Cert-Pass
Log in Sign up
arrow_back Cert

Microsoft AZ-104 Azure Administrator Associate

🔥 0 streak
0%
timer Mock Exam lock Pro menu_book Course description 3-Page download Free
menu_book

AZ-104 Azure Administrator Associate

Compressed Course

AZ-104 Microsoft Azure Administrator Associate

Compressed Complete Study Guide

Exam: AZ-104: Microsoft Azure Administrator
Certification: Microsoft Certified: Azure Administrator Associate
Blueprint version used: Skills measured as of April 17, 2026
Purpose: A practical, scenario-focused course for rapid learning, realistic revision, and exam-day decision making.


Table of Contents

  1. Exam Overview
  2. Exam Domains
  3. Start-to-Finish Study Path
  4. Core Concepts by Domain
  5. Service Selection Guide
  6. Architecture Patterns
  7. Exam Traps
  8. Quick Memory Rules
  9. Final Revision Notes
  10. Exam-Day Checklist

1. Exam Overview

AZ-104 tests whether you can operate an Azure environment safely and efficiently. It is not mainly a memorization exam. Most scenarios ask you to choose the most appropriate administrative action while balancing:

  • Least privilege
  • Minimum operational effort
  • Scope
  • Availability
  • Security
  • Recoverability
  • Cost
  • Troubleshooting efficiency

A passing score is 700 or greater. Microsoft periodically updates the exam. This guide follows the skills measured as of April 17, 2026.

What an Azure administrator is expected to manage

You should be comfortable administering:

  • Microsoft Entra users, groups, licenses, and external identities
  • Azure role-based access control (Azure RBAC)
  • Subscriptions, management groups, policies, locks, tags, budgets, and Advisor recommendations
  • Azure Storage accounts, blobs, Azure Files, access controls, replication, tiers, and recovery controls
  • Azure virtual machines, disks, availability, scale sets, templates, and Bicep
  • Azure Container Registry, Azure Container Instances, and Azure Container Apps
  • Azure App Service plans, apps, TLS, DNS, deployment slots, backups, networking, and scaling
  • Virtual networks, subnets, peering, routes, NSGs, Bastion, private endpoints, service endpoints, DNS, and load balancers
  • Azure Monitor, Log Analytics, alerts, Network Watcher, Backup, and Site Recovery

The core AZ-104 mindset

When a scenario gives several valid-looking options, ask:

  1. What exact requirement is being tested?
  2. Is the requirement about management-plane control, data-plane access, routing, filtering, monitoring, availability, or recovery?
  3. What is the smallest scope that meets the requirement?
  4. Does the chosen feature solve the requirement directly, or is it only related?
  5. Is there an Azure-native feature that avoids a manual workaround?

A common exam pattern is to offer a distractor that is technically useful but solves the wrong layer of the problem.


2. Exam Domains

Domain Official Weight Study Priority Main Question Style
Manage Azure identities and governance 20–25% Very high Scope, roles, policy, locks, costs
Implement and manage storage 15–20% High Access, redundancy, data protection, tiering
Deploy and manage Azure compute resources 20–25% Very high Deployment, availability, scaling, App Service, containers
Implement and manage virtual networking 15–20% High Routing, filtering, private access, DNS, load balancing
Monitor and maintain Azure resources 10–15% High Logs, alerts, insights, Backup, Site Recovery

Suggested effort allocation

Because the official weights are ranges, use this revision split:

Domain Recommended Revision Time
Identities and governance 24%
Storage 18%
Compute 25%
Networking 19%
Monitoring and recovery 14%

Highest-value cross-domain themes

These themes appear repeatedly because they connect multiple domains:

  • Scope inheritance: tenant, management group, subscription, resource group, resource
  • Least privilege: choose the smallest role and smallest scope
  • Private access: private endpoint versus service endpoint
  • Traffic flow: DNS → route → NSG → load balancer → backend health
  • Availability: availability zones, availability sets, scale sets, backups, and Site Recovery solve different problems
  • Recoverability: soft delete, versioning, snapshots, Backup, and Site Recovery are not interchangeable
  • Automation: prefer ARM templates or Bicep for repeatable deployments
  • Monitoring pipeline: collect → query → evaluate → notify

3. Start-to-Finish Study Path

Phase 1 — Build the Azure mental model

Learn the basic Azure hierarchy first:

Microsoft Entra tenant
└── Management groups
    └── Subscriptions
        └── Resource groups
            └── Resources

Then separate two types of access:

Access Type Meaning Examples
Management plane Manage the Azure resource configuration Create a VM, change an NSG, assign a policy
Data plane Access the data inside a service Read blobs, upload files, query stored data

This distinction eliminates many wrong answers. For example, Reader can view a storage account configuration but does not automatically grant permission to read blobs.

Phase 2 — Master service selection

Build quick decision rules:

  • Need to prevent a deployment? Azure Policy
  • Need to stop accidental deletion? CanNotDelete lock
  • Need to block changes and deletion? ReadOnly lock
  • Need time-limited delegated storage access? SAS
  • Need storage access through a private IP? Private endpoint
  • Need selected subnet access while using a public PaaS endpoint? Service endpoint
  • Need secure RDP or SSH without VM public IP addresses? Azure Bastion
  • Need multiple identical VMs with autoscale? Virtual Machine Scale Sets
  • Need revisions and scale-to-zero for containerized microservices? Azure Container Apps
  • Need simple fast serverless container execution? Azure Container Instances
  • Need logs sent to Log Analytics? Diagnostic settings
  • Need threshold-based notification? Alert rule + action group
  • Need regional disaster recovery orchestration? Azure Site Recovery

Phase 3 — Learn the major comparison tables

Spend time on the comparisons that generate the most exam traps:

  • Azure RBAC versus Azure Policy versus locks
  • Availability zones versus availability sets versus backups versus Site Recovery
  • Private endpoints versus service endpoints
  • Blob soft delete versus container soft delete versus blob versioning versus snapshots
  • Azure Container Instances versus Azure Container Apps versus Virtual Machine Scale Sets versus App Service
  • Metrics versus logs versus Activity Log
  • Recovery Services vault versus Backup vault

Phase 4 — Practice layered troubleshooting

For network failures, use this sequence:

Name resolution
→ Route selection
→ NSG filtering
→ Public/private endpoint design
→ Load balancer probe
→ Backend application state

For monitoring failures, use:

Telemetry source
→ Diagnostic setting or agent
→ Workspace destination
→ KQL query
→ Alert rule
→ Action group
→ Alert processing rule

For access failures, use:

Identity
→ Group membership
→ Role
→ Scope
→ Inheritance
→ Data-plane permission
→ Network restriction

Phase 5 — Final revision

Before the exam:

  • Re-read the quick memory rules
  • Rebuild each architecture pattern from memory
  • Practice explaining why the strongest distractor is wrong
  • Review high-value traps
  • Use the exam sandbox to understand the interface

4. Core Concepts by Domain

Domain 1 — Manage Azure Identities and Governance

4.1 Microsoft Entra users and groups

Microsoft Entra ID manages identities used across Azure.

User types

User Type Use Case
Member user Internal workforce identity
Guest user External collaborator using an external identity
Cloud-only user Identity created directly in Microsoft Entra ID
Synchronized user Identity synchronized from an external directory

Groups

Group Type Best Use
Security group Assign permissions, licenses, or access
Microsoft 365 group Collaboration scenarios
Assigned membership Manually maintained membership
Dynamic user membership Automatically include users based on attributes
Dynamic device membership Automatically include devices based on attributes

Decision rule

When the question says:

Membership must update automatically when the user's department changes.

Choose:

A dynamic Microsoft Entra security group with a membership rule based on the department attribute.

Do not choose an assigned group. Assigned membership requires manual maintenance.

Group-based licensing

Group-based licensing applies licenses to members of a Microsoft Entra group. If assignment fails:

  1. Review license assignment errors.
  2. Identify conflicting service plans or missing prerequisites.
  3. Resolve the license issue.
  4. Reprocess the assignment.

Do not confuse Azure resource roles with Microsoft Entra license management.

External users

Use Microsoft Entra B2B guest invitations when external partners should authenticate with their existing organizational identities.

Avoid:

  • Sharing one internal account
  • Sending passwords manually
  • Creating unnecessary cloud-only member users for partners

Self-service password reset

Use SSPR when users must reset their own passwords.

Key exam clue:

Enable the feature for a pilot group only.

Answer:

Enable SSPR for selected users and choose the pilot group.


4.2 Azure RBAC

Azure RBAC controls who can perform actions on Azure resources.

Role assignment model

Security principal + Role definition + Scope
Component Meaning
Security principal User, group, service principal, or managed identity
Role definition Allowed actions
Scope Where the permissions apply

Scope hierarchy

Management group
→ Subscription
→ Resource group
→ Resource

Permissions inherit downward. Prefer the smallest scope that meets the requirement.

Important built-in roles

Role What It Allows Common Trap
Reader View Azure resources Does not modify resources
Contributor Create and manage resources Cannot manage role assignments by default
Owner Full management plus role assignment control Usually broader than necessary
User Access Administrator Manage access assignments Does not provide general resource modification
Virtual Machine Contributor Manage VMs Does not grant broad subscription management
Storage Blob Data Reader Read blob data Data-plane role
Storage Blob Data Contributor Read, write, and delete blob data Data-plane role

Additive permissions

Azure RBAC assignments are additive.

Example:

  • Reader at subscription scope
  • Contributor at resource-group scope

Result:

  • Contributor within that resource group
  • Reader elsewhere in the subscription

The Reader role does not override Contributor.

Least-privilege pattern

Question:

A developer must upload blobs to one storage account only.

Best answer:

Assign Storage Blob Data Contributor at the storage-account scope.

Wrong answer:

Assign Contributor at subscription scope.

Why wrong:

  • Contributor is broader
  • Subscription scope affects unrelated resources
  • A management-plane role may not be the best fit for blob data access

4.3 Azure Policy, locks, and tags

These are frequently confused.

Feature Purpose Example
Azure Policy Enforce or audit configuration rules Deny resources outside approved regions
Resource lock Protect resources from accidental changes or deletion Prevent deletion of a production database
Tag Add metadata for organization and cost analysis Owner=Finance
Azure RBAC Control who can perform actions Grant VM restart permissions

Azure Policy

Use Azure Policy to:

  • Deny unsupported regions
  • Require tags
  • Audit configurations
  • Deploy required settings when missing
  • Modify supported properties
  • Apply governance at scale

Policy effects

Effect Typical Use
Deny Block noncompliant deployment
Audit Report noncompliance
Append Add supported fields
Modify Adjust supported fields
DeployIfNotExists Deploy a related configuration when missing
AuditIfNotExists Report when related configuration is missing

Remediation

A DeployIfNotExists or Modify policy may need a remediation task for existing resources.

Decision rule:

New deployments are corrected, but existing resources remain noncompliant.

Choose:

Create a remediation task.

Policy initiatives

An initiative groups related policy definitions.

Use an initiative when several policies should be managed together, such as:

  • Allowed locations
  • Required tags
  • Diagnostic settings
  • Encryption controls

Policy exclusions and exemptions

Option Best Use
Excluded scope Do not evaluate a child scope under the assignment
Policy exemption Document an approved exception while preserving the broader assignment

Resource locks

Lock Prevents Deletion Prevents Modification
CanNotDelete Yes No
ReadOnly Yes Yes

Memory rule:

  • Protect from deletion only: CanNotDelete
  • Freeze configuration: ReadOnly

Tags

Use tags for:

  • Cost allocation
  • Ownership
  • Environment labeling
  • Operational grouping
  • Reporting

Examples:

Environment=Production
Owner=Finance
Application=Billing
CostCenter=CC-2040

Do not treat tags as security boundaries. Tags do not isolate resources or enforce network access.


4.4 Resource groups, subscriptions, and management groups

Resource groups

A resource group is a lifecycle and management container for Azure resources.

Use resource groups to:

  • Organize related resources
  • Apply RBAC
  • Apply policies
  • Apply locks
  • Move compatible resources when supported

Before moving a resource:

  • Check whether the resource type supports the move
  • Identify dependencies
  • Select required dependent resources
  • Validate before committing

Subscriptions

Subscriptions provide boundaries for:

  • Billing
  • Quotas
  • Governance
  • Access control
  • Environment separation

Typical pattern:

Production subscription
Development subscription
Shared services subscription
Sandbox subscription

Management groups

Management groups sit above subscriptions.

Use management groups to:

  • Apply policy across subscriptions
  • Apply Azure RBAC across subscriptions
  • Build governance hierarchies

Example:

Tenant root
├── Production management group
│   ├── Production subscription A
│   └── Production subscription B
└── Non-production management group
    ├── Development subscription
    └── Sandbox subscription

Cost management

Use:

Requirement Feature
Notify when actual or forecasted cost reaches a threshold Cost Management budget
Review optimization recommendations Azure Advisor
Analyze spending by department Tags plus cost analysis
Separate billing boundaries Separate subscriptions

Domain 1 Exam Traps

  • Contributor cannot manage Azure RBAC assignments by default.
  • Owner is often correct but too broad.
  • A lock does not replace Azure Policy.
  • A tag does not enforce anything.
  • A resource group does not span subscriptions.
  • A management group governs subscriptions; it does not hold application resources directly.
  • Azure RBAC permissions are additive.
  • Storage configuration access and blob data access are different.

Domain 2 — Implement and Manage Storage

4.5 Storage account fundamentals

Common storage services

Service Purpose
Blob Storage Object storage for unstructured data
Azure Files Managed file shares using supported file protocols
Queue Storage Message queues
Table Storage Key-value NoSQL data
Managed disks Block storage for VMs

Storage account kind

For general-purpose support of blobs, files, queues, and tables, choose:

StorageV2

Redundancy options

Option Replication Scope Typical Use
LRS Copies in one datacenter Lowest cost, limited resilience
ZRS Copies across availability zones in one region Zone-level resilience
GRS Primary region plus paired secondary region Regional replication
RA-GRS GRS plus read access to secondary endpoint Read from secondary before failover
GZRS Zone redundancy in primary plus geo-replication Higher resilience
RA-GZRS GZRS plus readable secondary Higher resilience with secondary reads

Fast selection rules

  • Need zone resilience in one region? ZRS
  • Need geo-replication? GRS
  • Need readable secondary endpoint? RA-GRS or RA-GZRS
  • Need minimum cost only? LRS

4.6 Storage access control

Storage security is layered.

Identity permission
+ SAS or key strategy
+ Network restriction
+ Encryption

Storage firewalls and virtual network rules

Use storage networking settings to:

  • Allow selected public IP ranges
  • Allow selected virtual networks
  • Restrict public access
  • Configure private endpoint access

Access keys

Storage accounts have access keys. Treat them like high-value secrets.

Rotation pattern:

  1. Regenerate the unused key.
  2. Update applications to use the new key.
  3. Validate access.
  4. Regenerate the exposed or old key.

Do not rotate both keys simultaneously unless downtime is acceptable.

Shared access signatures

A SAS provides delegated, time-limited access.

Use SAS when:

  • A vendor needs temporary blob access
  • A client should upload files for a limited period
  • Sharing the full account key would be too broad

Limit:

  • Resource scope
  • Permissions
  • Start time
  • Expiry time
  • Allowed protocol
  • Allowed IP range when appropriate

Stored access policies

Use a stored access policy when multiple service SAS tokens need centralized revocation or modification.

Decision rule:

Revoke several SAS tokens before their individual expiry times.

Choose:

Associate SAS tokens with a stored access policy.

Identity-based access for Azure Files

Use identity-based authentication for Azure Files when users should access SMB shares using identities instead of shared keys.


4.7 Blob Storage

Containers

A blob container organizes blob objects.

Use blobs for:

  • Images
  • Documents
  • Backups
  • Logs
  • Static content
  • Data lake objects

Access tiers

Tier Access Pattern Key Characteristic
Hot Frequently accessed Higher storage cost, lower access cost
Cool Infrequently accessed but online Immediate access
Cold Less frequent access, still online Lower storage cost than Cool
Archive Rarely accessed Offline; requires rehydration

Decision rule:

  • Rare access but immediate retrieval required → Cool or Cold, depending on expected retention and economics
  • Long-term archive with acceptable retrieval delay → Archive

Lifecycle management

Lifecycle rules automate:

  • Tier changes
  • Deletion
  • Retention behavior based on age and conditions

Example:

Move blobs to Cool after 30 days
Move blobs to Archive after 180 days
Delete blobs after 730 days

Blob protection features

Feature Protects Against Best Use
Blob soft delete Accidental blob deletion Restore deleted blobs during retention window
Container soft delete Accidental container deletion Restore deleted blob containers
Blob versioning Overwrite or modification Restore an earlier blob version
Lifecycle management Aging data Automate tier transitions and deletion
Object replication Need copy in another storage account Async copy of supported blobs

Important distinction

Question:

Users overwrite documents and need to recover earlier values.

Choose:

Blob versioning.

Question:

An entire container was deleted accidentally.

Choose:

Container soft delete.

Question:

A blob was deleted accidentally.

Choose:

Blob soft delete.


4.8 Azure Files

Azure Files provides managed file shares.

Use it when applications or users need:

  • Shared file-system access
  • SMB-based access
  • Managed cloud file shares
  • Mountable shares for multiple clients

Azure Files protection

Feature Purpose
Share snapshot Read-only point-in-time copy
Soft delete for Azure file shares Recover accidentally deleted file shares
Identity-based access Avoid shared key use for SMB access

Snapshot versus soft delete

  • Need a known point-in-time copy before a change? Share snapshot
  • Need recovery after accidental deletion? Soft delete

4.9 Data movement and encryption

Tools

Tool Best Use
AzCopy Command-line bulk data transfer
Azure Storage Explorer Graphical browsing and management
Azure portal Basic administrative actions

Encryption

Azure Storage encrypts data at rest. If the scenario requires control over the encryption key, use:

Customer-managed key stored in a supported key-management service such as Azure Key Vault.

Do not confuse access delegation with encryption. A SAS token controls access; it does not select the encryption key.


Domain 2 Exam Traps

  • Blob versioning is not the same as blob soft delete.
  • Blob soft delete does not specifically recover an entire deleted container.
  • Archive is not immediately readable.
  • GRS replicates to a secondary region, but RA-GRS provides read access to the secondary endpoint.
  • A SAS is safer than sharing an account key for limited delegated access.
  • A stored access policy helps centrally revoke service SAS tokens.
  • AzCopy is a command-line transfer tool; Storage Explorer is a graphical management tool.
  • A private endpoint provides a private IP; a service endpoint does not.

Domain 3 — Deploy and Manage Azure Compute Resources

4.10 ARM templates and Bicep

Infrastructure as code makes deployments repeatable.

ARM templates

ARM templates are declarative JSON files.

Bicep

Bicep is an Azure-native declarative language that compiles to ARM JSON.

Use Bicep when you want:

  • Cleaner syntax
  • Reusable modules
  • Parameters
  • Outputs
  • Repeatable deployment
  • Easier maintenance than raw JSON

Common deployment tasks

You should be able to:

  • Interpret ARM templates or Bicep files
  • Modify parameters
  • Modify resources
  • Deploy resources
  • Export existing deployments
  • Convert an ARM template to Bicep
  • Use reusable modules

Deployment modes

Mode Behavior
Incremental Adds or updates declared resources; leaves unrelated resources
Complete Can remove resources not declared in the template at the deployment scope

Exam rule:

Resources not listed in the template must remain.

Choose:

Incremental mode.

Export and decompile

Use export as a starting point for infrastructure as code. Review generated templates before production use.

Possible workflow:

Existing Azure resources
→ Export ARM template
→ Refine template
→ Optionally decompile to Bicep
→ Parameterize
→ Deploy repeatedly

4.11 Virtual machines

VM components

A VM commonly includes:

  • VM resource
  • Network interface
  • Virtual network and subnet
  • OS disk
  • Optional data disks
  • Optional public IP
  • Optional NSG
  • Boot diagnostics
  • Optional availability configuration

Resize a VM

Resize when you need more CPU or memory while keeping existing disks and configuration.

Managed disks

Change disk size or SKU when you need more capacity or performance.

Encryption at host

Use encryption at host when security policy requires host-level encryption for:

  • Temporary disks
  • Disk caches
  • Data paths on the host

Do not confuse this with only encrypting managed disks at rest.

Moving VMs

Before moving a VM:

  • Check move support
  • Check dependent resources
  • Include required NICs, disks, and related resources
  • Validate before committing

A move between regions is different from a move between resource groups.


4.12 VM availability and scale

Availability options solve different failure modes.

Feature Purpose Scale Automatically? Regional DR?
Availability set Spread VMs across fault and update domains No No
Availability zones Spread VMs across separate datacenters in a region No No
Virtual Machine Scale Sets Manage multiple similar VM instances and autoscale Yes Not by itself
Azure Backup Restore from recovery points No Not active failover
Azure Site Recovery Replicate and orchestrate failover No Yes

Availability sets

Use when:

  • Multiple VMs must reduce correlated host-failure and maintenance risk
  • Availability zones are not used or not available for the workload

Availability zones

Use when:

  • Datacenter-level fault isolation is required within one Azure region
  • The region and service support zones

Virtual Machine Scale Sets

Use when:

  • Instances are similar
  • Scale-out and scale-in are required
  • Workload is stateless or appropriately designed
  • Autoscale rules should change instance count

Memory rule:

  • Availability set: resilient placement
  • Availability zones: datacenter separation
  • Scale set: resilient group plus scaling

4.13 Containers

Azure Container Registry

Use Azure Container Registry (ACR) to store private container images and artifacts.

Azure Container Instances

Use Azure Container Instances (ACI) when you need:

  • Fast container execution
  • No server administration
  • No orchestrator management
  • A simple batch or utility workload
  • Explicit CPU and memory sizing for a container group

Azure Container Apps

Use Azure Container Apps when you need:

  • Managed microservices
  • Revisions
  • Ingress
  • Replica scaling
  • Scale-to-zero behavior
  • Event-driven or HTTP-based scaling

Service comparison

Requirement Best Fit
Run one container quickly Azure Container Instances
Scale a microservice based on traffic Azure Container Apps
Store private container images Azure Container Registry
Scale groups of VMs Virtual Machine Scale Sets
Host web apps without managing servers Azure App Service

Container sizing versus scaling

  • Sizing: CPU and memory requested for a container
  • Scaling: Number of replicas or instances

Do not confuse adding replicas with increasing the resources of one container.


4.14 Azure App Service

App Service hosts web applications and APIs without requiring VM management.

App Service plan

The App Service plan defines:

  • Region
  • Pricing tier
  • Compute capacity
  • Scaling features
  • Shared hosting capacity for apps

Scale up versus scale out

Action Meaning
Scale up Move to a larger or more capable pricing tier
Scale out Increase the number of instances
Scale in Reduce the number of instances

Question:

Add instances when CPU rises and remove them when load falls.

Choose:

Autoscale rules on the App Service plan.

TLS and custom domains

To serve a custom domain securely:

  1. Configure the DNS mapping.
  2. Add the custom domain.
  3. Bind an appropriate TLS certificate.
  4. Enforce HTTPS.

A DNS record alone does not configure TLS.

App Service networking

Requirement Feature
App needs outbound access to private VNet resources VNet integration
Clients need inbound private access to the app Private endpoint, where supported and appropriate
Restrict inbound access Access restrictions and networking controls
Validate new app release safely Deployment slot

Deployment slots

Use slots when you need:

  • Pre-production validation
  • Minimal-downtime release
  • Fast rollback
  • Controlled slot swap

Pattern:

Deploy to staging slot
→ Validate
→ Swap staging with production
→ Roll back with another swap if necessary

App Service backup

Configure App Service backups when supported by the selected tier and workload requirements.


Domain 3 Exam Traps

  • Incremental mode preserves unrelated resources; Complete mode can remove undeclared resources.
  • Resize changes VM compute size; it does not require rebuilding the VM.
  • Encryption at host is specifically important for temporary disks and caches.
  • Availability zones and availability sets are not autoscaling solutions.
  • Scale sets scale VMs, not App Service plans.
  • Azure Container Instances is simpler than Azure Container Apps.
  • Azure Container Apps is better for revisions, ingress, replica scaling, and scale-to-zero.
  • VNet integration is for App Service outbound connectivity.
  • A deployment slot supports safer releases; it is not a scaling feature.

Domain 4 — Implement and Manage Virtual Networking

4.15 Virtual networks and subnets

A virtual network is an isolated Azure network. Subnets divide the VNet into segments.

Use subnets to separate:

  • Web tier
  • Application tier
  • Database tier
  • Management tier
  • Private endpoint subnet
  • Bastion subnet

Addressing

Avoid overlapping address spaces when networks must be connected.

Example:

Hub VNet:   10.0.0.0/16
Spoke A:    10.10.0.0/16
Spoke B:    10.20.0.0/16
On-prem:    172.16.0.0/16

VNet peering

Use peering for private communication between VNets over the Microsoft backbone.

Key rule:

VNet peering is not transitive by default.

If:

VNet-A ↔ VNet-B
VNet-B ↔ VNet-C

Do not assume:

VNet-A ↔ VNet-C

Gateway transit

In hub-and-spoke networks:

  • Hub peering: allow gateway transit
  • Spoke peering: use remote gateways

This allows a spoke to use the hub gateway when supported and correctly configured.


4.16 Routing

Azure uses routes to determine the next hop.

User-defined routes

Use a route table with a UDR when traffic must be directed through:

  • A network virtual appliance
  • A firewall
  • A gateway
  • A specific next hop

Pattern:

Subnet
→ Route table
→ UDR
→ Next hop: virtual appliance

Effective routes

When troubleshooting, inspect effective routes on the NIC to see applied routes and selected paths.

Route versus NSG

Feature Purpose
Route table / UDR Determines where traffic goes
NSG Determines whether traffic is allowed
DNS Determines which IP address a name resolves to
Load balancer Distributes traffic to healthy backends

4.17 NSGs and application security groups

NSGs

Network security groups filter inbound and outbound traffic.

An NSG rule includes:

  • Source
  • Source port
  • Destination
  • Destination port
  • Protocol
  • Direction
  • Priority
  • Allow or deny

Priority

Lower number = higher priority.

If both rules match:

Priority 100: Allow TCP 443
Priority 200: Deny TCP 443

The priority 100 allow rule applies first.

Effective security rules

A NIC can be affected by:

  • Subnet NSG
  • NIC NSG

Review effective security rules to see the combined result.

Application security groups

Use application security groups (ASGs) when NSG rules should refer to logical application groups rather than individual IP addresses.

Example:

ASG-Web → allow TCP 1433 → ASG-Database

This is easier to maintain than listing changing VM IP addresses.


4.18 Azure Bastion

Use Azure Bastion for RDP and SSH access to VMs without assigning public IP addresses directly to the VMs.

Choose Bastion when the question says:

  • Administrators need browser-based secure access
  • VMs must not expose public IP addresses
  • RDP or SSH is required

Do not create public IP addresses on every VM if Bastion meets the requirement.


4.19 Service endpoints and private endpoints

These are heavily tested.

Feature Service Endpoint Private Endpoint
Access path PaaS public endpoint Private IP in VNet
Public endpoint still used? Yes Private path used
DNS changes commonly needed? Usually minimal Yes, private DNS is important
Subnet identity sent to service? Yes Not the main model
Best clue Restrict public PaaS endpoint to selected subnet Disable public access and use private IP

Service endpoint

Use when:

  • The PaaS service public endpoint remains in use
  • Access should be restricted to selected subnets
  • A storage virtual-network rule should recognize a subnet

Private endpoint

Use when:

  • The PaaS service should be reached using a private IP
  • Public network access should be disabled
  • Private DNS resolution is required

Pattern:

Client VM
→ Private DNS resolves service name
→ Private IP
→ Private endpoint
→ Azure PaaS resource

Private DNS

Private endpoint scenarios often need a private DNS zone linked to the VNet.

Wrong DNS configuration can cause clients to resolve the public endpoint instead of the private endpoint.


4.20 Azure DNS

Azure DNS can host:

  • Public DNS zones
  • Private DNS zones

Public DNS

Use public zones for internet-resolvable names after delegation is configured.

Private DNS

Use private DNS zones for internal name resolution across linked VNets.


4.21 Azure Load Balancer

Azure Load Balancer distributes Layer 4 TCP or UDP traffic.

Public versus internal

Load Balancer Type Frontend
Public load balancer Public IP
Internal load balancer Private IP

Key components

  • Frontend IP configuration
  • Backend pool
  • Health probe
  • Load-balancing rule
  • Optional inbound NAT rules

Health probes

Load balancers send traffic only to healthy backend instances.

Troubleshooting sequence:

  1. Is the backend VM running?
  2. Does the health probe succeed?
  3. Does the NSG allow probe traffic?
  4. Does the NSG allow workload traffic?
  5. Is the backend application listening?
  6. Is the backend pool correct?

NAT rule versus load-balancing rule

Rule Type Use
Load-balancing rule Distribute application traffic across backends
Inbound NAT rule Map frontend traffic to a specific backend port or instance

4.22 Network Watcher

Use Network Watcher tools to troubleshoot connectivity.

Tool Best Use
Connection troubleshoot Test reachability and identify failure point
Next hop Determine route next hop
Effective routes Review routes applied to a NIC
Effective security rules Review NSG results
Connection Monitor Continuously monitor connectivity

Domain 4 Exam Traps

  • Peering is not transitive.
  • NSGs filter traffic; they do not determine route next hop.
  • UDRs control routing; they do not open ports.
  • A service endpoint does not assign a private IP to the PaaS service.
  • A private endpoint commonly requires private DNS configuration.
  • Bastion removes the need for public IP addresses on individual VMs.
  • Lower NSG priority number wins.
  • Load balancer backend health depends on probe success, not only VM power state.

Domain 5 — Monitor and Maintain Azure Resources

4.23 Azure Monitor fundamentals

Metrics versus logs

Data Type Best Use
Metrics Numeric time-series data, dashboards, near-real-time threshold alerts
Logs Rich records queried with KQL
Activity Log Subscription-level management-plane events
Resource logs Service-specific operational logs
Guest OS telemetry Collected from the VM guest using an agent and data collection rules

Simple decision rules

  • Need a CPU chart? Metrics
  • Need to query detailed records? Logs
  • Need to find who deleted a resource? Activity Log
  • Need guest OS counters? Azure Monitor Agent + data collection rule

4.24 Diagnostic settings and data collection

Diagnostic settings

Diagnostic settings route supported platform logs and metrics to destinations such as:

  • Log Analytics workspace
  • Storage account
  • Event Hub

Creating a Log Analytics workspace alone does not automatically collect every resource log.

Pattern:

Azure resource
→ Diagnostic setting
→ Log Analytics workspace
→ KQL query

Azure Monitor Agent and data collection rules

Use Azure Monitor Agent (AMA) and a data collection rule (DCR) when collecting supported guest OS telemetry.

Pattern:

VM guest
→ Azure Monitor Agent
→ Data collection rule
→ Log Analytics workspace

4.25 Log Analytics and KQL

Kusto Query Language (KQL) queries logs.

Common operators

Operator Purpose
where Filter rows
project Select or shape columns
summarize Aggregate results
order by Sort results
top Return highest-ranked rows
extend Add calculated columns

Example:

AzureActivity
| where ActivityStatusValue == "Failed"
| summarize Failures = count() by ResourceGroup
| order by Failures desc

Reasoning pattern

  • Need only matching rows? where
  • Need counts by category? summarize
  • Need fewer columns? project
  • Need highest values? top or order by

4.26 Alerts

Alert pipeline

Telemetry
→ Alert rule
→ Condition
→ Action group
→ Notification or automation

Alert rules

Use alert rules for:

  • High CPU
  • Failed operations
  • Log-query conditions
  • Resource health conditions
  • Availability or connectivity conditions

Action groups

Action groups define reusable actions such as:

  • Email
  • SMS
  • Push notification
  • Voice notification
  • Webhook
  • Automation action

Use one action group across multiple alert rules when the same response is required.

Alert processing rules

Use alert processing rules when alerts should continue evaluating but notifications should be suppressed or modified temporarily.

Typical case:

Planned maintenance window.

Do not delete all alert rules and recreate them later.


4.27 Insights and network monitoring

Insights

Insight Purpose
VM insights VM performance and dependency views
Storage insights Storage monitoring views
Network insights Network-resource visibility

Connection Monitor

Use Network Watcher Connection Monitor for continuous monitoring between endpoints.

Do not confuse:

  • One-time connectivity test: connection troubleshoot
  • Continuous monitoring: Connection Monitor

4.28 Backup and recovery

Recovery Services vault versus Backup vault

Vault Type Common Use
Recovery Services vault Azure VM backup and several established backup scenarios
Backup vault Supported newer Azure Backup workloads such as Azure Disk Backup

Always match the vault to the protected workload.

Backup policy

A backup policy defines:

  • Schedule
  • Frequency
  • Retention
  • Protected workload configuration

Creating a vault alone does not define the required schedule.

Restore

Use a recovery point to restore:

  • Files
  • Disks
  • VM data
  • Supported workload state

Azure Site Recovery

Use Azure Site Recovery for:

  • Replication
  • Regional disaster recovery
  • Failover orchestration
  • Test failover
  • Planned or unplanned failover workflows

Backup versus Site Recovery

Requirement Best Service
Restore accidentally deleted or corrupted data Azure Backup
Keep recovery points Azure Backup
Replicate workload for regional failover Azure Site Recovery
Validate DR without disrupting production Site Recovery test failover

Domain 5 Exam Traps

  • Creating a workspace does not automatically collect resource logs.
  • Diagnostic settings route telemetry; alert rules evaluate conditions.
  • Action groups define responses; they do not collect logs.
  • Alert processing rules suppress or modify actions without deleting alerts.
  • Metrics and logs solve different problems.
  • Activity Log is for management-plane operations.
  • Azure Backup and Site Recovery are complementary but not interchangeable.
  • A test failover validates DR without disrupting production.

5. Service Selection Guide

Identity and governance

Requirement Choose Avoid Confusing With
Automatically update group membership from attributes Dynamic Microsoft Entra group Assigned membership
External partner authentication Microsoft Entra B2B guest Shared internal account
Pilot self-service password reset SSPR for selected users Azure RBAC
View resources only Reader Contributor
Modify resources but not assign roles Contributor Owner
Manage access assignments User Access Administrator Contributor
Block unsupported resource locations Azure Policy with deny Resource lock
Prevent deletion but allow modification CanNotDelete lock ReadOnly lock
Freeze changes and deletion ReadOnly lock CanNotDelete lock
Apply governance to multiple subscriptions Management group Resource group
Forecast spending threshold alert Cost Management budget Azure Monitor CPU alert
Cost optimization recommendations Azure Advisor Azure Monitor

Storage

Requirement Choose Avoid Confusing With
General-purpose account StorageV2 BlockBlobStorage
Delegated time-limited access SAS Account key
Centrally revoke service SAS tokens Stored access policy Key rotation
Zone-level storage resilience ZRS LRS
Geo-replication with readable secondary RA-GRS GRS
Recover deleted blob Blob soft delete Blob versioning
Recover deleted container Container soft delete Blob soft delete
Restore overwritten blob Blob versioning Lifecycle rule
Point-in-time Azure Files copy Share snapshot Blob snapshot
Recover deleted Azure file share Azure Files soft delete Blob soft delete
Bulk command-line transfer AzCopy Storage Explorer
GUI storage management Storage Explorer AzCopy
Private-IP storage access Private endpoint Service endpoint

Compute

Requirement Choose Avoid Confusing With
Declarative repeatable deployment ARM template or Bicep Manual portal checklist
Preserve unrelated resources during deployment Incremental mode Complete mode
Host-level encryption for caches and temporary disks Encryption at host Only managed-disk encryption
Datacenter isolation in one region Availability zones Availability sets
Host and update-domain distribution Availability set Scale set
Similar VMs with autoscale Virtual Machine Scale Sets Availability set
Private image registry Azure Container Registry Blob container
Fast simple container execution Azure Container Instances Container Apps
Microservice revisions and scale-to-zero Azure Container Apps ACI
Shared web-app hosting compute App Service plan Deployment slot
Safe web-app rollout Deployment slot Autoscale
Outbound App Service access to VNet VNet integration Private endpoint

Networking

Requirement Choose Avoid Confusing With
Connect VNets privately VNet peering Load balancer
Send subnet traffic through appliance UDR NSG
Allow or deny ports NSG Route table
Group NICs logically for NSG rules ASG IP-address list
Secure RDP or SSH without VM public IP Azure Bastion Public IP per VM
Use public PaaS endpoint restricted to subnet Service endpoint Private endpoint
Use PaaS private IP and disable public access Private endpoint Service endpoint
Host public DNS records Azure DNS public zone Private DNS zone
Resolve private endpoint privately Private DNS zone linked to VNet Public DNS only
Distribute internet TCP/UDP traffic Public load balancer Internal load balancer
Distribute private TCP/UDP traffic Internal load balancer Public load balancer

Monitoring and recovery

Requirement Choose Avoid Confusing With
CPU time-series chart Metrics Activity Log
Query detailed logs Log Analytics + KQL Metrics only
Route resource logs to workspace Diagnostic settings Workspace alone
Collect guest OS counters Azure Monitor Agent + DCR Platform metrics only
Reusable alert actions Action group Alert processing rule
Silence notifications during maintenance Alert processing rule Delete alerts
Continuous endpoint connectivity monitoring Connection Monitor One-time troubleshoot
Back up Azure VMs Recovery Services vault Backup vault by default
Newer supported backup workload such as disk backup Backup vault Recovery Services vault by assumption
Regional failover orchestration Azure Site Recovery Azure Backup

6. Architecture Patterns

6.1 Governed multi-subscription Azure landing pattern

Tenant
└── Management group hierarchy
    ├── Production
    │   ├── Subscription: App Production
    │   └── Subscription: Data Production
    └── Non-production
        ├── Subscription: Development
        └── Subscription: Sandbox

Apply:

  • Azure Policy at management-group scope
  • RBAC at the smallest practical scope
  • Tags for owner, application, environment, and cost center
  • Budgets per subscription or workload scope
  • Resource locks on critical production resources

Reasoning:

  • Use management groups for cross-subscription governance.
  • Use subscriptions for billing and access boundaries.
  • Use resource groups for workload lifecycle management.
  • Use locks only for accidental-change protection.

6.2 Secure storage pattern

Application subnet
→ Private DNS
→ Private endpoint private IP
→ Storage account

Configure:

  • Disable or tightly restrict public network access
  • Private endpoint
  • Private DNS integration
  • Data-plane role assignment at smallest scope
  • Blob soft delete
  • Container soft delete
  • Blob versioning when overwrite recovery matters
  • Lifecycle rule for aging data
  • Customer-managed key only when required

Reasoning:

  • Private endpoint solves private-IP access.
  • Azure RBAC solves identity permission.
  • Soft delete and versioning solve different recovery problems.
  • Lifecycle management controls cost and retention.

6.3 Highly available web tier on VMs

Internet
→ Public IP
→ Public Load Balancer
→ Health probe
→ VM Scale Set across availability zones
→ Application instances

Configure:

  • VM scale set
  • Availability zones where supported
  • Autoscale rule
  • Backend pool
  • Health probe
  • Load-balancing rule
  • NSG rules for application and probe traffic
  • Azure Monitor alerting

Reasoning:

  • Scale sets manage instance count.
  • Zones reduce datacenter-level risk.
  • Health probes remove unhealthy instances from rotation.
  • NSGs still need to permit required traffic.

6.4 Private internal application

Internal clients
→ Private DNS
→ Internal Load Balancer private IP
→ Backend VMs

Configure:

  • Internal load balancer
  • Private frontend IP
  • Backend pool
  • Health probe
  • NSG rules
  • Optional ASGs for tier-based security

Use when the service must not be reachable directly from the internet.


6.5 Hub-and-spoke routing pattern

Spoke A ─┐
         ├── Hub VNet → Firewall / NVA → Internet or on-premises
Spoke B ─┘

Configure:

  • Non-overlapping address spaces
  • VNet peering
  • Gateway transit where needed
  • Remote gateway usage in spokes where appropriate
  • Route tables and UDRs for forced routing
  • NSGs for filtering
  • Effective route checks during troubleshooting

Reasoning:

  • Peering connects VNets.
  • UDRs direct traffic.
  • NSGs allow or deny flows.
  • Gateway transit is explicit.

6.6 App Service release pattern

Source package
→ Staging deployment slot
→ Validate
→ Swap with production
→ Monitor
→ Swap back if rollback is needed

Configure:

  • App Service plan
  • App Service app
  • Deployment slot
  • Custom domain
  • TLS certificate binding
  • HTTPS-only access
  • Autoscale rules when needed
  • VNet integration for outbound private access
  • Backup when required

6.7 Monitoring pipeline

Azure resources
→ Metrics / logs / guest telemetry
→ Diagnostic settings or Azure Monitor Agent + DCR
→ Log Analytics workspace
→ KQL query
→ Alert rule
→ Action group
→ Notification or automation

Optional:

Alert processing rule
→ Suppress or modify notifications during maintenance

6.8 Backup and disaster-recovery pattern

Production VM
├── Azure Backup → Recovery points → Restore
└── Azure Site Recovery → Secondary region → Test failover / failover

Reasoning:

  • Backup protects data and recovery points.
  • Site Recovery orchestrates workload continuity during regional outage.
  • Test failover validates the DR plan safely.

7. Exam Traps

7.1 Governance traps

Trap Correct Reasoning
Choose Owner because it always works Prefer smaller role and scope
Choose Contributor to manage role assignments Use User Access Administrator or Owner only when justified
Use a lock to prevent noncompliant deployment Use Azure Policy
Use tags for access restriction Tags are metadata
Apply policy separately to every subscription Consider management-group scope
Remove an entire policy because one resource cannot comply Consider exemption or excluded scope

7.2 Storage traps

Trap Correct Reasoning
Share account keys with vendors Prefer scoped SAS
Assume GRS secondary is readable RA-GRS provides readable secondary
Use Archive for immediate retrieval Archive requires rehydration
Use blob soft delete for overwritten content Blob versioning preserves earlier values
Use blob versioning to restore an entire deleted container Container soft delete is the direct feature
Choose service endpoint when private IP is required Use private endpoint

7.3 Compute traps

Trap Correct Reasoning
Use Complete deployment mode casually It can remove undeclared resources
Use availability set for autoscaling Use VM scale set
Use scale set when the requirement is only safer placement Availability set or zones may be enough
Use ACI for revisions and scale-to-zero Container Apps is usually better
Use private endpoint for outbound App Service VNet access Use VNet integration
Configure DNS only for HTTPS Add TLS binding and enforce HTTPS

7.4 Networking traps

Trap Correct Reasoning
NSG controls route next hop Route tables and UDRs control routing
UDR opens TCP port 443 NSG filters ports
Peering is automatically transitive It is not transitive by default
VM is running, so load balancer must send traffic Probe and NSG conditions still matter
Service endpoint gives service a private IP Private endpoint provides private IP
Private endpoint works automatically without DNS Private DNS is frequently required

7.5 Monitoring and recovery traps

Trap Correct Reasoning
Create workspace and expect all logs Configure diagnostic settings or agent collection
Use metrics to identify who deleted a resource Use Activity Log
Use action group to collect telemetry Action groups perform actions
Delete alerts during maintenance Use alert processing rules
Use Backup as regional active failover Use Site Recovery
Perform unplanned failover for testing Use test failover

8. Quick Memory Rules

Identity and governance

  • Dynamic group = membership follows attributes.
  • Guest = external collaborator.
  • SSPR selected users = pilot rollout.
  • Reader = view only.
  • Contributor = manage resources, not role assignments by default.
  • User Access Administrator = manage access.
  • Policy = enforce.
  • Lock = protect from accidental change.
  • Tag = label and report.
  • Management group = govern subscriptions.
  • Budget = notify about spending.
  • Advisor = recommendations.

Storage

  • StorageV2 = general-purpose account.
  • SAS = delegated, limited, temporary access.
  • Stored access policy = centrally manage service SAS revocation.
  • ZRS = zones.
  • GRS = secondary region.
  • RA-GRS = readable secondary.
  • Blob soft delete = deleted blob.
  • Container soft delete = deleted container.
  • Blob versioning = overwritten blob.
  • Snapshot = point-in-time copy.
  • Lifecycle management = automate tiering and deletion.
  • AzCopy = CLI transfer.
  • Storage Explorer = GUI.
  • Private endpoint = private IP.

Compute

  • Bicep = clean Azure infrastructure as code.
  • Incremental mode = preserve undeclared resources.
  • Resize VM = change CPU and memory.
  • Disk SKU or size = change disk performance or capacity.
  • Encryption at host = protect host-side caches and temporary disks.
  • Availability set = fault and update domains.
  • Availability zones = separate datacenters in one region.
  • Scale set = autoscaling VM instances.
  • ACR = private image registry.
  • ACI = simple container execution.
  • Container Apps = microservices, ingress, revisions, scale-to-zero.
  • App Service plan = shared web compute.
  • Deployment slot = safe release.
  • VNet integration = App Service outbound private access.

Networking

  • Peering = connect VNets.
  • Peering is not transitive.
  • UDR = choose next hop.
  • NSG = allow or deny traffic.
  • ASG = group NICs logically.
  • Lower NSG priority number wins.
  • Bastion = RDP and SSH without VM public IP.
  • Service endpoint = selected subnet to public PaaS endpoint.
  • Private endpoint = private IP to PaaS.
  • Private DNS = resolve private endpoint correctly.
  • Public load balancer = internet frontend.
  • Internal load balancer = private frontend.
  • Health probe = backend eligibility.

Monitoring and recovery

  • Metrics = numeric time series.
  • Logs = rich records.
  • Activity Log = management-plane events.
  • Diagnostic setting = route platform telemetry.
  • Azure Monitor Agent + DCR = guest telemetry.
  • KQL where = filter rows.
  • Action group = notify or automate.
  • Alert processing rule = suppress or modify alert actions.
  • Connection Monitor = continuous connectivity checks.
  • Recovery Services vault = Azure VM backup.
  • Backup vault = supported newer backup workloads.
  • Azure Backup = recovery points and restore.
  • Site Recovery = replication and failover.
  • Test failover = validate DR safely.

9. Final Revision Notes

9.1 One-page reasoning framework

For each question, classify the problem:

Problem Type Ask Yourself
Access Is this identity, role, scope, inheritance, or data plane?
Governance Is this enforcement, protection, labeling, or billing?
Storage Is this access, redundancy, tiering, or recovery?
Compute Is this deployment, sizing, availability, scaling, or hosting model?
Network Is this DNS, routing, filtering, private access, or load balancing?
Monitoring Is this collection, query, alerting, or notification?
Recovery Is this restore or disaster-recovery failover?

9.2 Elimination strategy

Remove options that:

  • Solve the wrong Azure layer
  • Grant broader scope than necessary
  • Use a manual workaround when a native service exists
  • Expose resources publicly without a requirement
  • Confuse availability with backup
  • Confuse backup with disaster recovery
  • Confuse route control with traffic filtering
  • Confuse App Service inbound private access with outbound VNet integration
  • Confuse storage configuration permission with data access

9.3 High-frequency comparisons to memorize

Compare Key Difference
Azure RBAC vs Azure Policy Who can do it vs what configuration is allowed
Policy vs lock Enforce configuration vs protect from accidental changes
CanNotDelete vs ReadOnly Delete protection vs modification and delete protection
Dynamic vs assigned group Attribute-driven vs manual membership
Contributor vs User Access Administrator Resource modification vs access assignment management
LRS vs ZRS One datacenter vs availability zones
GRS vs RA-GRS Geo-copy vs geo-copy with secondary reads
SAS vs access key Scoped temporary delegation vs broad account secret
Soft delete vs versioning Deleted item recovery vs previous content version
Availability set vs zone Fault/update domains vs separate datacenters
Availability zone vs Site Recovery In-region resilience vs regional DR
ACI vs Container Apps Simple container vs managed microservice platform
App Service scale up vs scale out Larger instances vs more instances
Service endpoint vs private endpoint Restricted public endpoint vs private IP
NSG vs UDR Filter traffic vs choose route
Metrics vs logs Time-series measurements vs queryable records
Diagnostic settings vs action groups Send telemetry vs act on alerts
Backup vs Site Recovery Restore points vs failover orchestration

9.4 Mini case studies

Case 1 — Least privilege

Requirement:

A support engineer can restart VMs in one resource group only.

Answer:

Assign Virtual Machine Contributor at that resource-group scope.

Why:

  • Correct role
  • Smallest useful scope
  • No unnecessary subscription-wide rights

Case 2 — Secure storage access

Requirement:

VMs must access storage through a private IP and public access must be disabled.

Answer:

Configure a private endpoint and private DNS resolution.

Why:

  • Private endpoint creates the private-IP path
  • DNS ensures the storage name resolves privately

Case 3 — Blob recovery

Requirement:

Users overwrite blobs and need previous content.

Answer:

Enable blob versioning.

Why:

  • The problem is modification, not deletion

Case 4 — Web deployment

Requirement:

Validate a new App Service release and switch traffic with minimal downtime.

Answer:

Deploy to a staging slot and perform a slot swap.

Case 5 — VM regional recovery

Requirement:

Replicate VMs to a secondary region and test recovery without disrupting production.

Answer:

Configure Azure Site Recovery and run a test failover.

Case 6 — Network troubleshooting

Requirement:

A VM cannot reach an on-premises destination and a custom route may be responsible.

Answer:

Review effective routes and use next-hop analysis.

Case 7 — Monitoring

Requirement:

Notify a webhook when resource logs match a KQL condition.

Answer:

Diagnostic setting
→ Log Analytics workspace
→ Log alert rule
→ Action group with webhook

10. Exam-Day Checklist

Before starting

  • Confirm that you understand the current exam interface.
  • Read every requirement carefully.
  • Identify whether the question asks for one answer or a combination.
  • Notice scope words such as:
    • only
    • all subscriptions
    • one resource group
    • private IP
    • public endpoint
    • selected subnet
    • minimize administration
    • least privilege
    • no downtime
    • automatically
    • recover
    • fail over

During the exam

Use this five-step method:

  1. Identify the domain.
  2. Identify the Azure layer.
  3. Eliminate options that solve a different problem.
  4. Prefer the smallest scope and simplest native feature.
  5. Re-read the requirement before confirming.

Last-minute checks

Before submitting an answer, ask:

  • Did I choose a role that is too broad?
  • Did I confuse management-plane and data-plane access?
  • Did I choose Policy when the question asks for a lock, or a lock when it asks for Policy?
  • Did I choose service endpoint when private IP is required?
  • Did I forget private DNS for a private endpoint?
  • Did I confuse route tables and NSGs?
  • Did I confuse availability with backup?
  • Did I confuse Azure Backup with Azure Site Recovery?
  • Did I choose a GUI tool when the question asked for command-line bulk transfer?
  • Did I choose a manual process when Azure offers automation?

Final Rapid Review Sheet

IDENTITY
Dynamic group = automatic attributes
Guest = external identity
SSPR = user password reset
RBAC = who can do what at which scope

GOVERNANCE
Policy = enforce
Lock = protect
Tag = label
Management group = govern subscriptions
Budget = spend threshold
Advisor = recommendations

STORAGE
SAS = limited delegated access
Stored access policy = revoke SAS centrally
ZRS = zones
RA-GRS = readable geo-secondary
Blob soft delete = deleted blob
Container soft delete = deleted container
Versioning = overwritten blob
Lifecycle = aging data
Private endpoint = private IP

COMPUTE
Bicep = repeatable deployment
Incremental = preserve unrelated resources
Encryption at host = temp disk and cache protection
Availability set = fault/update domains
Availability zone = datacenter isolation
Scale set = autoscaling VMs
ACI = simple container
Container Apps = revisions and scale-to-zero
Deployment slot = safe web release
VNet integration = outbound App Service private connectivity

NETWORK
Peering = private VNet connection
Peering is not transitive
UDR = route
NSG = filter
ASG = logical NIC grouping
Bastion = RDP/SSH without VM public IP
Service endpoint = restricted public PaaS endpoint
Private endpoint = PaaS private IP
Private DNS = private endpoint name resolution
Health probe = load balancer backend eligibility

MONITORING AND RECOVERY
Metrics = numeric trend
Logs = KQL
Activity Log = management-plane history
Diagnostic settings = route platform logs
AMA + DCR = guest telemetry
Action group = notification
Alert processing rule = temporary suppression
Recovery Services vault = VM backup
Backup vault = supported newer backup workloads
Backup = restore
Site Recovery = failover
Test failover = safe DR validation

Source and Alignment Note

This course was synthesized from the reviewed AZ-104 practice bank and aligned with Microsoft's official AZ-104: Microsoft Azure Administrator study guide for the skills measured as of April 17, 2026. The structure intentionally merges repeated question patterns into reusable decision rules and does not reproduce raw exam dumps.

lock_open

Unlock the full course

All 73 modules with detailed explanations, code examples, and exam tips.

workspace_premium
You've answered 0 of 35 free questions 1065 questions locked : these will appear on exam day.
0/35
rocket_launch Unlock All
event_available
Day 1 of 16 72 questions/day Finish by Jul 29, 2026
Question 1 of 1100
Manage Azure identities and governance · 25%

Case study — project Falcon: Environment: test Primary constraint: minimize operational risk and avoid over-permissioning. Requirement: You need a governance hierarchy so that policy assignments apply to multiple subscriptions owned by Research. Which resource should you create?

0 correct
0 wrong
1100 left
0% done