AZ-104 Azure Administrator Associate
Compressed Course
AZ-104 Microsoft Azure Administrator Associate
Compressed Complete Study Guide
Exam: AZ-104: Microsoft Azure Administrator
Certification: Microsoft Certified: Azure Administrator Associate
Blueprint version used: Skills measured as of April 17, 2026
Purpose: A practical, scenario-focused course for rapid learning, realistic revision, and exam-day decision making.
Table of Contents
- Exam Overview
- Exam Domains
- Start-to-Finish Study Path
- Core Concepts by Domain
- Service Selection Guide
- Architecture Patterns
- Exam Traps
- Quick Memory Rules
- Final Revision Notes
- Exam-Day Checklist
1. Exam Overview
AZ-104 tests whether you can operate an Azure environment safely and efficiently. It is not mainly a memorization exam. Most scenarios ask you to choose the most appropriate administrative action while balancing:
- Least privilege
- Minimum operational effort
- Scope
- Availability
- Security
- Recoverability
- Cost
- Troubleshooting efficiency
A passing score is 700 or greater. Microsoft periodically updates the exam. This guide follows the skills measured as of April 17, 2026.
What an Azure administrator is expected to manage
You should be comfortable administering:
- Microsoft Entra users, groups, licenses, and external identities
- Azure role-based access control (Azure RBAC)
- Subscriptions, management groups, policies, locks, tags, budgets, and Advisor recommendations
- Azure Storage accounts, blobs, Azure Files, access controls, replication, tiers, and recovery controls
- Azure virtual machines, disks, availability, scale sets, templates, and Bicep
- Azure Container Registry, Azure Container Instances, and Azure Container Apps
- Azure App Service plans, apps, TLS, DNS, deployment slots, backups, networking, and scaling
- Virtual networks, subnets, peering, routes, NSGs, Bastion, private endpoints, service endpoints, DNS, and load balancers
- Azure Monitor, Log Analytics, alerts, Network Watcher, Backup, and Site Recovery
The core AZ-104 mindset
When a scenario gives several valid-looking options, ask:
- What exact requirement is being tested?
- Is the requirement about management-plane control, data-plane access, routing, filtering, monitoring, availability, or recovery?
- What is the smallest scope that meets the requirement?
- Does the chosen feature solve the requirement directly, or is it only related?
- Is there an Azure-native feature that avoids a manual workaround?
A common exam pattern is to offer a distractor that is technically useful but solves the wrong layer of the problem.
2. Exam Domains
| Domain | Official Weight | Study Priority | Main Question Style |
|---|---|---|---|
| Manage Azure identities and governance | 20–25% | Very high | Scope, roles, policy, locks, costs |
| Implement and manage storage | 15–20% | High | Access, redundancy, data protection, tiering |
| Deploy and manage Azure compute resources | 20–25% | Very high | Deployment, availability, scaling, App Service, containers |
| Implement and manage virtual networking | 15–20% | High | Routing, filtering, private access, DNS, load balancing |
| Monitor and maintain Azure resources | 10–15% | High | Logs, alerts, insights, Backup, Site Recovery |
Suggested effort allocation
Because the official weights are ranges, use this revision split:
| Domain | Recommended Revision Time |
|---|---|
| Identities and governance | 24% |
| Storage | 18% |
| Compute | 25% |
| Networking | 19% |
| Monitoring and recovery | 14% |
Highest-value cross-domain themes
These themes appear repeatedly because they connect multiple domains:
- Scope inheritance: tenant, management group, subscription, resource group, resource
- Least privilege: choose the smallest role and smallest scope
- Private access: private endpoint versus service endpoint
- Traffic flow: DNS → route → NSG → load balancer → backend health
- Availability: availability zones, availability sets, scale sets, backups, and Site Recovery solve different problems
- Recoverability: soft delete, versioning, snapshots, Backup, and Site Recovery are not interchangeable
- Automation: prefer ARM templates or Bicep for repeatable deployments
- Monitoring pipeline: collect → query → evaluate → notify
3. Start-to-Finish Study Path
Phase 1 — Build the Azure mental model
Learn the basic Azure hierarchy first:
Microsoft Entra tenant
└── Management groups
└── Subscriptions
└── Resource groups
└── Resources
Then separate two types of access:
| Access Type | Meaning | Examples |
|---|---|---|
| Management plane | Manage the Azure resource configuration | Create a VM, change an NSG, assign a policy |
| Data plane | Access the data inside a service | Read blobs, upload files, query stored data |
This distinction eliminates many wrong answers. For example, Reader can view a storage account configuration but does not automatically grant permission to read blobs.
Phase 2 — Master service selection
Build quick decision rules:
- Need to prevent a deployment? Azure Policy
- Need to stop accidental deletion? CanNotDelete lock
- Need to block changes and deletion? ReadOnly lock
- Need time-limited delegated storage access? SAS
- Need storage access through a private IP? Private endpoint
- Need selected subnet access while using a public PaaS endpoint? Service endpoint
- Need secure RDP or SSH without VM public IP addresses? Azure Bastion
- Need multiple identical VMs with autoscale? Virtual Machine Scale Sets
- Need revisions and scale-to-zero for containerized microservices? Azure Container Apps
- Need simple fast serverless container execution? Azure Container Instances
- Need logs sent to Log Analytics? Diagnostic settings
- Need threshold-based notification? Alert rule + action group
- Need regional disaster recovery orchestration? Azure Site Recovery
Phase 3 — Learn the major comparison tables
Spend time on the comparisons that generate the most exam traps:
- Azure RBAC versus Azure Policy versus locks
- Availability zones versus availability sets versus backups versus Site Recovery
- Private endpoints versus service endpoints
- Blob soft delete versus container soft delete versus blob versioning versus snapshots
- Azure Container Instances versus Azure Container Apps versus Virtual Machine Scale Sets versus App Service
- Metrics versus logs versus Activity Log
- Recovery Services vault versus Backup vault
Phase 4 — Practice layered troubleshooting
For network failures, use this sequence:
Name resolution
→ Route selection
→ NSG filtering
→ Public/private endpoint design
→ Load balancer probe
→ Backend application state
For monitoring failures, use:
Telemetry source
→ Diagnostic setting or agent
→ Workspace destination
→ KQL query
→ Alert rule
→ Action group
→ Alert processing rule
For access failures, use:
Identity
→ Group membership
→ Role
→ Scope
→ Inheritance
→ Data-plane permission
→ Network restriction
Phase 5 — Final revision
Before the exam:
- Re-read the quick memory rules
- Rebuild each architecture pattern from memory
- Practice explaining why the strongest distractor is wrong
- Review high-value traps
- Use the exam sandbox to understand the interface
4. Core Concepts by Domain
Domain 1 — Manage Azure Identities and Governance
4.1 Microsoft Entra users and groups
Microsoft Entra ID manages identities used across Azure.
User types
| User Type | Use Case |
|---|---|
| Member user | Internal workforce identity |
| Guest user | External collaborator using an external identity |
| Cloud-only user | Identity created directly in Microsoft Entra ID |
| Synchronized user | Identity synchronized from an external directory |
Groups
| Group Type | Best Use |
|---|---|
| Security group | Assign permissions, licenses, or access |
| Microsoft 365 group | Collaboration scenarios |
| Assigned membership | Manually maintained membership |
| Dynamic user membership | Automatically include users based on attributes |
| Dynamic device membership | Automatically include devices based on attributes |
Decision rule
When the question says:
Membership must update automatically when the user's department changes.
Choose:
A dynamic Microsoft Entra security group with a membership rule based on the department attribute.
Do not choose an assigned group. Assigned membership requires manual maintenance.
Group-based licensing
Group-based licensing applies licenses to members of a Microsoft Entra group. If assignment fails:
- Review license assignment errors.
- Identify conflicting service plans or missing prerequisites.
- Resolve the license issue.
- Reprocess the assignment.
Do not confuse Azure resource roles with Microsoft Entra license management.
External users
Use Microsoft Entra B2B guest invitations when external partners should authenticate with their existing organizational identities.
Avoid:
- Sharing one internal account
- Sending passwords manually
- Creating unnecessary cloud-only member users for partners
Self-service password reset
Use SSPR when users must reset their own passwords.
Key exam clue:
Enable the feature for a pilot group only.
Answer:
Enable SSPR for selected users and choose the pilot group.
4.2 Azure RBAC
Azure RBAC controls who can perform actions on Azure resources.
Role assignment model
Security principal + Role definition + Scope
| Component | Meaning |
|---|---|
| Security principal | User, group, service principal, or managed identity |
| Role definition | Allowed actions |
| Scope | Where the permissions apply |
Scope hierarchy
Management group
→ Subscription
→ Resource group
→ Resource
Permissions inherit downward. Prefer the smallest scope that meets the requirement.
Important built-in roles
| Role | What It Allows | Common Trap |
|---|---|---|
| Reader | View Azure resources | Does not modify resources |
| Contributor | Create and manage resources | Cannot manage role assignments by default |
| Owner | Full management plus role assignment control | Usually broader than necessary |
| User Access Administrator | Manage access assignments | Does not provide general resource modification |
| Virtual Machine Contributor | Manage VMs | Does not grant broad subscription management |
| Storage Blob Data Reader | Read blob data | Data-plane role |
| Storage Blob Data Contributor | Read, write, and delete blob data | Data-plane role |
Additive permissions
Azure RBAC assignments are additive.
Example:
- Reader at subscription scope
- Contributor at resource-group scope
Result:
- Contributor within that resource group
- Reader elsewhere in the subscription
The Reader role does not override Contributor.
Least-privilege pattern
Question:
A developer must upload blobs to one storage account only.
Best answer:
Assign Storage Blob Data Contributor at the storage-account scope.
Wrong answer:
Assign Contributor at subscription scope.
Why wrong:
- Contributor is broader
- Subscription scope affects unrelated resources
- A management-plane role may not be the best fit for blob data access
4.3 Azure Policy, locks, and tags
These are frequently confused.
| Feature | Purpose | Example |
|---|---|---|
| Azure Policy | Enforce or audit configuration rules | Deny resources outside approved regions |
| Resource lock | Protect resources from accidental changes or deletion | Prevent deletion of a production database |
| Tag | Add metadata for organization and cost analysis | Owner=Finance |
| Azure RBAC | Control who can perform actions | Grant VM restart permissions |
Azure Policy
Use Azure Policy to:
- Deny unsupported regions
- Require tags
- Audit configurations
- Deploy required settings when missing
- Modify supported properties
- Apply governance at scale
Policy effects
| Effect | Typical Use |
|---|---|
| Deny | Block noncompliant deployment |
| Audit | Report noncompliance |
| Append | Add supported fields |
| Modify | Adjust supported fields |
| DeployIfNotExists | Deploy a related configuration when missing |
| AuditIfNotExists | Report when related configuration is missing |
Remediation
A DeployIfNotExists or Modify policy may need a remediation task for existing resources.
Decision rule:
New deployments are corrected, but existing resources remain noncompliant.
Choose:
Create a remediation task.
Policy initiatives
An initiative groups related policy definitions.
Use an initiative when several policies should be managed together, such as:
- Allowed locations
- Required tags
- Diagnostic settings
- Encryption controls
Policy exclusions and exemptions
| Option | Best Use |
|---|---|
| Excluded scope | Do not evaluate a child scope under the assignment |
| Policy exemption | Document an approved exception while preserving the broader assignment |
Resource locks
| Lock | Prevents Deletion | Prevents Modification |
|---|---|---|
| CanNotDelete | Yes | No |
| ReadOnly | Yes | Yes |
Memory rule:
- Protect from deletion only: CanNotDelete
- Freeze configuration: ReadOnly
Tags
Use tags for:
- Cost allocation
- Ownership
- Environment labeling
- Operational grouping
- Reporting
Examples:
Environment=Production
Owner=Finance
Application=Billing
CostCenter=CC-2040
Do not treat tags as security boundaries. Tags do not isolate resources or enforce network access.
4.4 Resource groups, subscriptions, and management groups
Resource groups
A resource group is a lifecycle and management container for Azure resources.
Use resource groups to:
- Organize related resources
- Apply RBAC
- Apply policies
- Apply locks
- Move compatible resources when supported
Before moving a resource:
- Check whether the resource type supports the move
- Identify dependencies
- Select required dependent resources
- Validate before committing
Subscriptions
Subscriptions provide boundaries for:
- Billing
- Quotas
- Governance
- Access control
- Environment separation
Typical pattern:
Production subscription
Development subscription
Shared services subscription
Sandbox subscription
Management groups
Management groups sit above subscriptions.
Use management groups to:
- Apply policy across subscriptions
- Apply Azure RBAC across subscriptions
- Build governance hierarchies
Example:
Tenant root
├── Production management group
│ ├── Production subscription A
│ └── Production subscription B
└── Non-production management group
├── Development subscription
└── Sandbox subscription
Cost management
Use:
| Requirement | Feature |
|---|---|
| Notify when actual or forecasted cost reaches a threshold | Cost Management budget |
| Review optimization recommendations | Azure Advisor |
| Analyze spending by department | Tags plus cost analysis |
| Separate billing boundaries | Separate subscriptions |
Domain 1 Exam Traps
- Contributor cannot manage Azure RBAC assignments by default.
- Owner is often correct but too broad.
- A lock does not replace Azure Policy.
- A tag does not enforce anything.
- A resource group does not span subscriptions.
- A management group governs subscriptions; it does not hold application resources directly.
- Azure RBAC permissions are additive.
- Storage configuration access and blob data access are different.
Domain 2 — Implement and Manage Storage
4.5 Storage account fundamentals
Common storage services
| Service | Purpose |
|---|---|
| Blob Storage | Object storage for unstructured data |
| Azure Files | Managed file shares using supported file protocols |
| Queue Storage | Message queues |
| Table Storage | Key-value NoSQL data |
| Managed disks | Block storage for VMs |
Storage account kind
For general-purpose support of blobs, files, queues, and tables, choose:
StorageV2
Redundancy options
| Option | Replication Scope | Typical Use |
|---|---|---|
| LRS | Copies in one datacenter | Lowest cost, limited resilience |
| ZRS | Copies across availability zones in one region | Zone-level resilience |
| GRS | Primary region plus paired secondary region | Regional replication |
| RA-GRS | GRS plus read access to secondary endpoint | Read from secondary before failover |
| GZRS | Zone redundancy in primary plus geo-replication | Higher resilience |
| RA-GZRS | GZRS plus readable secondary | Higher resilience with secondary reads |
Fast selection rules
- Need zone resilience in one region? ZRS
- Need geo-replication? GRS
- Need readable secondary endpoint? RA-GRS or RA-GZRS
- Need minimum cost only? LRS
4.6 Storage access control
Storage security is layered.
Identity permission
+ SAS or key strategy
+ Network restriction
+ Encryption
Storage firewalls and virtual network rules
Use storage networking settings to:
- Allow selected public IP ranges
- Allow selected virtual networks
- Restrict public access
- Configure private endpoint access
Access keys
Storage accounts have access keys. Treat them like high-value secrets.
Rotation pattern:
- Regenerate the unused key.
- Update applications to use the new key.
- Validate access.
- Regenerate the exposed or old key.
Do not rotate both keys simultaneously unless downtime is acceptable.
Shared access signatures
A SAS provides delegated, time-limited access.
Use SAS when:
- A vendor needs temporary blob access
- A client should upload files for a limited period
- Sharing the full account key would be too broad
Limit:
- Resource scope
- Permissions
- Start time
- Expiry time
- Allowed protocol
- Allowed IP range when appropriate
Stored access policies
Use a stored access policy when multiple service SAS tokens need centralized revocation or modification.
Decision rule:
Revoke several SAS tokens before their individual expiry times.
Choose:
Associate SAS tokens with a stored access policy.
Identity-based access for Azure Files
Use identity-based authentication for Azure Files when users should access SMB shares using identities instead of shared keys.
4.7 Blob Storage
Containers
A blob container organizes blob objects.
Use blobs for:
- Images
- Documents
- Backups
- Logs
- Static content
- Data lake objects
Access tiers
| Tier | Access Pattern | Key Characteristic |
|---|---|---|
| Hot | Frequently accessed | Higher storage cost, lower access cost |
| Cool | Infrequently accessed but online | Immediate access |
| Cold | Less frequent access, still online | Lower storage cost than Cool |
| Archive | Rarely accessed | Offline; requires rehydration |
Decision rule:
- Rare access but immediate retrieval required → Cool or Cold, depending on expected retention and economics
- Long-term archive with acceptable retrieval delay → Archive
Lifecycle management
Lifecycle rules automate:
- Tier changes
- Deletion
- Retention behavior based on age and conditions
Example:
Move blobs to Cool after 30 days
Move blobs to Archive after 180 days
Delete blobs after 730 days
Blob protection features
| Feature | Protects Against | Best Use |
|---|---|---|
| Blob soft delete | Accidental blob deletion | Restore deleted blobs during retention window |
| Container soft delete | Accidental container deletion | Restore deleted blob containers |
| Blob versioning | Overwrite or modification | Restore an earlier blob version |
| Lifecycle management | Aging data | Automate tier transitions and deletion |
| Object replication | Need copy in another storage account | Async copy of supported blobs |
Important distinction
Question:
Users overwrite documents and need to recover earlier values.
Choose:
Blob versioning.
Question:
An entire container was deleted accidentally.
Choose:
Container soft delete.
Question:
A blob was deleted accidentally.
Choose:
Blob soft delete.
4.8 Azure Files
Azure Files provides managed file shares.
Use it when applications or users need:
- Shared file-system access
- SMB-based access
- Managed cloud file shares
- Mountable shares for multiple clients
Azure Files protection
| Feature | Purpose |
|---|---|
| Share snapshot | Read-only point-in-time copy |
| Soft delete for Azure file shares | Recover accidentally deleted file shares |
| Identity-based access | Avoid shared key use for SMB access |
Snapshot versus soft delete
- Need a known point-in-time copy before a change? Share snapshot
- Need recovery after accidental deletion? Soft delete
4.9 Data movement and encryption
Tools
| Tool | Best Use |
|---|---|
| AzCopy | Command-line bulk data transfer |
| Azure Storage Explorer | Graphical browsing and management |
| Azure portal | Basic administrative actions |
Encryption
Azure Storage encrypts data at rest. If the scenario requires control over the encryption key, use:
Customer-managed key stored in a supported key-management service such as Azure Key Vault.
Do not confuse access delegation with encryption. A SAS token controls access; it does not select the encryption key.
Domain 2 Exam Traps
- Blob versioning is not the same as blob soft delete.
- Blob soft delete does not specifically recover an entire deleted container.
- Archive is not immediately readable.
- GRS replicates to a secondary region, but RA-GRS provides read access to the secondary endpoint.
- A SAS is safer than sharing an account key for limited delegated access.
- A stored access policy helps centrally revoke service SAS tokens.
- AzCopy is a command-line transfer tool; Storage Explorer is a graphical management tool.
- A private endpoint provides a private IP; a service endpoint does not.
Domain 3 — Deploy and Manage Azure Compute Resources
4.10 ARM templates and Bicep
Infrastructure as code makes deployments repeatable.
ARM templates
ARM templates are declarative JSON files.
Bicep
Bicep is an Azure-native declarative language that compiles to ARM JSON.
Use Bicep when you want:
- Cleaner syntax
- Reusable modules
- Parameters
- Outputs
- Repeatable deployment
- Easier maintenance than raw JSON
Common deployment tasks
You should be able to:
- Interpret ARM templates or Bicep files
- Modify parameters
- Modify resources
- Deploy resources
- Export existing deployments
- Convert an ARM template to Bicep
- Use reusable modules
Deployment modes
| Mode | Behavior |
|---|---|
| Incremental | Adds or updates declared resources; leaves unrelated resources |
| Complete | Can remove resources not declared in the template at the deployment scope |
Exam rule:
Resources not listed in the template must remain.
Choose:
Incremental mode.
Export and decompile
Use export as a starting point for infrastructure as code. Review generated templates before production use.
Possible workflow:
Existing Azure resources
→ Export ARM template
→ Refine template
→ Optionally decompile to Bicep
→ Parameterize
→ Deploy repeatedly
4.11 Virtual machines
VM components
A VM commonly includes:
- VM resource
- Network interface
- Virtual network and subnet
- OS disk
- Optional data disks
- Optional public IP
- Optional NSG
- Boot diagnostics
- Optional availability configuration
Resize a VM
Resize when you need more CPU or memory while keeping existing disks and configuration.
Managed disks
Change disk size or SKU when you need more capacity or performance.
Encryption at host
Use encryption at host when security policy requires host-level encryption for:
- Temporary disks
- Disk caches
- Data paths on the host
Do not confuse this with only encrypting managed disks at rest.
Moving VMs
Before moving a VM:
- Check move support
- Check dependent resources
- Include required NICs, disks, and related resources
- Validate before committing
A move between regions is different from a move between resource groups.
4.12 VM availability and scale
Availability options solve different failure modes.
| Feature | Purpose | Scale Automatically? | Regional DR? |
|---|---|---|---|
| Availability set | Spread VMs across fault and update domains | No | No |
| Availability zones | Spread VMs across separate datacenters in a region | No | No |
| Virtual Machine Scale Sets | Manage multiple similar VM instances and autoscale | Yes | Not by itself |
| Azure Backup | Restore from recovery points | No | Not active failover |
| Azure Site Recovery | Replicate and orchestrate failover | No | Yes |
Availability sets
Use when:
- Multiple VMs must reduce correlated host-failure and maintenance risk
- Availability zones are not used or not available for the workload
Availability zones
Use when:
- Datacenter-level fault isolation is required within one Azure region
- The region and service support zones
Virtual Machine Scale Sets
Use when:
- Instances are similar
- Scale-out and scale-in are required
- Workload is stateless or appropriately designed
- Autoscale rules should change instance count
Memory rule:
- Availability set: resilient placement
- Availability zones: datacenter separation
- Scale set: resilient group plus scaling
4.13 Containers
Azure Container Registry
Use Azure Container Registry (ACR) to store private container images and artifacts.
Azure Container Instances
Use Azure Container Instances (ACI) when you need:
- Fast container execution
- No server administration
- No orchestrator management
- A simple batch or utility workload
- Explicit CPU and memory sizing for a container group
Azure Container Apps
Use Azure Container Apps when you need:
- Managed microservices
- Revisions
- Ingress
- Replica scaling
- Scale-to-zero behavior
- Event-driven or HTTP-based scaling
Service comparison
| Requirement | Best Fit |
|---|---|
| Run one container quickly | Azure Container Instances |
| Scale a microservice based on traffic | Azure Container Apps |
| Store private container images | Azure Container Registry |
| Scale groups of VMs | Virtual Machine Scale Sets |
| Host web apps without managing servers | Azure App Service |
Container sizing versus scaling
- Sizing: CPU and memory requested for a container
- Scaling: Number of replicas or instances
Do not confuse adding replicas with increasing the resources of one container.
4.14 Azure App Service
App Service hosts web applications and APIs without requiring VM management.
App Service plan
The App Service plan defines:
- Region
- Pricing tier
- Compute capacity
- Scaling features
- Shared hosting capacity for apps
Scale up versus scale out
| Action | Meaning |
|---|---|
| Scale up | Move to a larger or more capable pricing tier |
| Scale out | Increase the number of instances |
| Scale in | Reduce the number of instances |
Question:
Add instances when CPU rises and remove them when load falls.
Choose:
Autoscale rules on the App Service plan.
TLS and custom domains
To serve a custom domain securely:
- Configure the DNS mapping.
- Add the custom domain.
- Bind an appropriate TLS certificate.
- Enforce HTTPS.
A DNS record alone does not configure TLS.
App Service networking
| Requirement | Feature |
|---|---|
| App needs outbound access to private VNet resources | VNet integration |
| Clients need inbound private access to the app | Private endpoint, where supported and appropriate |
| Restrict inbound access | Access restrictions and networking controls |
| Validate new app release safely | Deployment slot |
Deployment slots
Use slots when you need:
- Pre-production validation
- Minimal-downtime release
- Fast rollback
- Controlled slot swap
Pattern:
Deploy to staging slot
→ Validate
→ Swap staging with production
→ Roll back with another swap if necessary
App Service backup
Configure App Service backups when supported by the selected tier and workload requirements.
Domain 3 Exam Traps
- Incremental mode preserves unrelated resources; Complete mode can remove undeclared resources.
- Resize changes VM compute size; it does not require rebuilding the VM.
- Encryption at host is specifically important for temporary disks and caches.
- Availability zones and availability sets are not autoscaling solutions.
- Scale sets scale VMs, not App Service plans.
- Azure Container Instances is simpler than Azure Container Apps.
- Azure Container Apps is better for revisions, ingress, replica scaling, and scale-to-zero.
- VNet integration is for App Service outbound connectivity.
- A deployment slot supports safer releases; it is not a scaling feature.
Domain 4 — Implement and Manage Virtual Networking
4.15 Virtual networks and subnets
A virtual network is an isolated Azure network. Subnets divide the VNet into segments.
Use subnets to separate:
- Web tier
- Application tier
- Database tier
- Management tier
- Private endpoint subnet
- Bastion subnet
Addressing
Avoid overlapping address spaces when networks must be connected.
Example:
Hub VNet: 10.0.0.0/16
Spoke A: 10.10.0.0/16
Spoke B: 10.20.0.0/16
On-prem: 172.16.0.0/16
VNet peering
Use peering for private communication between VNets over the Microsoft backbone.
Key rule:
VNet peering is not transitive by default.
If:
VNet-A ↔ VNet-B
VNet-B ↔ VNet-C
Do not assume:
VNet-A ↔ VNet-C
Gateway transit
In hub-and-spoke networks:
- Hub peering: allow gateway transit
- Spoke peering: use remote gateways
This allows a spoke to use the hub gateway when supported and correctly configured.
4.16 Routing
Azure uses routes to determine the next hop.
User-defined routes
Use a route table with a UDR when traffic must be directed through:
- A network virtual appliance
- A firewall
- A gateway
- A specific next hop
Pattern:
Subnet
→ Route table
→ UDR
→ Next hop: virtual appliance
Effective routes
When troubleshooting, inspect effective routes on the NIC to see applied routes and selected paths.
Route versus NSG
| Feature | Purpose |
|---|---|
| Route table / UDR | Determines where traffic goes |
| NSG | Determines whether traffic is allowed |
| DNS | Determines which IP address a name resolves to |
| Load balancer | Distributes traffic to healthy backends |
4.17 NSGs and application security groups
NSGs
Network security groups filter inbound and outbound traffic.
An NSG rule includes:
- Source
- Source port
- Destination
- Destination port
- Protocol
- Direction
- Priority
- Allow or deny
Priority
Lower number = higher priority.
If both rules match:
Priority 100: Allow TCP 443
Priority 200: Deny TCP 443
The priority 100 allow rule applies first.
Effective security rules
A NIC can be affected by:
- Subnet NSG
- NIC NSG
Review effective security rules to see the combined result.
Application security groups
Use application security groups (ASGs) when NSG rules should refer to logical application groups rather than individual IP addresses.
Example:
ASG-Web → allow TCP 1433 → ASG-Database
This is easier to maintain than listing changing VM IP addresses.
4.18 Azure Bastion
Use Azure Bastion for RDP and SSH access to VMs without assigning public IP addresses directly to the VMs.
Choose Bastion when the question says:
- Administrators need browser-based secure access
- VMs must not expose public IP addresses
- RDP or SSH is required
Do not create public IP addresses on every VM if Bastion meets the requirement.
4.19 Service endpoints and private endpoints
These are heavily tested.
| Feature | Service Endpoint | Private Endpoint |
|---|---|---|
| Access path | PaaS public endpoint | Private IP in VNet |
| Public endpoint still used? | Yes | Private path used |
| DNS changes commonly needed? | Usually minimal | Yes, private DNS is important |
| Subnet identity sent to service? | Yes | Not the main model |
| Best clue | Restrict public PaaS endpoint to selected subnet | Disable public access and use private IP |
Service endpoint
Use when:
- The PaaS service public endpoint remains in use
- Access should be restricted to selected subnets
- A storage virtual-network rule should recognize a subnet
Private endpoint
Use when:
- The PaaS service should be reached using a private IP
- Public network access should be disabled
- Private DNS resolution is required
Pattern:
Client VM
→ Private DNS resolves service name
→ Private IP
→ Private endpoint
→ Azure PaaS resource
Private DNS
Private endpoint scenarios often need a private DNS zone linked to the VNet.
Wrong DNS configuration can cause clients to resolve the public endpoint instead of the private endpoint.
4.20 Azure DNS
Azure DNS can host:
- Public DNS zones
- Private DNS zones
Public DNS
Use public zones for internet-resolvable names after delegation is configured.
Private DNS
Use private DNS zones for internal name resolution across linked VNets.
4.21 Azure Load Balancer
Azure Load Balancer distributes Layer 4 TCP or UDP traffic.
Public versus internal
| Load Balancer Type | Frontend |
|---|---|
| Public load balancer | Public IP |
| Internal load balancer | Private IP |
Key components
- Frontend IP configuration
- Backend pool
- Health probe
- Load-balancing rule
- Optional inbound NAT rules
Health probes
Load balancers send traffic only to healthy backend instances.
Troubleshooting sequence:
- Is the backend VM running?
- Does the health probe succeed?
- Does the NSG allow probe traffic?
- Does the NSG allow workload traffic?
- Is the backend application listening?
- Is the backend pool correct?
NAT rule versus load-balancing rule
| Rule Type | Use |
|---|---|
| Load-balancing rule | Distribute application traffic across backends |
| Inbound NAT rule | Map frontend traffic to a specific backend port or instance |
4.22 Network Watcher
Use Network Watcher tools to troubleshoot connectivity.
| Tool | Best Use |
|---|---|
| Connection troubleshoot | Test reachability and identify failure point |
| Next hop | Determine route next hop |
| Effective routes | Review routes applied to a NIC |
| Effective security rules | Review NSG results |
| Connection Monitor | Continuously monitor connectivity |
Domain 4 Exam Traps
- Peering is not transitive.
- NSGs filter traffic; they do not determine route next hop.
- UDRs control routing; they do not open ports.
- A service endpoint does not assign a private IP to the PaaS service.
- A private endpoint commonly requires private DNS configuration.
- Bastion removes the need for public IP addresses on individual VMs.
- Lower NSG priority number wins.
- Load balancer backend health depends on probe success, not only VM power state.
Domain 5 — Monitor and Maintain Azure Resources
4.23 Azure Monitor fundamentals
Metrics versus logs
| Data Type | Best Use |
|---|---|
| Metrics | Numeric time-series data, dashboards, near-real-time threshold alerts |
| Logs | Rich records queried with KQL |
| Activity Log | Subscription-level management-plane events |
| Resource logs | Service-specific operational logs |
| Guest OS telemetry | Collected from the VM guest using an agent and data collection rules |
Simple decision rules
- Need a CPU chart? Metrics
- Need to query detailed records? Logs
- Need to find who deleted a resource? Activity Log
- Need guest OS counters? Azure Monitor Agent + data collection rule
4.24 Diagnostic settings and data collection
Diagnostic settings
Diagnostic settings route supported platform logs and metrics to destinations such as:
- Log Analytics workspace
- Storage account
- Event Hub
Creating a Log Analytics workspace alone does not automatically collect every resource log.
Pattern:
Azure resource
→ Diagnostic setting
→ Log Analytics workspace
→ KQL query
Azure Monitor Agent and data collection rules
Use Azure Monitor Agent (AMA) and a data collection rule (DCR) when collecting supported guest OS telemetry.
Pattern:
VM guest
→ Azure Monitor Agent
→ Data collection rule
→ Log Analytics workspace
4.25 Log Analytics and KQL
Kusto Query Language (KQL) queries logs.
Common operators
| Operator | Purpose |
|---|---|
where |
Filter rows |
project |
Select or shape columns |
summarize |
Aggregate results |
order by |
Sort results |
top |
Return highest-ranked rows |
extend |
Add calculated columns |
Example:
AzureActivity
| where ActivityStatusValue == "Failed"
| summarize Failures = count() by ResourceGroup
| order by Failures desc
Reasoning pattern
- Need only matching rows?
where - Need counts by category?
summarize - Need fewer columns?
project - Need highest values?
topororder by
4.26 Alerts
Alert pipeline
Telemetry
→ Alert rule
→ Condition
→ Action group
→ Notification or automation
Alert rules
Use alert rules for:
- High CPU
- Failed operations
- Log-query conditions
- Resource health conditions
- Availability or connectivity conditions
Action groups
Action groups define reusable actions such as:
- SMS
- Push notification
- Voice notification
- Webhook
- Automation action
Use one action group across multiple alert rules when the same response is required.
Alert processing rules
Use alert processing rules when alerts should continue evaluating but notifications should be suppressed or modified temporarily.
Typical case:
Planned maintenance window.
Do not delete all alert rules and recreate them later.
4.27 Insights and network monitoring
Insights
| Insight | Purpose |
|---|---|
| VM insights | VM performance and dependency views |
| Storage insights | Storage monitoring views |
| Network insights | Network-resource visibility |
Connection Monitor
Use Network Watcher Connection Monitor for continuous monitoring between endpoints.
Do not confuse:
- One-time connectivity test: connection troubleshoot
- Continuous monitoring: Connection Monitor
4.28 Backup and recovery
Recovery Services vault versus Backup vault
| Vault Type | Common Use |
|---|---|
| Recovery Services vault | Azure VM backup and several established backup scenarios |
| Backup vault | Supported newer Azure Backup workloads such as Azure Disk Backup |
Always match the vault to the protected workload.
Backup policy
A backup policy defines:
- Schedule
- Frequency
- Retention
- Protected workload configuration
Creating a vault alone does not define the required schedule.
Restore
Use a recovery point to restore:
- Files
- Disks
- VM data
- Supported workload state
Azure Site Recovery
Use Azure Site Recovery for:
- Replication
- Regional disaster recovery
- Failover orchestration
- Test failover
- Planned or unplanned failover workflows
Backup versus Site Recovery
| Requirement | Best Service |
|---|---|
| Restore accidentally deleted or corrupted data | Azure Backup |
| Keep recovery points | Azure Backup |
| Replicate workload for regional failover | Azure Site Recovery |
| Validate DR without disrupting production | Site Recovery test failover |
Domain 5 Exam Traps
- Creating a workspace does not automatically collect resource logs.
- Diagnostic settings route telemetry; alert rules evaluate conditions.
- Action groups define responses; they do not collect logs.
- Alert processing rules suppress or modify actions without deleting alerts.
- Metrics and logs solve different problems.
- Activity Log is for management-plane operations.
- Azure Backup and Site Recovery are complementary but not interchangeable.
- A test failover validates DR without disrupting production.
5. Service Selection Guide
Identity and governance
| Requirement | Choose | Avoid Confusing With |
|---|---|---|
| Automatically update group membership from attributes | Dynamic Microsoft Entra group | Assigned membership |
| External partner authentication | Microsoft Entra B2B guest | Shared internal account |
| Pilot self-service password reset | SSPR for selected users | Azure RBAC |
| View resources only | Reader | Contributor |
| Modify resources but not assign roles | Contributor | Owner |
| Manage access assignments | User Access Administrator | Contributor |
| Block unsupported resource locations | Azure Policy with deny | Resource lock |
| Prevent deletion but allow modification | CanNotDelete lock | ReadOnly lock |
| Freeze changes and deletion | ReadOnly lock | CanNotDelete lock |
| Apply governance to multiple subscriptions | Management group | Resource group |
| Forecast spending threshold alert | Cost Management budget | Azure Monitor CPU alert |
| Cost optimization recommendations | Azure Advisor | Azure Monitor |
Storage
| Requirement | Choose | Avoid Confusing With |
|---|---|---|
| General-purpose account | StorageV2 | BlockBlobStorage |
| Delegated time-limited access | SAS | Account key |
| Centrally revoke service SAS tokens | Stored access policy | Key rotation |
| Zone-level storage resilience | ZRS | LRS |
| Geo-replication with readable secondary | RA-GRS | GRS |
| Recover deleted blob | Blob soft delete | Blob versioning |
| Recover deleted container | Container soft delete | Blob soft delete |
| Restore overwritten blob | Blob versioning | Lifecycle rule |
| Point-in-time Azure Files copy | Share snapshot | Blob snapshot |
| Recover deleted Azure file share | Azure Files soft delete | Blob soft delete |
| Bulk command-line transfer | AzCopy | Storage Explorer |
| GUI storage management | Storage Explorer | AzCopy |
| Private-IP storage access | Private endpoint | Service endpoint |
Compute
| Requirement | Choose | Avoid Confusing With |
|---|---|---|
| Declarative repeatable deployment | ARM template or Bicep | Manual portal checklist |
| Preserve unrelated resources during deployment | Incremental mode | Complete mode |
| Host-level encryption for caches and temporary disks | Encryption at host | Only managed-disk encryption |
| Datacenter isolation in one region | Availability zones | Availability sets |
| Host and update-domain distribution | Availability set | Scale set |
| Similar VMs with autoscale | Virtual Machine Scale Sets | Availability set |
| Private image registry | Azure Container Registry | Blob container |
| Fast simple container execution | Azure Container Instances | Container Apps |
| Microservice revisions and scale-to-zero | Azure Container Apps | ACI |
| Shared web-app hosting compute | App Service plan | Deployment slot |
| Safe web-app rollout | Deployment slot | Autoscale |
| Outbound App Service access to VNet | VNet integration | Private endpoint |
Networking
| Requirement | Choose | Avoid Confusing With |
|---|---|---|
| Connect VNets privately | VNet peering | Load balancer |
| Send subnet traffic through appliance | UDR | NSG |
| Allow or deny ports | NSG | Route table |
| Group NICs logically for NSG rules | ASG | IP-address list |
| Secure RDP or SSH without VM public IP | Azure Bastion | Public IP per VM |
| Use public PaaS endpoint restricted to subnet | Service endpoint | Private endpoint |
| Use PaaS private IP and disable public access | Private endpoint | Service endpoint |
| Host public DNS records | Azure DNS public zone | Private DNS zone |
| Resolve private endpoint privately | Private DNS zone linked to VNet | Public DNS only |
| Distribute internet TCP/UDP traffic | Public load balancer | Internal load balancer |
| Distribute private TCP/UDP traffic | Internal load balancer | Public load balancer |
Monitoring and recovery
| Requirement | Choose | Avoid Confusing With |
|---|---|---|
| CPU time-series chart | Metrics | Activity Log |
| Query detailed logs | Log Analytics + KQL | Metrics only |
| Route resource logs to workspace | Diagnostic settings | Workspace alone |
| Collect guest OS counters | Azure Monitor Agent + DCR | Platform metrics only |
| Reusable alert actions | Action group | Alert processing rule |
| Silence notifications during maintenance | Alert processing rule | Delete alerts |
| Continuous endpoint connectivity monitoring | Connection Monitor | One-time troubleshoot |
| Back up Azure VMs | Recovery Services vault | Backup vault by default |
| Newer supported backup workload such as disk backup | Backup vault | Recovery Services vault by assumption |
| Regional failover orchestration | Azure Site Recovery | Azure Backup |
6. Architecture Patterns
6.1 Governed multi-subscription Azure landing pattern
Tenant
└── Management group hierarchy
├── Production
│ ├── Subscription: App Production
│ └── Subscription: Data Production
└── Non-production
├── Subscription: Development
└── Subscription: Sandbox
Apply:
- Azure Policy at management-group scope
- RBAC at the smallest practical scope
- Tags for owner, application, environment, and cost center
- Budgets per subscription or workload scope
- Resource locks on critical production resources
Reasoning:
- Use management groups for cross-subscription governance.
- Use subscriptions for billing and access boundaries.
- Use resource groups for workload lifecycle management.
- Use locks only for accidental-change protection.
6.2 Secure storage pattern
Application subnet
→ Private DNS
→ Private endpoint private IP
→ Storage account
Configure:
- Disable or tightly restrict public network access
- Private endpoint
- Private DNS integration
- Data-plane role assignment at smallest scope
- Blob soft delete
- Container soft delete
- Blob versioning when overwrite recovery matters
- Lifecycle rule for aging data
- Customer-managed key only when required
Reasoning:
- Private endpoint solves private-IP access.
- Azure RBAC solves identity permission.
- Soft delete and versioning solve different recovery problems.
- Lifecycle management controls cost and retention.
6.3 Highly available web tier on VMs
Internet
→ Public IP
→ Public Load Balancer
→ Health probe
→ VM Scale Set across availability zones
→ Application instances
Configure:
- VM scale set
- Availability zones where supported
- Autoscale rule
- Backend pool
- Health probe
- Load-balancing rule
- NSG rules for application and probe traffic
- Azure Monitor alerting
Reasoning:
- Scale sets manage instance count.
- Zones reduce datacenter-level risk.
- Health probes remove unhealthy instances from rotation.
- NSGs still need to permit required traffic.
6.4 Private internal application
Internal clients
→ Private DNS
→ Internal Load Balancer private IP
→ Backend VMs
Configure:
- Internal load balancer
- Private frontend IP
- Backend pool
- Health probe
- NSG rules
- Optional ASGs for tier-based security
Use when the service must not be reachable directly from the internet.
6.5 Hub-and-spoke routing pattern
Spoke A ─┐
├── Hub VNet → Firewall / NVA → Internet or on-premises
Spoke B ─┘
Configure:
- Non-overlapping address spaces
- VNet peering
- Gateway transit where needed
- Remote gateway usage in spokes where appropriate
- Route tables and UDRs for forced routing
- NSGs for filtering
- Effective route checks during troubleshooting
Reasoning:
- Peering connects VNets.
- UDRs direct traffic.
- NSGs allow or deny flows.
- Gateway transit is explicit.
6.6 App Service release pattern
Source package
→ Staging deployment slot
→ Validate
→ Swap with production
→ Monitor
→ Swap back if rollback is needed
Configure:
- App Service plan
- App Service app
- Deployment slot
- Custom domain
- TLS certificate binding
- HTTPS-only access
- Autoscale rules when needed
- VNet integration for outbound private access
- Backup when required
6.7 Monitoring pipeline
Azure resources
→ Metrics / logs / guest telemetry
→ Diagnostic settings or Azure Monitor Agent + DCR
→ Log Analytics workspace
→ KQL query
→ Alert rule
→ Action group
→ Notification or automation
Optional:
Alert processing rule
→ Suppress or modify notifications during maintenance
6.8 Backup and disaster-recovery pattern
Production VM
├── Azure Backup → Recovery points → Restore
└── Azure Site Recovery → Secondary region → Test failover / failover
Reasoning:
- Backup protects data and recovery points.
- Site Recovery orchestrates workload continuity during regional outage.
- Test failover validates the DR plan safely.
7. Exam Traps
7.1 Governance traps
| Trap | Correct Reasoning |
|---|---|
| Choose Owner because it always works | Prefer smaller role and scope |
| Choose Contributor to manage role assignments | Use User Access Administrator or Owner only when justified |
| Use a lock to prevent noncompliant deployment | Use Azure Policy |
| Use tags for access restriction | Tags are metadata |
| Apply policy separately to every subscription | Consider management-group scope |
| Remove an entire policy because one resource cannot comply | Consider exemption or excluded scope |
7.2 Storage traps
| Trap | Correct Reasoning |
|---|---|
| Share account keys with vendors | Prefer scoped SAS |
| Assume GRS secondary is readable | RA-GRS provides readable secondary |
| Use Archive for immediate retrieval | Archive requires rehydration |
| Use blob soft delete for overwritten content | Blob versioning preserves earlier values |
| Use blob versioning to restore an entire deleted container | Container soft delete is the direct feature |
| Choose service endpoint when private IP is required | Use private endpoint |
7.3 Compute traps
| Trap | Correct Reasoning |
|---|---|
| Use Complete deployment mode casually | It can remove undeclared resources |
| Use availability set for autoscaling | Use VM scale set |
| Use scale set when the requirement is only safer placement | Availability set or zones may be enough |
| Use ACI for revisions and scale-to-zero | Container Apps is usually better |
| Use private endpoint for outbound App Service VNet access | Use VNet integration |
| Configure DNS only for HTTPS | Add TLS binding and enforce HTTPS |
7.4 Networking traps
| Trap | Correct Reasoning |
|---|---|
| NSG controls route next hop | Route tables and UDRs control routing |
| UDR opens TCP port 443 | NSG filters ports |
| Peering is automatically transitive | It is not transitive by default |
| VM is running, so load balancer must send traffic | Probe and NSG conditions still matter |
| Service endpoint gives service a private IP | Private endpoint provides private IP |
| Private endpoint works automatically without DNS | Private DNS is frequently required |
7.5 Monitoring and recovery traps
| Trap | Correct Reasoning |
|---|---|
| Create workspace and expect all logs | Configure diagnostic settings or agent collection |
| Use metrics to identify who deleted a resource | Use Activity Log |
| Use action group to collect telemetry | Action groups perform actions |
| Delete alerts during maintenance | Use alert processing rules |
| Use Backup as regional active failover | Use Site Recovery |
| Perform unplanned failover for testing | Use test failover |
8. Quick Memory Rules
Identity and governance
- Dynamic group = membership follows attributes.
- Guest = external collaborator.
- SSPR selected users = pilot rollout.
- Reader = view only.
- Contributor = manage resources, not role assignments by default.
- User Access Administrator = manage access.
- Policy = enforce.
- Lock = protect from accidental change.
- Tag = label and report.
- Management group = govern subscriptions.
- Budget = notify about spending.
- Advisor = recommendations.
Storage
- StorageV2 = general-purpose account.
- SAS = delegated, limited, temporary access.
- Stored access policy = centrally manage service SAS revocation.
- ZRS = zones.
- GRS = secondary region.
- RA-GRS = readable secondary.
- Blob soft delete = deleted blob.
- Container soft delete = deleted container.
- Blob versioning = overwritten blob.
- Snapshot = point-in-time copy.
- Lifecycle management = automate tiering and deletion.
- AzCopy = CLI transfer.
- Storage Explorer = GUI.
- Private endpoint = private IP.
Compute
- Bicep = clean Azure infrastructure as code.
- Incremental mode = preserve undeclared resources.
- Resize VM = change CPU and memory.
- Disk SKU or size = change disk performance or capacity.
- Encryption at host = protect host-side caches and temporary disks.
- Availability set = fault and update domains.
- Availability zones = separate datacenters in one region.
- Scale set = autoscaling VM instances.
- ACR = private image registry.
- ACI = simple container execution.
- Container Apps = microservices, ingress, revisions, scale-to-zero.
- App Service plan = shared web compute.
- Deployment slot = safe release.
- VNet integration = App Service outbound private access.
Networking
- Peering = connect VNets.
- Peering is not transitive.
- UDR = choose next hop.
- NSG = allow or deny traffic.
- ASG = group NICs logically.
- Lower NSG priority number wins.
- Bastion = RDP and SSH without VM public IP.
- Service endpoint = selected subnet to public PaaS endpoint.
- Private endpoint = private IP to PaaS.
- Private DNS = resolve private endpoint correctly.
- Public load balancer = internet frontend.
- Internal load balancer = private frontend.
- Health probe = backend eligibility.
Monitoring and recovery
- Metrics = numeric time series.
- Logs = rich records.
- Activity Log = management-plane events.
- Diagnostic setting = route platform telemetry.
- Azure Monitor Agent + DCR = guest telemetry.
- KQL
where= filter rows. - Action group = notify or automate.
- Alert processing rule = suppress or modify alert actions.
- Connection Monitor = continuous connectivity checks.
- Recovery Services vault = Azure VM backup.
- Backup vault = supported newer backup workloads.
- Azure Backup = recovery points and restore.
- Site Recovery = replication and failover.
- Test failover = validate DR safely.
9. Final Revision Notes
9.1 One-page reasoning framework
For each question, classify the problem:
| Problem Type | Ask Yourself |
|---|---|
| Access | Is this identity, role, scope, inheritance, or data plane? |
| Governance | Is this enforcement, protection, labeling, or billing? |
| Storage | Is this access, redundancy, tiering, or recovery? |
| Compute | Is this deployment, sizing, availability, scaling, or hosting model? |
| Network | Is this DNS, routing, filtering, private access, or load balancing? |
| Monitoring | Is this collection, query, alerting, or notification? |
| Recovery | Is this restore or disaster-recovery failover? |
9.2 Elimination strategy
Remove options that:
- Solve the wrong Azure layer
- Grant broader scope than necessary
- Use a manual workaround when a native service exists
- Expose resources publicly without a requirement
- Confuse availability with backup
- Confuse backup with disaster recovery
- Confuse route control with traffic filtering
- Confuse App Service inbound private access with outbound VNet integration
- Confuse storage configuration permission with data access
9.3 High-frequency comparisons to memorize
| Compare | Key Difference |
|---|---|
| Azure RBAC vs Azure Policy | Who can do it vs what configuration is allowed |
| Policy vs lock | Enforce configuration vs protect from accidental changes |
| CanNotDelete vs ReadOnly | Delete protection vs modification and delete protection |
| Dynamic vs assigned group | Attribute-driven vs manual membership |
| Contributor vs User Access Administrator | Resource modification vs access assignment management |
| LRS vs ZRS | One datacenter vs availability zones |
| GRS vs RA-GRS | Geo-copy vs geo-copy with secondary reads |
| SAS vs access key | Scoped temporary delegation vs broad account secret |
| Soft delete vs versioning | Deleted item recovery vs previous content version |
| Availability set vs zone | Fault/update domains vs separate datacenters |
| Availability zone vs Site Recovery | In-region resilience vs regional DR |
| ACI vs Container Apps | Simple container vs managed microservice platform |
| App Service scale up vs scale out | Larger instances vs more instances |
| Service endpoint vs private endpoint | Restricted public endpoint vs private IP |
| NSG vs UDR | Filter traffic vs choose route |
| Metrics vs logs | Time-series measurements vs queryable records |
| Diagnostic settings vs action groups | Send telemetry vs act on alerts |
| Backup vs Site Recovery | Restore points vs failover orchestration |
9.4 Mini case studies
Case 1 — Least privilege
Requirement:
A support engineer can restart VMs in one resource group only.
Answer:
Assign Virtual Machine Contributor at that resource-group scope.
Why:
- Correct role
- Smallest useful scope
- No unnecessary subscription-wide rights
Case 2 — Secure storage access
Requirement:
VMs must access storage through a private IP and public access must be disabled.
Answer:
Configure a private endpoint and private DNS resolution.
Why:
- Private endpoint creates the private-IP path
- DNS ensures the storage name resolves privately
Case 3 — Blob recovery
Requirement:
Users overwrite blobs and need previous content.
Answer:
Enable blob versioning.
Why:
- The problem is modification, not deletion
Case 4 — Web deployment
Requirement:
Validate a new App Service release and switch traffic with minimal downtime.
Answer:
Deploy to a staging slot and perform a slot swap.
Case 5 — VM regional recovery
Requirement:
Replicate VMs to a secondary region and test recovery without disrupting production.
Answer:
Configure Azure Site Recovery and run a test failover.
Case 6 — Network troubleshooting
Requirement:
A VM cannot reach an on-premises destination and a custom route may be responsible.
Answer:
Review effective routes and use next-hop analysis.
Case 7 — Monitoring
Requirement:
Notify a webhook when resource logs match a KQL condition.
Answer:
Diagnostic setting
→ Log Analytics workspace
→ Log alert rule
→ Action group with webhook
10. Exam-Day Checklist
Before starting
- Confirm that you understand the current exam interface.
- Read every requirement carefully.
- Identify whether the question asks for one answer or a combination.
- Notice scope words such as:
- only
- all subscriptions
- one resource group
- private IP
- public endpoint
- selected subnet
- minimize administration
- least privilege
- no downtime
- automatically
- recover
- fail over
During the exam
Use this five-step method:
- Identify the domain.
- Identify the Azure layer.
- Eliminate options that solve a different problem.
- Prefer the smallest scope and simplest native feature.
- Re-read the requirement before confirming.
Last-minute checks
Before submitting an answer, ask:
- Did I choose a role that is too broad?
- Did I confuse management-plane and data-plane access?
- Did I choose Policy when the question asks for a lock, or a lock when it asks for Policy?
- Did I choose service endpoint when private IP is required?
- Did I forget private DNS for a private endpoint?
- Did I confuse route tables and NSGs?
- Did I confuse availability with backup?
- Did I confuse Azure Backup with Azure Site Recovery?
- Did I choose a GUI tool when the question asked for command-line bulk transfer?
- Did I choose a manual process when Azure offers automation?
Final Rapid Review Sheet
IDENTITY
Dynamic group = automatic attributes
Guest = external identity
SSPR = user password reset
RBAC = who can do what at which scope
GOVERNANCE
Policy = enforce
Lock = protect
Tag = label
Management group = govern subscriptions
Budget = spend threshold
Advisor = recommendations
STORAGE
SAS = limited delegated access
Stored access policy = revoke SAS centrally
ZRS = zones
RA-GRS = readable geo-secondary
Blob soft delete = deleted blob
Container soft delete = deleted container
Versioning = overwritten blob
Lifecycle = aging data
Private endpoint = private IP
COMPUTE
Bicep = repeatable deployment
Incremental = preserve unrelated resources
Encryption at host = temp disk and cache protection
Availability set = fault/update domains
Availability zone = datacenter isolation
Scale set = autoscaling VMs
ACI = simple container
Container Apps = revisions and scale-to-zero
Deployment slot = safe web release
VNet integration = outbound App Service private connectivity
NETWORK
Peering = private VNet connection
Peering is not transitive
UDR = route
NSG = filter
ASG = logical NIC grouping
Bastion = RDP/SSH without VM public IP
Service endpoint = restricted public PaaS endpoint
Private endpoint = PaaS private IP
Private DNS = private endpoint name resolution
Health probe = load balancer backend eligibility
MONITORING AND RECOVERY
Metrics = numeric trend
Logs = KQL
Activity Log = management-plane history
Diagnostic settings = route platform logs
AMA + DCR = guest telemetry
Action group = notification
Alert processing rule = temporary suppression
Recovery Services vault = VM backup
Backup vault = supported newer backup workloads
Backup = restore
Site Recovery = failover
Test failover = safe DR validation
Source and Alignment Note
This course was synthesized from the reviewed AZ-104 practice bank and aligned with Microsoft's official AZ-104: Microsoft Azure Administrator study guide for the skills measured as of April 17, 2026. The structure intentionally merges repeated question patterns into reusable decision rules and does not reproduce raw exam dumps.
Unlock the full course
All 73 modules with detailed explanations, code examples, and exam tips.
Case study — project Falcon: Environment: test Primary constraint: minimize operational risk and avoid over-permissioning. Requirement: You need a governance hierarchy so that policy assignments apply to multiple subscriptions owned by Research. Which resource should you create?
Get Your Personalized Results
Enter your email to receive your score, weak-topic analysis, and a personalized revision plan.
Results sent! Check your inbox.
This Question is Locked
You're viewing 35 of 1100 free questions.
trending_up Certified pros earn 20-30% more
Higher salary: IT certifications add $12,000-$25,000/year on average to your paycheck
Job security: 87% of hiring managers prefer candidates with certifications : you become irreplaceable
More opportunities: Freelance gigs, remote roles, and promotions open up instantly
Practice all questions: Comprehensive practice is the #1 predictor of passing
Mock Exam : Upgrade to Unlock
Available in Q&A + Course + Mock Exam package
You've already started : one exam away from a career upgrade.