AZ-204 Syllabus — Objectives by Domain (Azure Developer Associate)

Use this syllabus as your source of truth for AZ-204. Work through each domain in order and drill targeted sets after every section.

What’s covered

• Domain 1: Develop Azure compute solutions (25-30%)
• Domain 2: Develop for Azure storage (15-20%)
• Domain 3: Implement Azure security (15-20%)
• Domain 4: Monitor and troubleshoot Azure solutions (5-10%)
• Domain 5: Connect to and consume Azure services and third-party services (20-25%)

Domain 1: Develop Azure compute solutions (25-30%)

Practice this topic →

Task 1.1 - Implement containerized solutions

• Create container images for solutions using Dockerfiles and follow best practices such as multi-stage builds and minimal base images.
• Tag and version container images in a way that supports repeatable deployments across dev/test/prod.
• Create and manage an Azure Container Registry (ACR) to store container images securely.
• Authenticate to ACR using Microsoft Entra ID, scoped tokens, or admin credentials and choose the appropriate option for a scenario.
• Build and publish a container image to ACR using the Azure CLI and Docker tooling.
• Configure automated image builds using ACR Tasks or CI/CD pipelines.
• Run containers using Azure Container Instances (ACI) and configure ports, environment variables, and resource limits.
• Use volumes and secrets patterns for containerized workloads without embedding secrets in images.
• Create solutions using Azure Container Apps and configure ingress for HTTP-based workloads.
• Configure Container Apps revisions and use traffic splitting for safe rollouts.
• Configure autoscaling rules for Container Apps including HTTP scaling and event-driven scaling (KEDA).
• Choose between ACI, Container Apps, and App Service containers based on orchestration needs and operational complexity.
• Configure logging and diagnostics for container workloads and route logs to the appropriate destination.
• Secure container workloads by controlling registry access and applying least privilege for image pull/push.

Task 1.2 - Implement Azure App Service Web Apps

• Create an Azure App Service plan and Web App using the appropriate runtime stack and hosting options.
• Configure application settings and connection strings to support environment-specific configuration.
• Configure custom domains and Transport Layer Security (TLS) settings including HTTPS-only.
• Implement authentication and authorization for App Service apps using Microsoft Entra ID when appropriate.
• Deploy code to App Service using common methods such as zip deploy or CI/CD pipelines.
• Deploy containerized solutions to App Service using images from ACR and configure image pull settings.
• Configure deployment slots and slot settings and perform safe slot swaps.
• Implement autoscaling for App Service plans using metric-based and schedule-based rules.
• Configure diagnostics and logging for App Service including application logs and web server logs.
• Integrate Application Insights with App Service for end-to-end telemetry and dependency tracking.
• Configure API settings such as CORS and allowed origins for web APIs.
• Configure service connections to dependent services using secure patterns such as managed identity or Key Vault references.
• Use Azure App Configuration or Key Vault references to centralize configuration and secrets.
• Apply networking controls such as access restrictions and private connectivity when scenarios require it.
• Choose deployment strategies that minimize downtime and enable quick rollback.
• Select the appropriate App Service tier based on scaling, networking, and compliance requirements.
• Identify common App Service deployment and configuration failures and recommend an appropriate fix.
• Monitor and troubleshoot App Service apps using logs, metrics, and Application Insights.

Task 1.3 - Implement Azure Functions

• Choose the appropriate Azure Functions hosting plan (Consumption, Premium, or Dedicated) based on scaling and cold start requirements.
• Create and configure an Azure Functions app with the correct runtime stack and required supporting resources.
• Implement HTTP-triggered functions with routes and appropriate authorization levels.
• Implement timer-triggered functions for scheduled processing.
• Implement data-triggered functions using queue or blob triggers and handle poison message patterns.
• Implement webhook and event-driven triggers such as Event Grid and Service Bus triggers.
• Implement input bindings to read data from services such as Blob Storage, Cosmos DB, or Service Bus.
• Implement output bindings to write data to services such as Blob Storage, Cosmos DB, Event Hubs, or Service Bus.
• Configure application settings and connection strings required by triggers and bindings.
• Use managed identities and Key Vault references in Functions to avoid embedding secrets.
• Implement retries, error handling, and idempotency for trigger-based processing.
• Configure logging for Functions and integrate with Application Insights.
• Deploy Azure Functions using run-from-package and CI/CD pipelines.
• Understand scaling behavior for Functions and how concurrency affects processing throughput.
• Recognize Durable Functions patterns for orchestrating long-running workflows.
• Consider private connectivity and network isolation requirements for Functions when scenarios require it.
• Optimize function performance and cost by reducing cold-start overhead and reusing SDK clients.
• Debug and troubleshoot Functions using logs, local tools, and telemetry.

Domain 2: Develop for Azure storage (15-20%)

Practice this topic →

Task 2.1 - Develop solutions that use Azure Cosmos DB

• Choose an appropriate Azure Cosmos DB API model based on application compatibility requirements.
• Create databases and containers and choose partition keys that support scale and avoid hot partitions.
• Perform CRUD operations on items by using the Azure Cosmos DB SDK.
• Query items using parameterized queries and handle pagination/continuation tokens.
• Set the appropriate consistency level for operations and explain the trade-offs.
• Design throughput settings (manual vs autoscale) and interpret RU consumption.
• Implement optimistic concurrency using ETags to handle update conflicts.
• Implement TTL and indexing configurations to meet retention and query requirements.
• Implement change feed notifications to react to data changes.
• Use change feed processor patterns including leases and checkpointing for scalable processing.
• Handle transient failures and throttling with appropriate retry policies.
• Secure access to Cosmos DB using keys or Microsoft Entra ID RBAC when available.
• Design data modeling patterns that balance query performance and scalability.
• Use bulk operations where appropriate and understand trade-offs.
• Monitor Cosmos DB performance using metrics and logs and interpret common signals.
• Reason about geo-redundancy and backup/restore capabilities at a conceptual level.

Task 2.2 - Develop solutions that use Azure Blob Storage

• Create storage accounts and blob containers and choose access levels appropriate to the scenario.
• Perform operations on blob data by using the appropriate SDK (upload, download, list).
• Set and retrieve blob properties and metadata such as content type and cache control.
• Use conditional operations with ETags and leases to handle concurrency.
• Implement storage policies such as soft delete, versioning, and immutability when required.
• Implement data lifecycle management rules and choose appropriate access tiers.
• Generate and use Shared Access Signatures (SAS) and choose an appropriate SAS type.
• Implement secure access patterns using identity-based authentication and RBAC when supported.
• Upload large objects efficiently using block blobs and parallel transfers.
• Select encryption and key management options based on compliance requirements.
• Integrate blob storage with event-driven workflows using blob change events.
• Use AzCopy and CLI tools for bulk transfers when appropriate.
• Handle transient storage errors with retries and idempotent operations.
• Design naming conventions and metadata strategies that support efficient retrieval and governance.
• Monitor blob storage operations using logs and metrics and interpret common signals.
• Optimize storage cost using tiering and lifecycle policies aligned to access patterns.

Domain 3: Implement Azure security (15-20%)

Practice this topic →

Task 3.1 - Implement user authentication and authorization

• Explain core OAuth 2.0 and OpenID Connect concepts at a developer level, including tokens, scopes, and audiences.
• Configure Microsoft Entra ID app registrations including redirect URIs and required API permissions.
• Authenticate and authorize users by using the Microsoft Identity platform and MSAL libraries.
• Implement service-to-service authentication using client credentials flow where appropriate.
• Validate JWT access tokens and configure API authorization middleware.
• Implement authorization using app roles and scopes and enforce least privilege.
• Use App Service built-in authentication when it meets the scenario requirements.
• Authenticate apps and services by using Microsoft Entra ID service principals where managed identity is not available.
• Prefer managed identities for Azure-hosted workloads to avoid managing secrets.
• Create and implement Shared Access Signatures (SAS) for Azure Storage access.
• Choose between account SAS, service SAS, and user delegation SAS based on security requirements.
• Use stored access policies and rotation patterns to control and revoke SAS access.
• Implement solutions that interact with Microsoft Graph using correct permissions.
• Request access tokens for Microsoft Graph with the correct scopes and handle pagination.
• Implement token caching and refresh strategies that avoid leaking tokens.
• Troubleshoot common authentication and authorization failures such as consent issues and invalid audiences.
• Design authentication for multi-tenant scenarios and external user access at a conceptual level.
• Apply least privilege across user permissions, app permissions, and storage access.

Task 3.2 - Implement secure Azure solutions

• Secure app configuration data by using Azure App Configuration for centralized settings.
• Secure app configuration data by using Azure Key Vault for secrets, keys, and certificates.
• Choose between Key Vault access policies and RBAC authorization models based on governance requirements.
• Configure Key Vault protections such as soft delete and purge protection when required.
• Develop code that uses secrets stored in Azure Key Vault using the appropriate SDK.
• Develop code that uses keys and certificates stored in Azure Key Vault.
• Implement Managed Identities for Azure resources and choose between system-assigned and user-assigned identities.
• Use DefaultAzureCredential and managed identity to avoid embedding credentials in code.
• Grant least-privilege access to Key Vault secrets, keys, and certificates.
• Implement safe secret rotation practices and handle versioning of secrets.
• Secure secrets in CI/CD and deployment pipelines without exposing plaintext values.
• Apply network controls to Key Vault and configuration stores when scenarios require private access.
• Implement encryption patterns that use keys without exporting key material.
• Audit and monitor access to Key Vault and configuration stores.
• Troubleshoot common Key Vault access failures related to identity, permissions, and networking.
• Choose between App Configuration and Key Vault based on whether the data is a secret or an application setting.

Domain 4: Monitor and troubleshoot Azure solutions (5-10%)

Practice this topic →

Task 4.1 - Monitor and troubleshoot solutions by using Application Insights

• Instrument an app or service to use Application Insights and configure the connection string.
• Monitor and analyze metrics, logs, and traces for Azure applications.
• Use custom events and custom metrics to capture domain-specific telemetry.
• Configure sampling and telemetry filtering to balance observability with cost.
• Investigate failures using end-to-end transaction details and dependency tracking.
• Use Live Metrics and quick diagnostics to triage incidents.
• Write basic KQL queries to analyze requests, dependencies, and exceptions.
• Implement Application Insights availability tests (web tests) for endpoints and APIs.
• Implement alerts based on metrics or log queries and configure action groups.
• Ensure distributed tracing context is propagated across services.
• Integrate App Service and Functions telemetry into Application Insights for unified analysis.
• Troubleshoot missing or incomplete telemetry due to misconfiguration or network restrictions.
• Identify performance bottlenecks using latency percentiles and dependency durations.
• Design a basic observability strategy using SLIs and meaningful alerts.

Domain 5: Connect to and consume Azure services and third-party services (20-25%)

Practice this topic →

Task 5.1 - Implement Azure API Management

• Create an Azure API Management instance and choose an appropriate tier for the scenario.
• Create and document APIs in API Management using OpenAPI definitions or manual operations.
• Configure API backends and route requests to the correct service.
• Configure access to APIs using products, subscriptions, and keys.
• Configure authentication to backends using secure patterns such as managed identity or certificates.
• Implement API policies such as rate limiting and quotas.
• Implement transformation policies such as header manipulation and URL rewriting.
• Implement CORS policies for browser-based clients.
• Implement caching policies to reduce backend load and improve performance.
• Implement JWT validation policies to protect APIs.
• Use named values and integrate secrets with Key Vault to avoid hard-coded policy values.
• Manage API versions and revisions and deploy changes safely.
• Publish developer portal documentation and onboarding materials.
• Configure diagnostics and logging for APIs and correlate failures with backend telemetry.
• Apply network and access controls such as IP filtering or private exposure when required.
• Create mock responses for testing and initial integration.
• Troubleshoot common API Management issues such as missing subscription keys or policy ordering problems.
• Design an API gateway strategy that centralizes cross-cutting concerns such as auth, throttling, and observability.

Task 5.2 - Develop event-based solutions

• Choose between Azure Event Grid and Azure Event Hubs based on whether the scenario is event routing or stream ingestion.
• Implement solutions that use Azure Event Grid topics and system topics.
• Configure Event Grid subscriptions including filters and delivery settings.
• Secure Event Grid subscriptions and endpoints and handle validation requirements.
• Implement Event Grid handlers using Azure Functions or webhooks.
• Configure dead-lettering and retry behavior for Event Grid delivery.
• Monitor Event Grid delivery failures and diagnose common misconfigurations.
• Implement solutions that use Azure Event Hubs for high-throughput event ingestion.
• Publish events to Event Hubs using producer clients and batching.
• Consume events from Event Hubs using consumer groups and checkpointing.
• Implement Event Processor patterns for scalable event processing.
• Handle scaling events and partition rebalancing in Event Hubs consumers.
• Use capture and archival patterns for Event Hubs when long-term storage is required.
• Choose serialization and schema strategies appropriate to the scenario.
• Monitor Event Hubs performance and diagnose throttling or consumer lag.
• Troubleshoot common Event Grid/Event Hubs issues such as authorization errors and endpoint timeouts.

Task 5.3 - Develop message-based solutions

• Choose between Azure Service Bus and Azure Queue Storage queues based on required features and guarantees.
• Implement solutions that use Azure Service Bus queues and topics/subscriptions.
• Send and receive Service Bus messages using the appropriate SDK.
• Choose the correct receive mode (peek-lock vs receive-and-delete) for reliability requirements.
• Settle messages correctly (complete, abandon, defer, dead-letter) based on processing outcomes.
• Implement retry strategies and handle dead-letter queues (DLQ) for failed processing.
• Use sessions to preserve ordering and support FIFO processing when required.
• Use duplicate detection and scheduled messages when scenarios require it.
• Use transactions to coordinate message operations when scenarios require atomicity.
• Implement Service Bus triggers in Azure Functions for message processing.
• Implement solutions that use Azure Queue Storage queues and configure visibility timeouts.
• Implement poison message handling for storage queues using retry counts and secondary queues.
• Secure access to messaging services using shared access policies or identity-based access when available.
• Tune throughput using batching, prefetch, and concurrency settings where appropriate.
• Configure message TTL and expiration behaviors to match business requirements.
• Monitor queue depth and processing latency and implement alerts.
• Troubleshoot common messaging issues such as lock lost, max delivery count reached, and throttling.
• Design message-based integration patterns that decouple services and isolate failures.

Tip: After finishing a domain, run a 20–30 question timed drill for that domain, then revisit weak objectives before moving on.