Zero Trust Security in Azure: RBAC, MFA, and Defender for Cloud

Security is one of the most heavily tested areas of the AZ-900 exam, and for good reason: cloud security is fundamentally different from on-premises security. Microsoft's approach is built on the Zero Trust model, which abandons the idea of a trusted internal network and instead verifies every user, every device, and every request — explicitly, every time.

The Zero Trust Security Model

Traditional security assumed that anything inside the corporate network could be trusted. Zero Trust flips this assumption entirely. Its three core principles are:

  • Verify explicitly — Always authenticate and authorise based on all available data points: identity, location, device health, service, workload, and data classification.
  • Use least privilege access — Limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA), risk-based adaptive policies, and data protection.
  • Assume breach — Minimise blast radius. Segment access. Encrypt everything. Use analytics to detect threats and improve defences.

For the AZ-900 exam, you must recognise Zero Trust as Microsoft's guiding security philosophy and understand how Azure services implement it.

Microsoft Entra ID (formerly Azure Active Directory)

Microsoft Entra ID is the identity and access management foundation for Azure. Every Azure account is backed by an Entra ID tenant. It provides:

  • User and group management
  • Single sign-on (SSO) to cloud and on-premises applications
  • Multi-Factor Authentication (MFA)
  • Conditional Access policies
  • B2B and B2C external identity scenarios

Multi-Factor Authentication (MFA)

MFA requires users to prove their identity using two or more factors:

  • Something you know — password or PIN
  • Something you have — authenticator app, hardware token, SMS code
  • Something you are — fingerprint, face recognition

Azure MFA is enforced through Conditional Access policies. For example, you can require MFA only when a user signs in from outside the corporate network, or when they access sensitive applications. This balances security with usability.

Exam tip: MFA is not just for administrators. Best practice is to enforce it for all users. Security defaults in Entra ID enable MFA for all users in new tenants.

Role-Based Access Control (RBAC)

RBAC is how Azure enforces least-privilege access to resources. Instead of giving users administrative accounts, you assign specific roles that grant exactly the permissions needed for the job.

The three built-in roles you must know for AZ-900:

  • Owner — Full access to all resources, including the ability to assign roles to others.
  • Contributor — Can create and manage all types of Azure resources, but cannot grant roles.
  • Reader — Can view existing resources but cannot make any changes.

RBAC is applied at a specific scope: management group, subscription, resource group, or individual resource. Permissions are inherited downwards — a Contributor at the subscription level has Contributor access to all resource groups and resources within that subscription.

How Roles Are Assigned

A role assignment connects three things:

  1. A security principal (user, group, service principal, or managed identity)
  2. A role definition (a set of permissions)
  3. A scope (the resource or container the role applies to)

Best practice: Assign roles to groups rather than individual users. Adding a new employee to a group automatically grants them the correct access without creating individual role assignments.
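To make the three-part assignment, the Owner/Contributor distinction and downward inheritance concrete, here is an added Python model of how an RBAC check resolves (example code, not Azure's own implementation; the role definitions are simplified, the subscription id is a placeholder, and the principals, group and scopes are constructed):

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified built-in role definitions (constructed; the real ones list more NotActions).
# Contributor gets "*" minus the Microsoft.Authorization writes that would let it grant roles.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # subscription, resource group or resource path

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """Inheritance downwards: an assignment at a scope applies to everything beneath it.
    A segment boundary is required so /subscriptions/s1 does not cover /subscriptions/s10."""
    a, t = assignment_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def role_allows(role: str, action: str) -> bool:
    """Allowed if some Actions pattern matches and no NotActions pattern matches (case-insensitive)."""
    d, act = ROLE_DEFINITIONS[role], action.lower()
    if not any(fnmatchcase(act, p.lower()) for p in d["actions"]):
        return False
    return not any(fnmatchcase(act, p.lower()) for p in d["not_actions"])

def is_authorized(principal, action, target_scope, assignments, group_members) -> bool:
    """Effective access = direct assignments plus those of every group the principal is in."""
    identities = {principal} | {g for g, m in group_members.items() if principal in m}
    return any(ra.principal in identities and scope_covers(ra.scope, target_scope)
               and role_allows(ra.role, action) for ra in assignments)

# Constructed sample tenant: a placeholder subscription id, one resource group, one VM.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
GROUPS = {"vm-operators": {"alice"}}  # best practice: assign to the group, not to alice
ASSIGNMENTS = [
    RoleAssignment("vm-operators", "Contributor", SUB),  # inherited by rg-prod and vm-web01
    RoleAssignment("bob", "Reader", RG),
]

def check(principal, action, scope=VM):
    return is_authorized(principal, action, scope, ASSIGNMENTS, GROUPS)
```

Running `check("alice", "Microsoft.Compute/virtualMachines/write")` succeeds through the group's subscription-level Contributor assignment, while `check("alice", "Microsoft.Authorization/roleAssignments/write")` fails, which is the practice-question distinction between Contributor and Owner.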

Microsoft Defender for Cloud

Microsoft Defender for Cloud is a unified security management and threat protection platform. For AZ-900, you need to understand its two main functions:

Cloud Security Posture Management (CSPM)

Defender for Cloud continuously assesses your Azure resources against security best practices and provides a Secure Score — a percentage representing how well your environment follows Microsoft's recommendations. Recommendations include things like:

  • Enable MFA for accounts with owner permissions
  • Apply system updates to VMs
  • Restrict public access to storage accounts

Each recommendation has a potential score increase, so you can prioritise the highest-impact improvements.

Cloud Workload Protection (CWP)

Defender for Cloud also provides threat detection and alerting for specific resource types: VMs, SQL databases, storage accounts, containers, and more. It uses threat intelligence and anomaly detection to identify suspicious activity, such as a VM communicating with a known malicious IP address.

Defence in Depth

Microsoft describes security as a layered model — defence in depth. Each layer provides protection if another layer is breached:

  1. Physical security — Azure data centres with biometric access controls
  2. Identity and access — Entra ID, MFA, Conditional Access
  3. Perimeter — DDoS Protection, Azure Firewall
  4. Network — Network Security Groups, VNet segmentation
  5. Compute — VM patching, endpoint protection
  6. Application — Secure development practices, WAF
  7. Data — Encryption at rest and in transit

The AZ-900 exam may ask you to identify which layer a given security control belongs to. Memorise this model — it provides the conceptual framework for many exam questions.

Exam Practice Questions

  1. "A company wants to require employees to use an authenticator app in addition to their password when logging in from home. What should they configure?" — Conditional Access policy with MFA.
  2. "A user needs to create and manage Azure VMs but must not be able to assign roles to other users. What role should they be assigned?" — Contributor.
  3. "What feature of Microsoft Defender for Cloud gives a numerical score representing adherence to security best practices?" — Secure Score.

Security questions on AZ-900 are scenario-based and reward clear conceptual understanding over memorised definitions. Know what each tool does, when to use it, and what problem it solves.