AZ-104: Microsoft Azure Administrator Study Guide
AZ-104: Microsoft Azure Administrator validates your ability to manage Azure identities and governance, storage, compute, virtual networking, and monitoring. It is aimed at administrators who implement, manage, and monitor an organization's Azure environment day to day, and assumes familiarity with the portal, Azure CLI, PowerShell, ARM/Bicep templates, and core Azure services.
Domain 1: Manage Azure Identities and Governance
- Azure RBAC is additive - a user's effective permissions are the union of all their role assignments, so a Reader plus Contributor assignment yields Contributor-level access.
- Role assignments inherit downward from management group to subscription to resource group to resource; an assignment at a parent scope applies to all child scopes.
- Owner can manage resources AND assign roles; Contributor can manage resources but cannot grant access; User Access Administrator can only manage role assignments (the least-privilege choice for delegating access management).
- Microsoft Entra dynamic groups use attribute-based membership rules (e.g. user.department -eq "Sales") to add/remove members automatically and require Entra ID P1 licensing.
- Azure Policy with the Deny effect blocks non-compliant resource creation at deployment time; common built-ins include 'Allowed locations', 'Require a tag and its value on resources', and 'Allowed virtual machine size SKUs'.
- Azure Policy assignments cascade to all child scopes, so placing multiple subscriptions under one management group lets a single assignment govern them all, including future subscriptions added later.
- Conditional Access policies enforce controls such as requiring MFA, blocking sign-ins from named locations (countries/IP ranges), and can target directory roles like Global Administrator; Conditional Access requires Entra ID P1.
- Privileged Identity Management (PIM) provides just-in-time, time-bound, approval-based activation of privileged Entra and Azure roles and requires Entra ID P2.
- Self-service password reset (SSPR) can be scoped to a specific group; only direct members of that group can reset their password, and cloud-only SSPR also requires the user to register authentication methods.
- A guest user is added via Entra B2B collaboration (invitation) to grant external partners access; you then assign RBAC roles such as Reader to control what they can do.
- Resource locks come in two types: CanNotDelete (read and modify allowed, delete blocked) and ReadOnly (only read allowed); a lock applies to every child resource under its scope and is enforced regardless of role - even an Owner must remove the lock before deleting. Note that ReadOnly also blocks operations that are technically writes (POST calls), such as listing storage account keys or starting/restarting a VM.
- A user must have a Usage Location set before certain licenses can be assigned, and Entra Connect only syncs accounts within the configured sync scope (OU filtering can exclude accounts).
- Azure Cost Management budgets trigger alert notifications at configured thresholds (e.g. 80% of spend) but do not stop spending; use Azure Policy to actually prevent expensive SKUs, and Azure Advisor for cost recommendations.
- Custom RBAC roles let you grant a precise set of Actions (e.g. start, restart, deallocate a VM) at a chosen scope when no built-in role fits the least-privilege requirement.
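The two RBAC rules above (assignments are additive, and an assignment at a parent scope inherits downward) plus the custom-role example are easier to reason about with a small evaluator. The following is an added example written for this guide, not Microsoft's authorization code: the role definitions are abridged copies of the built-in Actions/NotActions shape, the hierarchy (management group corp, subscription sub1, resource groups rg1/rg2) and the assignments are constructed, and deny assignments, DataActions and ABAC conditions are deliberately left out.

```python
"""Toy model of Azure RBAC evaluation: union of assignments plus scope inheritance.

Added example, not Microsoft code. Role definitions use the real
Actions/NotActions shape with '*' wildcards; deny assignments, DataActions
and ABAC conditions are deliberately left out (simplification).
"""
import re
from fnmatch import fnmatchcase

# Abridged built-in role definitions (assumption: trimmed to the actions this demo needs).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # NotActions subtract from this role only; they are not a deny.
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
    # Custom role from the study guide: start/restart/deallocate, nothing else.
    "VM Operator": {
        "Actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
            "Microsoft.Compute/virtualMachines/deallocate/action",
        ],
        "NotActions": [],
    },
}

# Constructed hierarchy: management group 'corp' > subscription 'sub1' > rg1, rg2.
MG_CORP = "/providers/Microsoft.Management/managementGroups/corp"
SUB1 = "/subscriptions/sub1"
RG1 = SUB1 + "/resourceGroups/rg1"
VM1 = RG1 + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = SUB1 + "/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm2"
MG_OF_SUBSCRIPTION = {SUB1: MG_CORP}

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Reader", SUB1),        # reads everything in the subscription
    ("alice", "Contributor", RG1),    # ...and manages resources in rg1 only
    ("bob", "User Access Administrator", SUB1),
    ("carol", "VM Operator", VM1),    # resource-scoped custom role
    ("dave", "Reader", MG_CORP),      # inherited by sub1 via the management group
]


def scope_chain(scope):
    """Return scope and all ancestors: resource -> resource group -> subscription -> management group -> root."""
    chain = [scope]
    m = re.match(r"(/subscriptions/[^/]+)(/resourceGroups/[^/]+)?", scope, re.IGNORECASE)
    if m:
        sub, rg = m.group(1), m.group(2)
        for ancestor in ([sub + rg] if rg else []) + [sub]:
            if ancestor not in chain:
                chain.append(ancestor)
        if sub in MG_OF_SUBSCRIPTION:
            chain.append(MG_OF_SUBSCRIPTION[sub])
    chain.append("/")
    return chain


def role_allows(role_name, action):
    """Azure matching is case-insensitive and '*' spans any number of segments."""
    role = ROLES[role_name]
    a = action.lower()
    allowed = any(fnmatchcase(a, pattern.lower()) for pattern in role["Actions"])
    excluded = any(fnmatchcase(a, pattern.lower()) for pattern in role["NotActions"])
    return allowed and not excluded


def is_allowed(principal, action, scope, assignments=ASSIGNMENTS):
    """Additive model: any one assignment at the scope or an ancestor that grants the action suffices."""
    ancestors = scope_chain(scope)
    return any(
        p == principal and s in ancestors and role_allows(role, action)
        for p, role, s in assignments
    )


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM1),           # Contributor at rg1
        ("alice", "Microsoft.Compute/virtualMachines/write", VM2),           # only Reader at sub1
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM1),     # Contributor cannot grant access
        ("bob", "Microsoft.Authorization/roleAssignments/write", VM1),
        ("bob", "Microsoft.Compute/virtualMachines/write", VM1),
        ("carol", "Microsoft.Compute/virtualMachines/start/action", VM1),
        ("carol", "Microsoft.Compute/virtualMachines/write", VM1),
        ("dave", "Microsoft.Compute/virtualMachines/read", VM2),             # via management group
    ]
    for principal, action, scope in checks:
        print(f"{principal:6} {action:55} {'Allow' if is_allowed(principal, action, scope) else 'Deny'}")
```

Run it and read the Allow/Deny column against the bullets above: alice gets Contributor behaviour only under rg1 and Reader elsewhere, bob can write role assignments but not VMs, carol can start vm1 but not change it, and dave's Reader assignment at the management group reaches a VM two scopes below. Note that NotActions only narrow the role they belong to; an exclusion in one role does not cancel a grant from another assignment, which is exactly why a Reader plus Contributor pair behaves like Contributor.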
Domain 2: Implement and Manage Storage
- Storage redundancy tiers: LRS (3 copies in one datacenter), ZRS (across 3 availability zones), GRS (LRS + async copy to paired region), and GZRS (ZRS + paired region); RA-GRS/RA-GZRS additionally expose a read-only secondary endpoint usable during a primary outage.
- A user delegation SAS is secured with Microsoft Entra ID credentials (a user delegation key obtained by an Entra principal) and is the recommended type; service and account SAS are signed with a storage account access key, so regenerating that key immediately invalidates every SAS signed with it. To revoke a single service SAS without rotating the key, issue it against a stored access policy (signed identifier) and delete or change the policy; a user delegation SAS is revoked by revoking the user delegation key.
- Blob access tiers are Hot, Cool, Cold, and Archive; default account tier can be Hot or Cool, Archive is set per-blob and is offline (requires rehydration to read), and minimum retention applies before early-deletion charges.
- Blob lifecycle management policies automatically move blobs Hot->Cool->Archive and delete them based on days since last modified or created, reducing storage cost without manual intervention.
- Azure Files supports identity-based authentication by joining the storage account to on-premises AD DS (or Entra Domain Services) so SMB clients use existing Kerberos credentials; you then set share-level RBAC plus NTFS permissions.
- Azure File Sync uses a server endpoint on an on-premises Windows file server and a cloud endpoint pointing to an Azure file share, with cloud tiering to keep hot files local and tier cold files to Azure.
- Storage account firewall: set 'Enabled from selected virtual networks and IP addresses', add allowed VNet subnets (via service endpoints) and IP ranges; service endpoints (Microsoft.Storage) keep traffic on the Azure backbone.
- Private endpoints assign the storage account a private IP inside a VNet so access stays entirely off the public internet; combine with firewall rules denying public access for maximum isolation.
- Immutable storage with a time-based retention policy (WORM) enforces a fixed immutability period (e.g. 7 years) during which blobs cannot be modified or deleted, satisfying compliance/legal-hold requirements.
- Customer-managed keys require an Azure Key Vault with soft delete and purge protection enabled, plus a managed identity (system-assigned or user-assigned) on the storage account that is granted the Get, Wrap Key, and Unwrap Key permissions via an access policy, or the Key Vault Crypto Service Encryption User role when the vault uses RBAC authorization.
- Blob versioning and soft delete protect against accidental change/deletion; you recover by restoring a soft-deleted blob or promoting a previous version to current; both are enabled under Data protection.
- AzCopy is the tool for bulk/scripted data transfer: use 'azcopy copy' with SAS tokens appended to the source/destination URLs, or run 'azcopy login' first to authenticate with Entra ID. For Azure CLI data-plane commands (e.g. 'az storage blob upload') pass --auth-mode login to authenticate with Entra ID instead of an account key.
- Azure Data Box is for offline bulk migration of large datasets (terabytes) where network transfer is impractical: order the device, copy data locally, ship it back to Azure.
- Enable the static website feature to serve content from the $web container over a web endpoint, then front it with Azure CDN or Front Door for a custom domain and managed HTTPS certificate.
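The SAS bullet above says that service and account SAS are signed with the account key and that regenerating the key invalidates them. The following added example (written for this guide, not Microsoft's SDK code) shows why: it assembles the string-to-sign documented for service SAS version 2020-12-06, signs it with HMAC-SHA256 under the base64-decoded account key, and then verifies the token under the original key and under a regenerated one. Assumptions: only a plain blob SAS is modelled (snapshot and encryption-scope fields stay empty), the account name, container, blob and keys are constructed, and the user delegation SAS (signed with a user delegation key, not the account key) is out of scope.

```python
"""Service SAS signing and verification for a blob (added example, not Microsoft's SDK code).

Builds the string-to-sign documented for service SAS version 2020-12-06 and
signs it with HMAC-SHA256 under the base64-decoded account key, which is what
makes key regeneration invalidate every outstanding service/account SAS.
Snapshot and encryption-scope fields are left empty (assumption: plain blob
SAS only); the user delegation SAS is not modelled.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
# Fields of the documented string-to-sign after the canonicalized resource, in order.
# 'snapshot' and 'ses' stand for signedSnapshotTime / signedEncryptionScope (assumption: left empty here).
_TRAILING_FIELDS = ("si", "sip", "spr", "sv", "sr", "snapshot", "ses",
                    "rscc", "rscd", "rsce", "rscl", "rsct")


def string_to_sign(account, container, blob, params):
    """Newline-joined fields; the canonicalized resource is '/blob/<account>/<container>/<blob>'."""
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [params.get("sp", ""), params.get("st", ""), params.get("se", ""), canonical]
    fields += [params.get(name, "") for name in _TRAILING_FIELDS]
    return "\n".join(fields)


def sas_signature(account_key_b64, message):
    """Base64(HMAC-SHA256(base64-decoded account key, UTF-8 message))."""
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_service_sas(account_key_b64, account, container, blob, permissions, start, expiry):
    """Return the SAS query string (sv, sr, sp, st, se, spr, sig) for one blob."""
    params = {"sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": start, "se": expiry, "spr": "https"}
    params["sig"] = sas_signature(account_key_b64, string_to_sign(account, container, blob, params))
    return urlencode(params)


def verify_service_sas(account_key_b64, sas_query, account, container, blob, now):
    """Recompute the signature under the key the service currently holds, then check the validity window.

    'now', 'st' and 'se' are ISO 8601 UTC strings of the same shape, so string comparison is safe.
    A real verifier also enforces sip/spr and the permissions the request actually needs.
    """
    params = {k: v[0] for k, v in parse_qs(sas_query, keep_blank_values=True).items()}
    if "sig" not in params or "sv" not in params or "se" not in params:
        return False
    expected = sas_signature(account_key_b64, string_to_sign(account, container, blob, params))
    if not hmac.compare_digest(expected, params["sig"]):
        return False  # wrong key (rotated) or tampered parameters
    return params.get("st", "") <= now < params["se"]


def demo():
    """Constructed scenario: token minted under key1, then the account key is regenerated to key2."""
    key1 = base64.b64encode(secrets.token_bytes(64)).decode("ascii")
    key2 = base64.b64encode(secrets.token_bytes(64)).decode("ascii")
    blob = ("contoso", "backups", "db.bak")
    sas = build_service_sas(key1, *blob, "r", "2025-01-01T00:00:00Z", "2025-01-02T00:00:00Z")
    tampered = sas.replace("sp=r&", "sp=rw&")  # holder tries to upgrade read-only to read+write
    now = "2025-01-01T12:00:00Z"
    return {
        "valid_under_key1": verify_service_sas(key1, sas, *blob, now),
        "valid_after_key_regeneration": verify_service_sas(key2, sas, *blob, now),
        "tampered_permissions": verify_service_sas(key1, tampered, *blob, now),
        "expired": verify_service_sas(key1, sas, *blob, "2025-01-03T00:00:00Z"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30} {'accepted' if ok else 'rejected'}")
```

Only the first case is accepted. The token carries no secret of its own: everything except sig is plaintext, and the service simply re-derives sig from the parameters and its current key. That is why a leaked service SAS cannot be "revoked" individually except through a stored access policy, and why rotating the key kills every SAS at once, including the legitimate ones your applications still hold.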
Domain 3: Deploy and Manage Azure Compute Resources
- Availability sets protect against rack/hardware failure within a datacenter using fault domains and update domains (99.95% SLA); availability zones span physically separate datacenters in a region for a 99.99% SLA.
- ARM template/Bicep deployments are scoped to the target resource group; deploying the same template to a different resource group creates independent new resources rather than affecting the original.
- Use 'az deployment group create --resource-group RG --template-file main.bicep' to deploy; preview changes safely with the what-if operation (PowerShell -WhatIf or 'az deployment group what-if').
- Convert between formats with 'az bicep decompile --file template.json' (ARM JSON to Bicep) and 'az bicep build' (Bicep to ARM JSON).
- A VM template's required sections include hardwareProfile (VM size), storageProfile (OS disk and image reference), osProfile (credentials/hostname), and networkProfile (NIC references).
- Resizing a VM always restarts it: if the target size is available on the current hardware cluster the resize is a simple reboot, otherwise the VM must be stopped (deallocated) first so that it can be redeployed to a cluster that offers the size.
- The VM temporary disk (D: on Windows) is ephemeral - its data is wiped on deallocation or host migration, so never store persistent data there.
- Azure Disk Encryption uses BitLocker (Windows) / DM-Crypt (Linux) and stores keys in Azure Key Vault; the VM references the vault to unlock disks at boot.
- VM extensions run post-deployment configuration: Custom Script Extension downloads and runs scripts, and the Azure Monitor Agent collects telemetry.
- Autoscale supports metric-based rules (e.g. scale out on CPU percentage) and scheduled rules (scale up for known peak hours) with configurable min/default/max instance counts; combine both for predictable peaks plus unexpected spikes.
- App Service deployment slots require the Standard tier or higher; deploy to a non-production slot, validate, optionally route a percentage of traffic for testing, then swap for instant zero-downtime cutover.
- App Service scale-up changes the plan tier/SKU (more CPU/RAM, features like slots and autoscale); scale-out adds instances - autoscale needs Standard (S1) or higher.
- Container choices: Azure Container Instances (ACI) for simple single containers with set CPU/memory, Azure Container Apps for serverless containers that scale to zero via KEDA, and AKS for full Kubernetes orchestration.
- Schedule VM cost control with the built-in Auto-shutdown feature for stopping, and an Azure Automation runbook on a schedule to start VMs (e.g. start 8 AM weekdays, shut down 6 PM).
Domain 4: Implement and Manage Virtual Networking
- VNet peering must be configured in BOTH directions to connect (one-sided peering shows 'Initiated', not 'Connected') and peered VNets must have non-overlapping address spaces.
- VNet peering is non-transitive: if A peers B and B peers C, A cannot reach C automatically - create a direct A-to-C peering or route through a hub NVA/gateway; use global VNet peering to connect VNets across regions.
- Hub-and-spoke gateway transit lets spokes use the hub's VPN/ExpressRoute gateway: enable 'Allow gateway transit' on the hub peering and 'Use remote gateways' on each spoke peering.
- NSG rules are processed in priority order from lowest number first, and the first matching rule wins; a deny rule at priority 100 beats an allow at priority 200, so give the intended rule a lower number.
- NSGs have default rules including a final deny-all inbound; to permit specific traffic you add allow rules (e.g. TCP 80/443 from Any) at a lower priority number than the defaults (which start at 65000).
- A user-defined route (UDR) with address prefix 0.0.0.0/0 and next hop type Virtual Appliance forces all subnet traffic through an NVA or Azure Firewall; UDRs override Azure's default system routes.
- Azure Firewall is deployed in a dedicated AzureFirewallSubnet and is combined with a UDR (0.0.0.0/0 to the firewall private IP) to inspect/control all outbound traffic centrally.
- Azure Bastion requires a dedicated subnet named exactly 'AzureBastionSubnet' sized /26 or larger, and provides RDP/SSH through the portal over TLS 443 without public IPs on the VMs.
- Standard SKU Load Balancer provides no default outbound internet access - you must add outbound rules or attach a NAT gateway; Standard public IPs are static and zone-redundant by default.
- An Azure NAT gateway attached to a subnet provides scalable, predictable outbound connectivity using one or more static public IPs and is the recommended pattern for outbound SNAT.
- Choose load balancing by layer: Azure Load Balancer (L4 TCP/UDP), Application Gateway (L7 HTTP/S with WAF and path/host routing), Front Door (global L7), and Traffic Manager (DNS-based global routing).
- Application Gateway WAF uses the OWASP core rule set; set it to Prevention mode to actively block malicious requests (Detection mode only logs them).
- Service endpoints (e.g. Microsoft.Sql, Microsoft.Storage) enabled on a subnet route traffic to PaaS services over the Azure backbone and let those services restrict access to specific subnets.
- Azure Private DNS zones auto-register an A record for each VM (name to private IP) when autoregistration is on; alias records point to Azure resources and update automatically when the target's IP changes.
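The NSG bullets above state the two rules that decide most networking questions: rules are evaluated lowest priority number first, and the first match wins, with the default rules at 65000/65001/65500 catching whatever the custom rules did not. The following added example (written for this guide, not Microsoft's code) evaluates a flow the way Network Watcher's IP Flow Verify reports it. Assumptions: the VNet address space, the custom rules and the test addresses are constructed, and the service tags are approximated (VirtualNetwork is the constructed VNet prefix, AzureLoadBalancer is 168.63.129.16, Internet is any address outside the VNet and outside RFC 1918 space).

```python
"""NSG rule evaluation in the order Azure applies it (added example, not Microsoft code).

Custom rules and the default rules are sorted by priority (lowest number first)
and the first match decides, which is what IP Flow Verify reports.
Service tags are approximated (assumption): VirtualNetwork = the constructed VNet
prefixes, AzureLoadBalancer = 168.63.129.16, Internet = outside VNet and RFC 1918.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_network("168.63.129.16/32")


def rule(name, priority, access, source, dest_port, protocol="*", destination="*", direction="Inbound"):
    """Compact constructor for an NSG rule (source port is '*' for all rules in this demo)."""
    return dict(name=name, priority=priority, access=access, protocol=protocol, source=source,
                source_port="*", destination=destination, dest_port=dest_port, direction=direction)


# Default rules every NSG carries; 65000-65500 cannot be edited, only pre-empted by a lower number.
DEFAULT_RULES = [
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*", destination="VirtualNetwork"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*"),
    rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork", "*", destination="VirtualNetwork", direction="Outbound"),
    rule("AllowInternetOutBound", 65001, "Allow", "*", "*", destination="Internet", direction="Outbound"),
    rule("DenyAllOutBound", 65500, "Deny", "*", "*", direction="Outbound"),
]


def address_matches(spec, ip, vnet_prefixes):
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in vnet_prefixes)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "AzureLoadBalancer":
        return addr in AZURE_LB_PROBE
    if spec == "Internet":
        return not in_vnet and not any(addr in net for net in RFC1918)
    # Otherwise a comma-separated list of IP addresses / CIDR prefixes.
    return any(addr in ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(","))


def port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def ip_flow_verify(custom_rules, direction, protocol, src_ip, src_port, dst_ip, dst_port, vnet_prefixes):
    """Return (access, rule name) of the first matching rule in priority order."""
    candidates = [r for r in custom_rules + DEFAULT_RULES if r["direction"] == direction]
    for r in sorted(candidates, key=lambda r: r["priority"]):
        if (r["protocol"].lower() in ("*", protocol.lower())
                and address_matches(r["source"], src_ip, vnet_prefixes)
                and port_matches(r["source_port"], src_port)
                and address_matches(r["destination"], dst_ip, vnet_prefixes)
                and port_matches(r["dest_port"], dst_port)):
            return r["access"], r["name"]
    return "Deny", "(no rule matched)"  # unreachable: the 65500 default always matches


# Constructed NSG on a web subnet in VNet 10.0.0.0/16; the VM is 10.0.1.4.
VNET = [ipaddress.ip_network("10.0.0.0/16")]
CUSTOM_RULES = [
    rule("DenyRDP", 100, "Deny", "*", "3389", protocol="Tcp"),
    rule("AllowHTTPS", 200, "Allow", "Internet", "443", protocol="Tcp"),
    # Intended exception for the jump box, but 300 is evaluated after DenyRDP at 100, so it never matches.
    rule("AllowRDPFromJumpbox", 300, "Allow", "203.0.113.10", "3389", protocol="Tcp"),
]


def demo():
    flows = {  # (protocol, source IP, source port, destination IP, destination port)
        "https_from_internet": ("Tcp", "203.0.113.5", 51000, "10.0.1.4", 443),
        "rdp_from_jumpbox": ("Tcp", "203.0.113.10", 51001, "10.0.1.4", 3389),
        "ssh_from_internet": ("Tcp", "203.0.113.5", 51002, "10.0.1.4", 22),
        "ssh_from_vnet": ("Tcp", "10.0.2.7", 51003, "10.0.1.4", 22),
        "lb_health_probe": ("Tcp", "168.63.129.16", 51004, "10.0.1.4", 22),
    }
    return {name: ip_flow_verify(CUSTOM_RULES, "Inbound", *flow, VNET) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (access, matched) in demo().items():
        print(f"{name:22} {access:5} by {matched}")
```

The rdp_from_jumpbox result is the exam trap in miniature: the administrator added an allow for the jump box, but at priority 300 it sits behind the deny at 100, so the flow is denied by DenyRDP and the allow never fires. Swapping the two numbers fixes it. Note also that ssh_from_vnet is allowed by the default AllowVnetInBound rule without any custom rule, which is why an NSG with only "deny from Internet" rules does nothing to block lateral movement inside the VNet.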
Domain 5: Monitor and Maintain Azure Resources
- A Log Analytics workspace stores log data and is required to run KQL (Kusto) queries; diagnostic logs must be sent there before you can query them in the Logs blade.
- Diagnostic settings route resource logs and metrics to several destinations at once: a Log Analytics workspace (for KQL), a storage account (long-term archive), an event hub (streaming to an external SIEM), or a partner solution; one setting can target one of each destination type, and a resource can have up to five diagnostic settings.
- Metric alerts fire on numeric platform/guest metrics (e.g. Http5xx > 10 over 5 minutes, CPU > 90%); use 'Split by dimensions' to evaluate a single rule per resource (e.g. each VM individually).
- Activity log alerts trigger on control-plane operations recorded in the Activity Log, such as Microsoft.Compute/virtualMachines/delete for VM deletion.
- Action groups define the notification/automation response to an alert: email, SMS, push, webhook, ITSM connector, Logic App, Automation runbook, or Azure Function.
- Common KQL: the ago() function gives now minus a timespan (ago(24h) = 24 hours ago); typical pattern is 'Perf | where TimeGenerated > ago(24h) | summarize avg(CounterValue) by Computer'.
- VM Insights (requires Azure Monitor Agent + Dependency Agent) provides the Map view to visualize VM process dependencies and network connections between machines and external services.
- Azure Backup stores VM backups in a Recovery Services vault using a backup policy (schedule + retention); it takes application-consistent snapshots via VSS on Windows, and supports custom daily/weekly/monthly/yearly (GFS) retention.
- Restore a VM from backup by selecting a recovery point from before the corruption in the Recovery Services vault and either creating a new VM or replacing the existing one; you can also restore individual files.
- Azure Site Recovery replicates VMs to a secondary region for disaster recovery; during a regional outage you manually initiate a failover, which brings VMs online from the latest recovery point.
- Network Watcher tools: IP Flow Verify checks whether NSG rules allow/deny a flow, Next Hop shows the routing decision for a packet, Connection Troubleshoot/Connection Monitor test end-to-end connectivity.
- Azure Update Manager assesses, schedules, and deploys OS patches to VMs at scale and provides a centralized compliance dashboard, replacing the older Update Management solution.
- Recovery Services vaults also back up Azure file shares: create the vault in the same region as the storage account, register the storage account, and apply a backup policy to the share.
- Azure Monitor workbooks build interactive visual reports and can run cross-subscription queries to combine metrics and logs from multiple subscriptions in one view.
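The metric alert bullet above recommends 'Split by dimensions' so that one rule evaluates each VM individually. The following added example (written for this guide, not Azure Monitor's evaluation engine) applies the same window/aggregation/threshold logic to constructed Percentage CPU samples from three VMs and shows what the unsplit rule misses. Assumptions: the VM names, timestamps and values are constructed, and the evaluation uses one fixed lookback window rather than Azure Monitor's separate aggregation granularity and evaluation frequency settings.

```python
"""Metric alert evaluation with and without 'Split by dimensions' (added example, not Azure Monitor code).

Constructed samples stand in for a Percentage CPU metric from three VMs; the
function applies the window/aggregation/threshold logic of a metric alert rule
and shows why a rule that is not split per VM can miss a single hot VM.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def evaluate_metric_alert(samples, now, window, threshold, aggregation="avg", split_by_dimension=True):
    """Return {dimension: fired} for the samples inside (now - window, now]."""
    window_start = now - window
    groups = defaultdict(list)
    for ts, dimension, value in samples:
        if window_start < ts <= now:
            groups[dimension if split_by_dimension else "(all resources)"].append(value)
    fired = {}
    for dimension, values in groups.items():
        agg = {"avg": sum(values) / len(values), "max": max(values), "min": min(values)}[aggregation]
        fired[dimension] = agg > threshold
    return fired


def constructed_samples(now):
    """One sample per minute for the last five minutes; vm-c is pegged, the others idle.

    An old 100% spike for vm-a sits outside the window and must not count.
    """
    samples = [(now - timedelta(minutes=10), "vm-a", 100.0)]
    for minute in range(5):
        ts = now - timedelta(minutes=minute)
        samples += [(ts, "vm-a", 30.0), (ts, "vm-b", 30.0), (ts, "vm-c", 98.0)]
    return samples


def demo():
    """Constructed scenario: CPU > 90 over 5 minutes, evaluated three ways."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    samples = constructed_samples(now)
    five_min = timedelta(minutes=5)
    return {
        "split": evaluate_metric_alert(samples, now, five_min, 90),
        "no_split_avg": evaluate_metric_alert(samples, now, five_min, 90, split_by_dimension=False),
        "no_split_max": evaluate_metric_alert(samples, now, five_min, 90, "max", split_by_dimension=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

With the split, vm-c fires and the other two stay quiet; without it, the average across all three VMs is about 53% and nothing fires even though one machine is pegged at 98%. Switching the unsplit rule to a Max aggregation makes it fire, but then you do not learn which VM is hot, which is the point of splitting in the first place. The old spike for vm-a is ignored because it falls outside the window, which is the behaviour to expect from the rule's lookback period.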
AZ-104 exam tips
- Watch the scope in RBAC/Policy questions - management group vs subscription vs resource group determines inheritance; the single correct answer is usually the highest scope that satisfies the requirement without over-granting.
- When a question asks for 'least privilege', prefer the narrowest built-in role (e.g. User Access Administrator over Owner) or a custom role over a broad one, even if a broader role technically works.
- Memorize exact numbers and names: /26 for AzureBastionSubnet, 99.95% (availability set) vs 99.99% (availability zones) SLA, the four redundancy tiers, and SAS types - the exam tests precise details.
- For networking troubleshooting, map the symptom to the right Network Watcher tool (IP Flow Verify for NSG, Next Hop for routing, Connection Troubleshoot for connectivity) and remember NSG rules are evaluated lowest-priority-number first.
- Expect multiple-response, drag-and-drop, and case-study questions; read whether a question wants one answer or several, and in case studies note constraints (region, cost, compliance) before choosing.
Study guide FAQ
How is the AZ-104 exam scored and structured?
It uses a scaled score from 1 to 1000 with 700 required to pass; you get about 120 minutes for 40-60 questions including multiple choice, multiple response, drag-and-drop, and one or more case studies. A higher score does not require getting every question right.
Which domain should I focus on most?
Identities and Governance and Compute are the heaviest weighted, but storage and networking carry the most precise detail questions. Spread your study, but make sure RBAC, Azure Policy, VM/availability options, and VNet/NSG/peering rules are rock solid.
Do I need to know Azure CLI, PowerShell, and Bicep, or just the portal?
You need working familiarity with all of them. The exam includes command syntax (az deployment, az bicep, AzCopy, az storage) and template sections, so practice the common commands rather than only clicking through the portal.
How much hands-on practice do I need before sitting the exam?
Plan for real practice in a free or pay-as-you-go subscription: deploy VMs and scale sets, configure storage redundancy and SAS, set up VNet peering with NSGs and a UDR, and create alerts and backups. Hands-on repetition is what cements the exact behaviors the exam probes.