AZ-204: Azure Developer Associate Study Guide
AZ-204 validates your ability to design, build, test, deploy, and maintain cloud applications and services on Microsoft Azure across compute, storage, security, monitoring, and service integration. It targets developers with one-to-two years of professional development experience and hands-on Azure SDK, CLI, and portal experience. You should be comfortable with at least one Azure-supported language (C#, Java, JavaScript/Node, Python) and with REST APIs, JSON, and authentication concepts.
Domain 1: Develop Azure Compute Solutions
- Azure App Service WebJobs of type Continuous start automatically with the app and run indefinitely (ideal for queue-processing loops); Triggered WebJobs run on demand or on a CRON schedule. Continuous WebJobs need 'Always On' enabled (not available on the Free/Shared tiers).
- Deployment slots let you deploy to a non-production slot (e.g., staging), warm it up and validate, then swap into production with no downtime; swap with preview applies production app settings first so you can verify before completing. Slots are a Standard tier or higher feature.
- App settings and connection strings can be marked as deployment-slot settings (sticky), so they stay with the slot and do not move during a swap.
- Azure Functions Consumption plan scales from zero and bills per execution, execution time (GB-seconds), and memory; it has a default 5-minute timeout (max 10). Premium plan adds pre-warmed (always-ready) instances to eliminate cold starts, VNet integration, and longer/unbounded timeouts.
- A Functions Timer trigger uses NCRONTAB with six fields {second} {minute} {hour} {day} {month} {day-of-week}; for example '0 0 3 * * *' runs daily at 03:00.
- With default polling, a Blob trigger can take several minutes to detect new or changed blobs; configuring Event Grid as the trigger source gives near-real-time, low-latency triggering and scales better for high blob volumes.
- In the in-process Functions model, write output to Blob Storage with the [Blob(..., FileAccess.Write)] binding or the [BlobOutput] attribute on a method parameter; bindings remove the need to write storage SDK plumbing.
- Durable Functions orchestrate stateful workflows: use the async HTTP API (HTTP 202 with a status-query URL) for long-running operations, plus patterns like function chaining, fan-out/fan-in, and human interaction.
- Azure Container Instances (ACI) provides serverless, per-second-billed containers with fast startup and no VM/orchestrator management; a restart policy of Never makes a container run once to completion (good for batch jobs). Container groups co-schedule multiple containers sharing lifecycle, network, and storage.
- Mount persistent storage into ACI with the azureFile volume type to attach an Azure Files share into the container.
- Azure Container Registry (ACR) is a managed private OCI/Docker v2 registry; the recommended way for AKS to pull images is to enable a managed identity on the cluster and assign it the AcrPull role on the registry (no stored credentials).
- ACR Tasks can build images automatically: a source-code commit trigger rebuilds an image on each Git commit, and base-image-update triggers rebuild when a dependent base image changes.
- Azure Container Apps provides KEDA-based event-driven autoscaling (e.g., scale on Azure Storage Queue length, Service Bus message count, HTTP traffic) and built-in Dapr for service-to-service invocation, state, and pub/sub.
- To run a Web App for Containers from a custom image, set the linuxFxVersion site configuration (or DOCKER_CUSTOM_IMAGE_NAME) and configure the container settings with the ACR image URL plus pull credentials or a managed identity.
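The six-field NCRONTAB format from the Timer trigger bullet is easy to get wrong under exam pressure, so here is a small parser and next-occurrence calculator to check expressions against. This is an added example written for this guide, not code from the Azure Functions runtime or the Cronos library it uses; it assumes numeric fields only (no month or day-of-week names) and supports '*', lists, ranges and '/step'.

```python
"""Parse Azure Functions NCRONTAB expressions and compute the next firing time.

Added example (not from the study guide or the Functions runtime). Supports the
six-field form {second} {minute} {hour} {day} {month} {day-of-week} with '*',
lists (a,b), ranges (a-b) and steps (*/n, a-b/n). Assumption: numeric fields
only, no month/day names.
"""
from datetime import datetime, timedelta

# Inclusive (min, max) per field, in NCRONTAB order. Day-of-week 0 = Sunday.
FIELD_RANGES = [(0, 59), (0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def _expand(field: str, lo: int, hi: int) -> set[int]:
    """Expand one field into the set of allowed integer values."""
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"invalid step in {field!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
            if step != 1:  # 'a/n' means a, a+n, ... up to the field maximum
                end = hi
        if not (lo <= start <= end <= hi):
            raise ValueError(f"value out of range in {field!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_ncrontab(expr: str) -> list[set[int]]:
    """Validate a six-field NCRONTAB expression; return allowed values per field."""
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError("NCRONTAB needs exactly six fields (got %d)" % len(fields))
    return [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def next_occurrence(expr: str, after: datetime, max_days: int = 366) -> datetime:
    """Return the first time strictly after `after` that matches `expr`."""
    secs, mins, hours, days, months, dows = parse_ncrontab(expr)
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(max_days):
        # NCRONTAB day-of-week: 0 = Sunday; Python weekday(): 0 = Monday.
        if day.month in months and day.day in days and (day.weekday() + 1) % 7 in dows:
            for h in sorted(hours):
                for m in sorted(mins):
                    for s in sorted(secs):
                        candidate = day.replace(hour=h, minute=m, second=s)
                        if candidate > after:
                            return candidate
        day += timedelta(days=1)
    raise ValueError("no occurrence within %d days" % max_days)


if __name__ == "__main__":
    start = datetime(2024, 1, 15, 10, 0, 0)  # constructed reference time
    for expr in ("0 0 3 * * *", "0 */5 * * * *", "0 0 9 * * 1-5"):
        print(f"{expr:16} next after {start}: {next_occurrence(expr, start)}")
```

A five-field expression (classic cron without the seconds field) is rejected outright, which is the most common mistake the exam tests for; the day-of-week conversion is the other detail worth noting, since NCRONTAB counts Sunday as 0 while Python's weekday() counts Monday as 0.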
Domain 2: Develop for Azure Storage
- Block blobs store unstructured data (files, images, video) up to roughly 190.7 TiB with current service versions; upload large content with Put Block to stage blocks then Put Block List to commit them in order.
- Blob access tiers are Hot (frequent access), Cool (infrequent, 30-day min), Cold (90-day min), and Archive (offline, 180-day min, rehydration required to read).
- Blob lifecycle management policies are rule-based JSON actions on the storage account that automatically move blobs between tiers (e.g., Hot to Cool after N days) or delete blobs/versions based on days since last modification or creation.
- Authorize blob data access with Microsoft Entra ID plus RBAC role assignments (preferred), Shared Access Signatures (SAS) with an expiry, or account/Shared Key; a user delegation SAS is signed with Entra ID credentials rather than the account key and is more secure.
- Copy a blob asynchronously server-side with BlobClient.StartCopyFromUri; the source can be in another account if accessible (anonymous or via SAS).
- Blob leases provide exclusive write/delete access; a finite lease must be 15 to 60 seconds, or you can request an infinite lease and release it explicitly.
- Azure Cosmos DB for NoSQL is the native first-party API storing JSON documents with single-digit-millisecond reads/writes, a SQL-like query language, and automatic indexing.
- Choose a Cosmos DB partition key with high cardinality, even traffic distribution (avoid hot partitions), and that is frequently used in query WHERE clauses; for example, customer ID or a composite key like userId + documentType.
- Cosmos DB offers five consistency levels: Strong, Bounded Staleness, Session (default), Consistent Prefix, and Eventual; Consistent Prefix guarantees reads never see writes out of order, while Strong gives linearizable reads at higher latency/cost.
- Request Unit (RU) cost of an operation scales with item size and query complexity (number of indexed properties, filters, joins); a query that filters on the partition key is a single-partition query and is the cheapest.
- The Cosmos DB change feed is a persistent, ordered log of inserts and updates; consume it with the change feed processor (which uses a lease container to track progress) or an Azure Functions Cosmos DB trigger.
- Optimize Cosmos DB queries by adding the right indexes: a composite index supports queries that filter and order on multiple properties, and the indexing policy must include any property used in filters.
- Cross-partition queries fan out to every physical partition and cost more RUs; design queries to include the partition key in the WHERE clause whenever possible.
- Cosmos DB also exposes compatibility APIs (MongoDB, Cassandra, Gremlin, Table); choose Cosmos DB for MongoDB to migrate an existing MongoDB workload with minimal application changes.
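The lifecycle management bullet describes rule-based JSON actions; the following added example (written for this guide, not code from Azure Storage) evaluates a policy document in the same JSON shape the storage account accepts against constructed blob metadata, so you can see which action each blob would receive. Assumptions: only daysAfterModificationGreaterThan conditions and the blobTypes/prefixMatch filters are modelled, only downward tier moves (Hot to Cool to Cold to Archive) are considered, and the coldest applicable action across all matching rules wins.

```python
"""Evaluate an Azure Blob lifecycle management policy against blob metadata.

Added example, not from the study guide or the Azure Storage service. Applies the
baseBlob actions of a policy document to constructed blobs and reports the
resulting action. Assumptions: daysAfterModificationGreaterThan conditions only,
blobTypes/prefixMatch filters only, downward tier moves only, coldest action wins.
"""
import json
from datetime import datetime, timedelta

# Constructed policy: Cool after 30 days, Archive after 180, delete after 365,
# applied only to block blobs under the "logs/" prefix.
POLICY_JSON = """
{
  "rules": [
    {
      "enabled": true,
      "name": "age-out-logs",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": {
            "tierToCool": {"daysAfterModificationGreaterThan": 30},
            "tierToArchive": {"daysAfterModificationGreaterThan": 180},
            "delete": {"daysAfterModificationGreaterThan": 365}
          }
        },
        "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["logs/"]}
      }
    }
  ]
}
"""

# Action name -> target tier (None = delete), ordered coldest-first.
ACTION_ORDER = [("delete", None), ("tierToArchive", "Archive"),
                ("tierToCold", "Cold"), ("tierToCool", "Cool")]
TIER_RANK = {"Hot": 0, "Cool": 1, "Cold": 2, "Archive": 3}
DELETE_RANK = 4


def _rule_applies(rule: dict, blob: dict) -> bool:
    """Check the rule's enabled flag and its blobTypes / prefixMatch filters."""
    if not rule.get("enabled", True):
        return False
    filters = rule["definition"].get("filters", {})
    if blob["blobType"] not in filters.get("blobTypes", [blob["blobType"]]):
        return False
    prefixes = filters.get("prefixMatch")
    return prefixes is None or any(blob["name"].startswith(p) for p in prefixes)


def evaluate_blob(policy: dict, blob: dict, now: datetime) -> str:
    """Return 'delete', 'tierTo<Tier>', or 'none' for one blob."""
    age_days = (now - blob["lastModified"]).days
    best = None  # (rank, action)
    for rule in policy["rules"]:
        if not _rule_applies(rule, blob):
            continue
        actions = rule["definition"]["actions"].get("baseBlob", {})
        for action, tier in ACTION_ORDER:
            cond = actions.get(action)
            if cond is None or age_days <= cond["daysAfterModificationGreaterThan"]:
                continue
            rank = DELETE_RANK if tier is None else TIER_RANK[tier]
            # Never "move" a blob to the tier it is already in or to a warmer one.
            if tier is not None and rank <= TIER_RANK[blob["tier"]]:
                continue
            if best is None or rank > best[0]:
                best = (rank, "delete" if tier is None else action)
            break  # actions within one rule are checked coldest-first
    return best[1] if best else "none"


def evaluate_all(policy_json: str, blobs: list[dict], now: datetime) -> dict[str, str]:
    policy = json.loads(policy_json)
    return {b["name"]: evaluate_blob(policy, b, now) for b in blobs}


NOW = datetime(2024, 6, 1)  # constructed reference time
SAMPLE_BLOBS = [  # constructed blob metadata
    {"name": "logs/app-2024-05-20.log", "blobType": "blockBlob", "tier": "Hot",
     "lastModified": NOW - timedelta(days=12)},
    {"name": "logs/app-2024-04-01.log", "blobType": "blockBlob", "tier": "Hot",
     "lastModified": NOW - timedelta(days=61)},
    {"name": "logs/app-2023-10-01.log", "blobType": "blockBlob", "tier": "Cool",
     "lastModified": NOW - timedelta(days=244)},
    {"name": "logs/app-2023-11-10.log", "blobType": "blockBlob", "tier": "Archive",
     "lastModified": NOW - timedelta(days=204)},
    {"name": "logs/app-2022-01-01.log", "blobType": "blockBlob", "tier": "Archive",
     "lastModified": NOW - timedelta(days=882)},
    {"name": "images/banner.png", "blobType": "blockBlob", "tier": "Hot",
     "lastModified": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    for name, action in evaluate_all(POLICY_JSON, SAMPLE_BLOBS, NOW).items():
        print(f"{name:32} -> {action}")
```

Two points the walk-through makes visible: the prefixMatch filter is what keeps the 400-day-old image out of the delete rule, and a blob already in Archive gets no tierToArchive action even though the age condition is met. Remember from the tier bullet that early moves out of Cool, Cold or Archive incur the minimum-retention charge, which a real policy should be designed around.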
Domain 3: Implement Azure Security
- App registration supported account types control sign-in scope; to allow work/school accounts from any tenant plus personal Microsoft accounts choose the multitenant + personal accounts option.
- Single-page browser apps must use the OAuth 2.0 authorization code flow with PKCE (the implicit flow is deprecated); PKCE protects against authorization-code interception.
- The OAuth 2.0 client credentials flow is for daemons/background services with no signed-in user; a confidential client authenticates as itself with a client secret or, more securely, a certificate.
- Delegated permissions act on behalf of a signed-in user; application permissions are used by apps running without a user and require admin consent. The token's aud (audience) claim identifies the intended recipient API.
- System-assigned managed identities are tied to a single resource's lifecycle (created/deleted with it); user-assigned managed identities are standalone resources that can be shared across multiple resources. Both eliminate stored credentials.
- Grant an App Service or Function a managed identity, then assign it Key Vault access so it can read secrets at runtime without credentials in code or config.
- Azure Key Vault access can be controlled by Azure RBAC (recommended) or by legacy vault access policies; you choose one permission model per vault.
- App Service and Functions can reference Key Vault secrets directly in app settings using the syntax @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/); the platform resolves it via the app's managed identity.
- Enable App Service authentication (Easy Auth) by setting unauthenticated requests to 'Require authentication' with Microsoft Entra ID as the identity provider, so the platform handles sign-in before requests reach your code.
- Call Microsoft Graph for the signed-in user's profile with GET https://graph.microsoft.com/v1.0/me and the User.Read delegated scope.
- MSAL's AcquireTokenSilent retrieves a cached, valid token without prompting; fall back to interactive acquisition only when silent acquisition fails.
- Enforce mutual TLS by setting client certificate mode to Require in App Service General settings, then validate the forwarded client certificate in your app.
- Set certificate or secret expiration appropriately (for example an Expires date 90 days out) and rotate before expiry; certificates are preferred over secrets for confidential clients.
- Authenticate Azure SDK clients to services using DefaultAzureCredential, which tries managed identity, environment variables, Azure CLI, and other sources in order, so the same code works locally and in Azure.
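The Key Vault reference syntax in the app-settings bullet has two documented forms (SecretUri, and VaultName;SecretName;SecretVersion), and a wrong reference silently leaves the setting unresolved. The following added example, written for this guide and not the App Service platform's own resolver, parses both forms, normalises them to vault/secret/version, and rejects references whose host is not a Key Vault DNS name. It assumes the public-cloud suffix .vault.azure.net (sovereign clouds use different suffixes) and an approximate name check for vault and secret names.

```python
"""Parse App Service / Functions Key Vault references found in app settings.

Added example (not from the study guide and not the platform's resolver).
Recognised forms:
  @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/[<version>])
  @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
Assumptions: Azure public cloud DNS suffix; approximate object-name validation.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

VAULT_SUFFIX = ".vault.azure.net"  # assumption: Azure public cloud only
_OUTER = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$", re.DOTALL)
_NAME = re.compile(r"^[A-Za-z0-9-]{1,127}$")  # approximation of Key Vault name rules


@dataclass(frozen=True)
class KeyVaultReference:
    vault: str
    secret: str
    version: Optional[str]  # None = latest version, picked up again on rotation


def is_keyvault_reference(value: str) -> bool:
    return value.strip().startswith("@Microsoft.KeyVault(")


def parse_keyvault_reference(value: str) -> KeyVaultReference:
    m = _OUTER.match(value.strip())
    if not m:
        raise ValueError("not a Key Vault reference")
    params = {}
    for pair in m.group("body").split(";"):
        key, sep, val = pair.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"malformed parameter {pair!r}")
        params[key.strip()] = val.strip()

    if "SecretUri" in params:
        u = urlparse(params["SecretUri"])
        # Only an https URL whose host is a real vault name is acceptable; this
        # also rejects look-alike hosts such as kv.vault.azure.net.example.com.
        if u.scheme != "https" or not u.hostname or not u.hostname.endswith(VAULT_SUFFIX):
            raise ValueError("SecretUri must be an https Key Vault URL")
        parts = [p for p in u.path.split("/") if p]
        if len(parts) not in (2, 3) or parts[0] != "secrets":
            raise ValueError("SecretUri path must be /secrets/<name>[/<version>]")
        vault = u.hostname[: -len(VAULT_SUFFIX)]
        secret = parts[1]
        version = parts[2] if len(parts) == 3 else None
    elif {"VaultName", "SecretName"} <= set(params):
        vault, secret = params["VaultName"], params["SecretName"]
        version = params.get("SecretVersion") or None
    else:
        raise ValueError("reference needs SecretUri or VaultName+SecretName")

    if not (_NAME.match(vault) and _NAME.match(secret)):
        raise ValueError("invalid vault or secret name")
    return KeyVaultReference(vault, secret, version)


def resolve_settings(settings: dict, fetch: Callable[[KeyVaultReference], str]) -> dict:
    """Replace every Key Vault reference in `settings` using fetch(ref) -> secret value.

    `fetch` is where the real platform uses the app's managed identity; here it is
    injected so the example runs offline.
    """
    return {k: fetch(parse_keyvault_reference(v)) if is_keyvault_reference(v) else v
            for k, v in settings.items()}


if __name__ == "__main__":
    demo = {  # constructed app settings
        "LogLevel": "Information",
        "DbPassword": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/DbPassword/)",
    }
    print(resolve_settings(demo, lambda ref: f"<{ref.vault}/{ref.secret}@{ref.version}>"))
```

Omitting the version (the trailing slash form) is what lets a rotated secret be picked up without a redeploy, which is the behaviour the rotation bullet relies on; pinning a version is the choice when a change must be rolled out deliberately.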
Domain 4: Monitor, Troubleshoot, and Optimize Azure Solutions
- Application Insights auto-collects request telemetry (incoming HTTP), dependency telemetry (outgoing calls to SQL/HTTP/storage), and exception telemetry (unhandled exceptions); use the Failures blade and Application Map to diagnose latency and errors.
- Track custom business events with TrackEvent (with properties and measurements), custom metrics with TrackMetric, and use the distributed Application Map to visualize dependency call durations.
- Query telemetry with Kusto Query Language (KQL); e.g., 'requests | where timestamp > ago(24h) | where duration > 5000' finds requests slower than 5 seconds, and '... | top 10 by duration desc' returns the slowest ten.
- Set up availability tests in Application Insights: a URL ping test for a simple endpoint check and a Standard test that supports HTTP verbs, custom headers, and SSL validation.
- Create metric alerts with static thresholds (or dynamic thresholds) on signals like response time, failures, or CPU to trigger action groups (email, SMS, webhook, Logic App).
- Build resiliency for transient faults (throttling, brief outages) with the Polly library: configure retry policies with exponential backoff, and use the CircuitBreaker policy to stop hammering a failing dependency.
- Azure Cache for Redis tiers: Basic (single node, no SLA), Standard (replicated two-node, SLA), and Premium (clustering, larger sizes, VNet, and data persistence). Use Premium with persistence to survive failures/maintenance without data loss.
- Redis persistence options are RDB (point-in-time snapshots at intervals) and AOF (append-only file logging every write for lower data-loss risk).
- Configure Redis eviction with maxmemory-policy: allkeys-lru evicts the least-recently-used key across all keys, allkeys-random evicts a random key, and volatile-* variants apply only to keys that have a TTL.
- Implement the cache-aside (lazy loading) pattern: read from cache; on a miss, read from the database, populate the cache, then return the value. Serialize complex objects to JSON and store them as a Redis String.
- Reduce origin load and bandwidth with conditional HTTP requests using ETag and If-None-Match (a 304 Not Modified avoids resending unchanged bodies).
- Azure CDN caching is controlled by origin Cache-Control / Expires headers; set caching rules to honor origin headers, and immediately invalidate stale content by purging the endpoint for specific content paths.
- Application Insights sampling reduces telemetry volume and cost; adaptive sampling is on by default and keeps related telemetry items together so end-to-end traces stay correct.
- Use Live Metrics for real-time monitoring during deployments, and connection-string-based configuration (not the legacy instrumentation key alone) when wiring up the Application Insights SDK.
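The transient-fault bullet names Polly's retry and circuit-breaker policies. Because the concepts are language-agnostic, here is an added example in Python (written for this guide; it is not the Polly library, which is .NET, and not code from the study guide) that implements exponential-backoff retry and a circuit breaker against a constructed flaky dependency. The sleep and clock functions are injected so the demonstration runs instantly and deterministically.

```python
"""Transient-fault handling in the Polly style: exponential-backoff retry plus a
circuit breaker.

Added example, not from the study guide and not the Polly library. Assumptions:
`sleep` and `clock` are injectable, and FlakyDependency stands in for a real
throttling backend.
"""
import time


class TransientError(Exception):
    """A fault worth retrying (HTTP 429/503, timeouts, throttling)."""


class CircuitOpenError(Exception):
    """Raised immediately while the breaker is open, instead of calling the dependency."""


def retry(fn, attempts=3, base_delay=0.5, max_delay=8.0, sleep=time.sleep):
    """Call fn(); on TransientError wait base_delay * 2**n (capped) and try again."""
    for n in range(attempts):
        try:
            return fn()
        except TransientError:
            if n == attempts - 1:
                raise  # retries exhausted: surface the fault to the caller
            sleep(min(max_delay, base_delay * (2 ** n)))


class CircuitBreaker:
    """Open after `failure_threshold` consecutive failures; half-open after `reset_after`."""

    def __init__(self, failure_threshold=3, reset_after=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock
        self.failures = 0
        self.opened_at = None
        self.state = "closed"

    def call(self, fn):
        if self.state == "open":
            if self.clock() - self.opened_at < self.reset_after:
                raise CircuitOpenError("dependency circuit is open")
            self.state = "half-open"  # allow a single trial call through
        try:
            result = fn()
        except Exception:
            self._on_failure()
            raise
        self._on_success()
        return result

    def _on_failure(self):
        self.failures += 1
        if self.state == "half-open" or self.failures >= self.failure_threshold:
            self.state = "open"
            self.opened_at = self.clock()

    def _on_success(self):
        self.failures = 0
        self.state = "closed"


class FlakyDependency:
    """Constructed stand-in for a throttling backend: fails its first `fail_first` calls."""

    def __init__(self, fail_first):
        self.fail_first = fail_first
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise TransientError("503 Service Unavailable")
        return f"ok after {self.calls} calls"


def demo_retry():
    """Return (result, recorded backoff delays) for a dependency that fails twice."""
    delays = []
    dep = FlakyDependency(fail_first=2)
    result = retry(dep, attempts=4, base_delay=0.5, sleep=delays.append)
    return result, delays


def demo_breaker():
    """Return the sequence of outcomes while the breaker trips, waits, and recovers."""
    now = [0.0]
    breaker = CircuitBreaker(failure_threshold=2, reset_after=30.0, clock=lambda: now[0])
    dep = FlakyDependency(fail_first=2)
    outcomes = []
    for step in range(5):
        try:
            outcomes.append(breaker.call(dep))
        except TransientError:
            outcomes.append("transient")
        except CircuitOpenError:
            outcomes.append("open")
        if step == 2:
            now[0] += 31.0  # let the reset window elapse before the next call
    return outcomes


if __name__ == "__main__":
    print(demo_retry())
    print(demo_breaker())
```

The two policies solve different problems: retry absorbs a brief fault on one call, while the breaker protects a dependency that is already failing from being hammered by every caller (the third call in demo_breaker fails fast without reaching the backend). In production the retry sits inside the breaker, and the backoff should include jitter so that many instances do not retry in lock-step.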
Domain 5: Connect to and Consume Azure Services
- Azure Service Bus is an enterprise message broker (queues for point-to-point, topics/subscriptions for publish-subscribe) supporting AMQP 1.0 and HTTP/HTTPS, transactions, and dead-lettering.
- Enable Service Bus sessions to get guaranteed FIFO ordering for a group of related messages sharing a session ID; the EventProcessor/receiver locks a session so messages process in order.
- Service Bus subscription filters route messages: correlation filters match on system/user properties (e.g., Priority = High) efficiently, while SQL filters allow richer boolean expressions on message properties.
- Service Bus duplicate detection discards messages with a repeated MessageId within a configured time window; set maxDeliveryCount (e.g., 5) so messages exceeding the delivery attempts move to the dead-letter queue.
- Azure Event Grid is a discrete-event routing service for reactive, event-driven apps with advanced filtering (event type, subject prefix/suffix, numeric/string operators) and supports the CloudEvents v1.0 schema for interoperability.
- Event Grid delivers with exponential-backoff retries and supports dead-lettering to a storage account for events that cannot be delivered within the retry/TTL window; use one custom topic and differentiate consumers via event types and subject filtering.
- Azure Event Hubs is a high-throughput streaming ingestion service (millions of events/second) for telemetry/IoT and clickstream analytics; it uses partitions and consumer groups, with the EventProcessorClient providing checkpointing and load balancing across consumers.
- Choose the right messaging service: Service Bus for ordered/transactional enterprise messaging, Event Grid for discrete event notifications and routing, and Event Hubs for high-volume event streaming.
- Azure API Management policies run in scoped pipeline sections: inbound (before backend), backend, outbound (after backend response), and on-error; outbound is where you transform the response body, headers, or status before returning to the client.
- Throttle in APIM with rate-limit (fixed-window throttling per subscription key) and rate-limit-by-key (custom key such as client IP or user); also use validate-jwt to authenticate callers in the inbound pipeline.
- Cache responses in APIM with cache-lookup in the inbound section and cache-store in the outbound section to reduce backend load for repeatable GET requests.
- APIM Products group APIs with their own policies, subscription requirements, and approval workflow, and the built-in developer portal auto-generates interactive API documentation.
- Use the APIM send-request policy to call an external service mid-pipeline and compose its result into the response (response composition / aggregation) in the outbound section.
- Expose a legacy SOAP service through APIM by importing its WSDL, then apply transformation policies (such as SOAP-to-REST or xml-to-json) to convert requests and responses.
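The duplicate-detection and maxDeliveryCount bullet is worth seeing end to end. The following added example (written for this guide; it is not the Azure Service Bus SDK or service code) is an in-memory queue model with an injectable clock: a repeated MessageId inside the detection window is dropped, a message abandoned more times than maxDeliveryCount lands in the dead-letter sub-queue with the MaxDeliveryCountExceeded reason, and the same MessageId is accepted again once the window has passed. Assumption: the lock/renew semantics of a real receiver are reduced to receive(), complete() and abandon().

```python
"""In-memory model of two Service Bus queue features: duplicate detection and
maxDeliveryCount dead-lettering.

Added example, not from the study guide and not the Azure Service Bus SDK.
Assumptions: injectable clock; receive/complete/abandon stand in for the
peek-lock receive mode.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    message_id: str
    body: str
    delivery_count: int = 0
    dead_letter_reason: Optional[str] = None


class Queue:
    def __init__(self, max_delivery_count=5, dedup_window_seconds=600, clock=None):
        self.max_delivery_count = max_delivery_count
        self.dedup_window = dedup_window_seconds
        self.clock = clock or (lambda: 0.0)
        self.active = deque()
        self.dead_letter = []
        self._seen = {}  # MessageId -> time the id was first accepted

    def send(self, message_id: str, body: str) -> bool:
        """Enqueue unless the MessageId was seen inside the detection window; return False when dropped."""
        now = self.clock()
        seen_at = self._seen.get(message_id)
        if seen_at is not None and now - seen_at < self.dedup_window:
            return False
        self._seen[message_id] = now
        self.active.append(Message(message_id, body))
        return True

    def receive(self) -> Optional[Message]:
        """Hand out the next message; every delivery (including redelivery) bumps the count."""
        if not self.active:
            return None
        msg = self.active.popleft()
        msg.delivery_count += 1
        return msg

    def complete(self, msg: Message) -> None:
        pass  # already removed from the active queue on receive

    def abandon(self, msg: Message) -> None:
        """Return the message for redelivery, or dead-letter it once the limit is reached."""
        if msg.delivery_count >= self.max_delivery_count:
            msg.dead_letter_reason = "MaxDeliveryCountExceeded"
            self.dead_letter.append(msg)
        else:
            self.active.appendleft(msg)


def demo():
    """Return (send results, dead-lettered messages) for a constructed scenario."""
    now = [0.0]
    q = Queue(max_delivery_count=3, dedup_window_seconds=600, clock=lambda: now[0])
    accepted = [q.send("order-1", "create"),
                q.send("order-1", "create (client retry)"),   # duplicate, dropped
                q.send("order-2", "create")]
    now[0] = 700.0  # detection window has elapsed
    accepted.append(q.send("order-1", "create again"))        # accepted this time
    # Consumer: the handler for 'order-1' keeps failing (poison message); 'order-2' succeeds.
    while (m := q.receive()) is not None:
        if m.message_id == "order-1":
            q.abandon(m)
        else:
            q.complete(m)
    dead = [(m.message_id, m.delivery_count, m.dead_letter_reason) for m in q.dead_letter]
    return accepted, dead


if __name__ == "__main__":
    print(demo())
```

Note that the loop terminates only because every abandon increments delivery_count; without maxDeliveryCount a poison message would be redelivered forever, which is the exam's motivation for the dead-letter queue. Duplicate detection must be enabled when the queue is created, and it keys on MessageId alone, so the producer has to set that id deterministically (for example from an order number) for retries to be recognised as duplicates.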
AZ-204 exam tips
- Watch for the 'right service' decision questions in domain 5: Service Bus = ordered/transactional enterprise messaging, Event Grid = discrete event routing with filtering, Event Hubs = high-volume telemetry streaming. Pick by the verbs in the scenario (ordering, FIFO, dead-letter vs. react-to-event vs. millions/second).
- Default to managed identities and Key Vault references for any 'no credentials in code/config' scenario; if asked which identity to use, system-assigned ties to one resource's lifecycle and user-assigned is shareable across resources.
- Memorize Functions plan trade-offs and the NCRONTAB six-field format. Remember Blob triggers can lag minutes on default polling but are near-real-time with Event Grid, a common 'reduce latency' answer.
- For Cosmos DB, the partition-key answer is almost always high cardinality, even distribution, and used in WHERE clauses; cross-partition queries cost more RUs, so single-partition queries that filter on the partition key are the optimization.
- Expect KQL snippets in monitoring questions; know that requests/dependencies/exceptions are separate tables, duration is in milliseconds, and ago() defines the time window. Pair Polly retry/circuit-breaker with transient-fault scenarios.
Study guide FAQ
What is the passing score and exam format for AZ-204?
You need 700 on a 1000-point scale to pass. Expect roughly 40-60 questions in about 120 minutes, including multiple choice, multiple response, drag-and-drop ordering, and one or more case studies. Some items use Azure CLI, PowerShell, or C#/code snippets, so read the exact wording (and any 'NOT' or 'least privilege' qualifiers) carefully.
How much coding is on the exam and which languages are tested?
AZ-204 is a developer exam, so you will see code: function bindings and attributes, SDK calls, MSAL token acquisition, KQL queries, and APIM policy XML. C# is the most common language in samples, but concepts (bindings, triggers, SAS, RBAC, retries) are language-agnostic. You do not need to write code from scratch, but you must recognize correct attribute usage, method names like AcquireTokenSilent and StartCopyFromUri, and configuration syntax.
Which domain carries the most weight and where should I focus?
By the sampled question counts, 'Connect to and Consume Azure Services' (domain 5) is the largest, followed closely by compute, storage, and monitoring; security is also heavily tested. Prioritize messaging/integration (Service Bus, Event Grid, Event Hubs, API Management) and compute (Functions, App Service slots, containers), then make sure Key Vault + managed identity and Cosmos DB partitioning are solid.
What hands-on experience should I have before sitting the exam?
Microsoft recommends one-to-two years of professional development plus practical Azure experience. Before the exam, build and deploy a Function app and a containerized web app, configure a deployment slot swap, store and read a secret from Key Vault via managed identity, partition data in Cosmos DB, instrument an app with Application Insights and run KQL queries, and wire up Service Bus, Event Grid, and an API Management policy. Hands-on practice is the fastest path to the scenario-based questions.