AZ-104 Syllabus — Objectives by Domain (Administrator)

Blueprint-aligned learning objectives for Microsoft Azure Administrator (AZ-104), organized by domain with quick links to targeted practice.

Use this syllabus as your source of truth for AZ-104. Work through each domain in order and drill targeted sets after every section.

What’s covered

Domain 1: Manage Azure identities and governance (20-25%)

Task 1.1 - Manage Microsoft Entra users and groups

  • Create user accounts in Microsoft Entra ID with required attributes by using the Azure portal, Azure PowerShell, or Azure CLI.
  • Create security groups and Microsoft 365 groups in Microsoft Entra ID and choose the appropriate group type for a given scenario.
  • Configure dynamic group membership rules for Microsoft Entra groups based on user or device attributes.
  • Modify user properties such as user principal name (UPN), job title, and department, and understand the impact of these changes on sign-in and downstream services.
  • Configure group properties including membership type, owners, and allowed membership management options.
  • Assign and remove product licenses directly to and from individual users in Microsoft Entra ID.
  • Implement group-based licensing in Microsoft Entra ID to manage application licenses at scale.
  • Identify and troubleshoot common licensing assignment issues such as insufficient available licenses or conflicting service plans.
  • Invite external business-to-business (B2B) guest users to the tenant and manage their user accounts.
  • Configure access restrictions, permissions, and lifecycle policies for external users in Microsoft Entra ID.
  • Enable and configure self-service password reset (SSPR) policies for users and groups.
  • Configure authentication methods for SSPR and understand the user registration experience.
  • Monitor and troubleshoot SSPR activity by using Microsoft Entra sign-in logs and audit logs.

Task 1.2 - Manage access to Azure resources

  • Describe the differences between common built-in Azure roles such as Owner, Contributor, Reader, and User Access Administrator.
  • Choose the least-privilege built-in role for a given scenario to avoid over-privileging users or groups.
  • Assign Azure roles at different scopes, including management group, subscription, resource group, and individual resources, by using the portal or scripts.
  • Explain how Azure role assignments inherit down the scope hierarchy from management groups to subscriptions, resource groups, and resources.
  • Use the Access control (IAM) blade to view who has access to a resource and what roles they have at each scope.
  • Interpret Azure role assignments, including principal type, role definition, scope, and assignment type.
  • Identify when a custom role is required instead of using only built-in roles, based on unique permission requirements.
  • Remove unnecessary or inappropriate role assignments and understand the impact on user access.
  • Diagnose common Azure RBAC-related 'Access denied' issues by reviewing role assignments and scopes.
  • Distinguish between Azure RBAC and resource-specific access models such as storage access keys or SQL logins.

Task 1.3 - Manage Azure subscriptions and governance

  • Explain the purpose of Azure Policy and how it helps enforce organizational standards and compliance across resources.
  • Assign built-in policy definitions and initiatives at the appropriate scope to enforce specific compliance requirements.
  • Interpret Azure Policy compliance results and understand common effect types such as Deny, Audit, Append, and Modify.
  • Design a basic tagging strategy for Azure resources based on cost center, environment, owner, and other metadata needs.
  • Apply, modify, and inherit tags at the resource and resource group levels to support reporting and policy enforcement.
  • Use Azure Policy or automation to ensure resources inherit required tags from their resource group.
  • Explain the purpose of resource locks and differentiate between CanNotDelete and ReadOnly lock types.
  • Apply resource locks at resource group or resource scope and understand how they prevent accidental changes or deletions.
  • Organize resources into resource groups based on lifecycle, permissions, and management requirements.
  • Move resources between resource groups and subscriptions and identify common constraints or unsupported moves.
  • Create and manage Azure subscriptions and understand their relationship to tenants and billing.
  • Organize multiple subscriptions by using management groups to apply governance and access control consistently.
  • Configure budget alerts in Azure Cost Management to notify stakeholders when spending approaches defined thresholds.
  • Analyze cost data in Azure Cost Management and Azure Advisor to identify opportunities for cost optimization.
  • Use Azure Advisor recommendations to improve cost, security, reliability, and operational excellence for subscriptions.
  • Distinguish when to use management groups, subscriptions, resource groups, and tags to meet governance requirements.
  • Understand how Azure Policy and resource locks can affect deployment success, including blocked or failed deployments.

Domain 2: Implement and manage storage (15-20%)

Task 2.1 - Configure access to storage

  • Configure storage account firewalls and virtual network rules to restrict access to trusted networks and services.
  • Plan network access to storage accounts by using service endpoints or private endpoints for Azure PaaS services.
  • Create account-level and service-level shared access signature (SAS) tokens with appropriate permissions, expiry, and IP constraints.
  • Explain the security risks associated with SAS tokens and apply best practices to reduce exposure.
  • Create stored access policies for blob containers or file shares to centrally manage SAS permissions and lifetimes.
  • Rotate and regenerate storage account access keys while minimizing application downtime.
  • Configure applications to use storage account connection strings or key-based authentication securely.
  • Enable identity-based access for Azure Files and assign the necessary permissions using Azure AD and file system ACLs.
  • Compare key-based, SAS-based, and identity-based access methods for storage and choose the best approach for different scenarios.
  • Troubleshoot common storage access issues such as firewall blocks, invalid SAS tokens, and missing Azure RBAC permissions.

Task 2.2 - Configure and manage storage accounts

  • Create storage accounts with the appropriate performance tier and account kind based on workload requirements.
  • Configure storage account redundancy options such as LRS, ZRS, GRS, RA-GRS, GZRS, and RA-GZRS based on durability and regional requirements.
  • Change storage account replication where supported and understand the impact on data availability and migration time.
  • Enable and configure object replication between storage accounts to replicate blob data across regions or accounts.
  • Configure encryption at rest for storage accounts by using Microsoft-managed keys or customer-managed keys stored in Key Vault.
  • Enforce encryption in transit for storage accounts by requiring secure transfer using HTTPS.
  • Use Azure Storage Explorer to upload, download, and manage blob and file data across storage accounts and subscriptions.
  • Use AzCopy to script bulk data transfer operations to and from Azure Storage.
  • Configure lifecycle management rules to automatically move blob data between access tiers or delete old data based on policies.
  • Monitor storage account performance and access using metrics and diagnostic logs in Azure Monitor.

Task 2.3 - Configure Azure Files and Azure Blob Storage

  • Create Azure Files shares with appropriate quotas and protocol settings for SMB or NFS workloads.
  • Configure Azure Files share permissions and access, including integration with Active Directory-based identities.
  • Create blob containers and select appropriate public access levels for different workloads.
  • Configure soft delete for blobs and containers and set an appropriate retention period.
  • Enable snapshots for Azure Files shares and restore individual files or entire shares from snapshots.
  • Configure soft delete for Azure Files and understand how it protects against unintended deletions.
  • Choose appropriate blob storage tiers (hot, cool, archive) based on access frequency and cost requirements.
  • Enable and manage blob versioning to protect against accidental overwrites or deletions.
  • Implement blob lifecycle management rules to transition data between tiers and delete data according to retention policies.
  • Plan and configure client access to Azure Files from Windows and Linux systems, including mounting and authentication options.
  • Plan and configure application access to Blob Storage using SAS tokens or managed identities.
  • Troubleshoot common Azure Files and Blob Storage issues such as access failures, throttling, and performance constraints.

Domain 3: Deploy and manage Azure compute resources (20-25%)

Task 3.1 - Automate deployment of resources by using ARM templates or Bicep files

  • Interpret the basic structure of an Azure Resource Manager (ARM) template, including parameters, variables, resources, and outputs.
  • Interpret Bicep syntax and understand how it maps to ARM template concepts such as parameters and resources.
  • Modify parameters and variables in an existing ARM template to change resource configurations.
  • Modify an existing Bicep file to add or update resource properties and add additional resources.
  • Deploy resources from an ARM template by using the Azure portal, Azure CLI, or Azure PowerShell.
  • Deploy resources from a Bicep file by using Azure CLI or Azure PowerShell.
  • Export an existing deployment or resource group as an ARM template from the Azure portal for reuse.
  • Use the Bicep CLI to decompile an ARM template to Bicep and recompile Bicep back to an ARM template.
  • Identify when to use templates or Bicep files instead of manual portal deployments to achieve repeatable infrastructure.

Task 3.2 - Create and configure virtual machines

  • Create Windows and Linux virtual machines using the Azure portal, Azure CLI, and Azure PowerShell.
  • Choose appropriate VM size families and SKUs based on CPU, memory, storage, and workload characteristics.
  • Attach, detach, and resize managed data disks for Azure virtual machines.
  • Configure disk caching options for VM OS and data disks and understand when to use each mode.
  • Implement Azure Disk Encryption for VM OS and data disks using platform-managed or customer-managed keys.
  • Configure snapshots and backup options for VM disks to support recovery scenarios.
  • Move a virtual machine between resource groups or subscriptions and understand common limitations and prerequisites.
  • Use Azure Resource Mover or backup and restore approaches to move VMs between Azure regions.
  • Deploy virtual machines in availability sets to improve availability within a single Azure region.
  • Deploy zonal or zone-redundant virtual machines across availability zones to protect against datacenter-level failures.
  • Create and manage Azure Virtual Machine Scale Sets, including configuring instance count and autoscale rules.
  • Configure VM networking, including NIC settings, public and private IPs, and association with network security groups.
  • Troubleshoot common VM issues such as startup failures, connectivity problems, or high resource utilization using Azure tools.

Task 3.3 - Provision and manage containers in the Azure portal

  • Create an Azure Container Registry (ACR) and select an appropriate SKU based on features and expected usage.
  • Push container images to and pull images from ACR using Docker and Azure CLI.
  • Provision Azure Container Instances (ACI) for simple containerized workloads that require fast startup and minimal management.
  • Configure environment variables, secrets, and networking for Azure Container Instances.
  • Provision containerized workloads by using Azure Container Apps and configure application environments.
  • Configure sizing and scaling rules for Azure Container Instances and Azure Container Apps to respond to workload demands.
  • Choose between ACI, Azure Container Apps, Azure Kubernetes Service (AKS), and App Service for container hosting scenarios.

Task 3.4 - Create and configure Azure App Service

  • Create an App Service plan with an appropriate pricing tier for web apps and APIs.
  • Configure vertical and horizontal scaling for an App Service plan, including autoscale rules.
  • Deploy applications to Azure App Service using deployment options such as source control, ZIP deployment, or containers.
  • Configure app settings and connection strings in App Service to externalize configuration securely.
  • Bind custom TLS/SSL certificates to an App Service app and manage certificate renewal.
  • Map custom DNS domain names to App Service apps using CNAME and A records.
  • Configure backup schedules and retention policies for App Service and perform app backups.
  • Restore an App Service app from a backup to recover from data loss or misconfiguration.
  • Configure App Service networking features such as virtual network integration and access restrictions.
  • Use private endpoints or service endpoints where supported to secure App Service connectivity to backend services.
  • Configure deployment slots for App Service and perform slot swaps to reduce deployment risk.
  • Configure logging and diagnostics for App Service, including application logs and HTTP logging.
  • Integrate App Service apps with managed identities to securely access other Azure resources.
  • Troubleshoot common App Service issues such as application startup failures, configuration mistakes, and SSL binding problems.

Domain 4: Implement and manage virtual networking (15-20%)

Task 4.1 - Configure and manage virtual networks in Azure

  • Create and configure virtual networks and subnets with appropriately sized address spaces.
  • Plan IP address spaces to avoid conflicts between Azure virtual networks and on-premises networks.
  • Resize virtual networks or add new subnets to accommodate growth while minimizing disruption.
  • Configure public IP addresses, including static versus dynamic allocation and SKU choices, and associate them with Azure resources.
  • Create and configure virtual network peering within and across regions to enable private network connectivity.
  • Configure VNet peering options such as gateway transit and traffic forwarding for hub-and-spoke topologies.
  • Design a hub-and-spoke virtual network architecture using VNet peering for centralized services and security appliances.
  • Create route tables and user-defined routes (UDRs) to control traffic paths within virtual networks.
  • Associate route tables with subnets and analyze effective routes for network interfaces.
  • Use Azure Network Watcher tools such as IP flow verify and Connection troubleshoot to diagnose connectivity issues.
  • Diagnose connectivity failures caused by misconfigured NSGs, route tables, or DNS settings in virtual networks.
  • Plan hybrid connectivity between Azure virtual networks and on-premises networks using VPN or ExpressRoute at a high level.
  • Configure basic VPN gateway settings for site-to-site connections, including address spaces and shared keys.
  • Verify VPN connections and troubleshoot common issues such as shared key mismatches or overlapping address spaces.
  • Understand Azure virtual network limits and the relationship between service endpoints and subnet configuration at a high level.

Task 4.2 - Configure secure access to virtual networks

  • Create and associate network security groups (NSGs) with subnets and network interfaces to control traffic.
  • Create inbound and outbound NSG rules with appropriate priorities, ports, and protocols to permit or deny traffic.
  • Use application security groups (ASGs) to simplify NSG rule management for groups of virtual machines.
  • Evaluate effective NSG rules to determine why specific traffic is allowed or denied.
  • Design NSG rules that follow least-privilege and zero-trust principles while still meeting application requirements.
  • Implement Azure Bastion to provide secure RDP and SSH access to VMs without exposing public IP addresses.
  • Compare Azure Bastion with jumpbox VMs and VPN-based administration for secure remote access.
  • Configure service endpoints to limit access to Azure PaaS services from specific subnets.
  • Configure private endpoints to provide private IP access to Azure PaaS services from virtual networks.
  • Differentiate scenarios where private endpoints are preferable to service endpoints for securing PaaS resources.
  • Restrict storage account or Azure SQL Database access to specific virtual networks by using private endpoints and NSGs.
  • Plan and configure Azure Firewall or network virtual appliances (NVAs) for centralized network security.
  • Integrate NSGs and route tables with Azure Firewall or NVAs to direct and filter traffic appropriately.
  • Use Azure Network Watcher NSG diagnostics to identify rules that block or allow specific traffic flows.
  • Recognize insecure network configurations such as allowing management ports from any internet source and apply safer alternatives.

Task 4.3 - Configure name resolution and load balancing

  • Configure public DNS zones and records in Azure DNS, including common record types such as A and CNAME.
  • Delegate a public DNS zone from a domain registrar to Azure DNS.
  • Configure private DNS zones and link them to virtual networks for internal name resolution.
  • Configure name resolution within virtual networks using Azure-provided DNS or custom DNS servers.
  • Create and configure a public load balancer with frontend IPs, backend pools, health probes, and load-balancing rules.
  • Create and configure an internal load balancer to distribute traffic within a virtual network.
  • Monitor load balancer health and troubleshoot common issues such as failing health probes or misconfigured backend pools.
  • Choose between Azure Load Balancer, Application Gateway, and Traffic Manager for different load balancing and routing scenarios.

Domain 5: Monitor and maintain Azure resources (10-15%)

Task 5.1 - Monitor resources in Azure

  • Interpret key Azure Monitor metrics such as CPU utilization, disk IOPS, and network throughput for common Azure resources.
  • Configure metric collection and retention settings for Azure resources.
  • Enable diagnostic settings to send resource logs and metrics to Log Analytics workspaces, Event Hubs, or storage accounts.
  • Describe the structure of Log Analytics workspaces and how data is organized into tables.
  • Write basic Kusto Query Language (KQL) queries to filter, sort, and summarize log data.
  • Use Azure Monitor workbooks and dashboards to visualize metrics and logs for operational insights.
  • Create metric alerts that trigger when resource metrics cross defined thresholds.
  • Create log alerts based on KQL queries in Log Analytics workspaces.
  • Configure action groups to define who is notified and which actions are taken when alerts fire.
  • Configure alert processing rules to suppress, route, or modify alerts based on scope, time, or other conditions.
  • Enable and interpret VM Insights to monitor virtual machine performance and dependencies.
  • Use Azure Monitor Insights for storage accounts to view capacity, availability, and performance information.
  • Use Azure Monitor Insights for networks to monitor virtual network health and traffic patterns.
  • Configure and interpret Azure Network Watcher connection monitors to test end-to-end connectivity.
  • Use Network Watcher capabilities such as packet capture and NSG flow logs to troubleshoot network traffic issues.
  • Enable and use Application Insights for App Service and other workloads to track application performance and failures.
  • Distinguish between Azure Monitor, Log Analytics, and Application Insights and understand their roles in monitoring.
  • Implement resource naming and tagging practices that support effective monitoring and alerting.

Task 5.2 - Implement backup and recovery

  • Create Recovery Services vaults in appropriate regions for Azure Backup and Azure Site Recovery.
  • Create Azure Backup vaults and understand differences compared to Recovery Services vaults.
  • Discover and register Azure resources such as VMs and disks with a backup or Recovery Services vault.
  • Create and configure backup policies, including schedules, retention settings, and backup types.
  • Configure Azure Backup for virtual machines and application workloads based on defined backup policies.
  • Run on-demand backup jobs and monitor their status in Azure Backup reports.
  • Restore full virtual machines, disks, or individual files from Azure backups.
  • Plan backup retention and long-term storage to meet business and compliance requirements.
  • Configure Azure Site Recovery (ASR) for Azure virtual machines, including source and target regions and replication policies.
  • Validate replication health and recovery point objectives (RPOs) for protected items in Site Recovery.
  • Plan network mapping, IP addressing, and NSG configuration for failover environments in Azure Site Recovery.
  • Perform planned and unplanned failovers by using Site Recovery to move workloads to a secondary region.
  • Perform test failovers to validate disaster recovery plans without impacting production workloads.
  • Reprotect or fail back workloads from the secondary region to the primary region after a Site Recovery failover.
  • Configure backup reports and alerts using Azure Monitor or Azure Backup Center.
  • Interpret common Azure Backup job errors and determine appropriate remediation steps.
  • Understand backup supportability and limitations for different Azure resource types such as files, blobs, and databases.
  • Differentiate between backup and disaster recovery (Site Recovery) scenarios and determine when to use each solution.
  • Design basic backup and disaster recovery strategies that balance cost against recovery point and recovery time objectives.

Tip: After finishing a domain, take a 20–25 question drill focused on that domain, then revisit weak objectives before moving on.