakdown by Category

Describe Cloud Concepts
85.71% was 92.31%
Describe Azure Architecture and Services
78.72% was 81.40%
Describe Azure Management and Governance
69.23% was 76.19%
Management and Governance dropped below the 70% exam threshold. This is the priority to fix before booking the exam.


Progress Across All Four Tests

Set 1, Run 1
83.78%
23:02
Set 1, Run 2
94.59%
23:38
Set 2, Run 1
81.82%
41:23
Set 3, Run 1
78.38%
40:16
Scores on Set 1 (repeated) are not directly comparable to Set 2 and Set 3 (fresh question banks).


What Happened

The overall score is still a pass, but this test exposed something that needs to be addressed before the real exam.

Management and Governance at 69.23% is below the 70% passing threshold. On the actual AZ-900 exam, the overall score determines pass or fail rather than individual category scores, but consistently scoring below threshold in this domain on practice tests is a clear signal. This category keeps showing up as the weakest area across multiple test sets, and this time it dipped to a level I cannot be comfortable with.

The Governance domain has a pattern of feeling familiar during study but then producing wrong answers under timed conditions. The concepts are not obscure, but the questions are designed to test precision at the level of exact behaviour, not general awareness.


Specific Gaps Identified

Going through the detailed explanations after this test, here are the areas that cost points.

Microsoft Entra ID Protection vs Entra Privileged Identity Management

These two services sound similar and operate in adjacent spaces, but they do completely different things:

  • Microsoft Entra ID Protection detects and responds to identity-based risks automatically. It handles scenarios like sign-ins from anonymous IP addresses, impossible travel detections, and leaked credentials. If a question mentions automatically blocking or prompting action based on risky sign-in behaviour, the answer is ID Protection.
  • Microsoft Entra Privileged Identity Management (PIM) handles time-based and approval-based access to privileged roles. It is about controlling who has elevated access and for how long, with just-in-time activation. If a question is about minimising standing privileged access, the answer is PIM.

The key distinction: ID Protection is about detecting risk signals. PIM is about controlling privileged access windows.

Resource Lock Types and Their Names

A question about lock types exposed an important detail. Azure has two lock types:

  • CanNotDelete (Delete lock in the portal) - users can read and modify the resource but cannot delete it.
  • ReadOnly (Read-only lock in the portal) - users can read the resource but cannot delete or modify it.

The naming inconsistency between what appears in the portal and the underlying API names is exactly the kind of detail that catches people out. Both names need to be known.

Storage Replication and Cross-Region Assumptions

A question about storage replication statements tested a subtle but important point: data uploaded to an Azure storage account is not automatically replicated to another region by default. Cross-region replication only happens when the storage account is configured with GRS (Geo-Redundant Storage) or GZRS (Geo-Zone-Redundant Storage). The default replication options, LRS and ZRS, keep all copies within the primary region.

At the same time, all storage accounts replicate data at least three times in the primary region, so the assumption that data is only copied once is also wrong.

NSG Attachment Points

A question confirmed that Network Security Groups can be attached to:

  • Subnets
  • Network interfaces

They cannot be attached directly to a virtual network. This is a detail that is easy to overlook but comes up repeatedly in practice questions.

Azure Policy Behaviour on Existing Resources

One question clarified an important point about how Azure Policy handles resources that were already in place before a policy was assigned. When a new policy is assigned that prohibits a certain resource type, any existing resources that violate that policy are flagged as non-compliant but are not deleted, moved, or modified. They continue to function normally. Only new resource creation attempts are blocked.


What I Am Doing Before the Next Test

Priority Revision Areas
1
Microsoft Entra ID Protection vs Privileged Identity Management
Nail the exact use case for each. ID Protection is for risk detection. PIM is for controlling privileged role access windows.
2
Resource Lock type names
Know both the portal names (Delete, Read-only) and the API names (CanNotDelete, ReadOnly) and understand exactly what each one permits.
3
Storage replication defaults and cross-region behaviour
LRS and ZRS keep data within the primary region only. GRS and GZRS are required for cross-region replication. No storage option copies data just once.
4
NSG attachment rules
NSGs attach to subnets and network interfaces only. Not to virtual networks directly.
5
Azure Policy effect on existing resources
A new policy marks existing non-compliant resources but does not touch them. Only new creation attempts are blocked.


The Bigger Picture

This result is uncomfortable to write about, but that is exactly why it is worth writing about. A 69.23% on Management and Governance in a practice test is more useful information than a 100% would have been, because it forces a specific revision focus before the exam rather than false confidence.

The exam is not booked yet. There is still time to address this. The plan is to go back through the Management and Governance material with targeted focus on identity services, governance tools, and resource management behaviour, sit another practice test, and only book the real exam when the scores reflect genuine readiness across all three domains.


If you are preparing for AZ-900 and navigating similar gaps, feel free to reach out.

Noble Antwi

Noble Worlanyo Antwi

Cloud Security Engineer · IAM Specialist · MSc Cybersecurity & Digital Forensics

Back to All Posts Get In Touch