Microsoft AZ-104 Cheat Sheet: Administrator

Review Microsoft Azure Administrator (AZ-104) scope, resource-scope decisions, governance traps, networking, storage, compute, and monitoring before practicing in IT Mastery.

AZ-104 is an administrator exam, so many questions turn on scope, least privilege, operational evidence, and the smallest safe Azure change. Use this cheat sheet to review the decisions that come up repeatedly before timed practice.

Use this with practice. Review the admin checklist, then take the free diagnostic or open the AZ-104 route in IT Mastery.

Exam snapshot

| Field | Detail |
| --- | --- |
| Issuer | Microsoft |
| Exam name | Microsoft Azure Administrator |
| Exam code | AZ-104 |
| Passing score | 700 scaled score |
| IT Mastery status | Live AZ-104 practice available |

Domain map

| Domain | What to know | Common trap |
| --- | --- | --- |
| Identities and governance | Microsoft Entra ID, RBAC, scopes, subscriptions, policies, locks, tags, and management groups | Assigning permissions at a broader scope than the scenario requires |
| Storage | Storage accounts, access tiers, redundancy, private access, lifecycle management, shares, blobs, and backup | Confusing redundancy, backup, and soft delete |
| Compute | Virtual machines, scale sets, App Service, containers, templates, automation, and deployment options | Treating every compute problem as a VM problem |
| Virtual networking | VNets, subnets, NSGs, routes, private endpoints, service endpoints, load balancing, VPN, and DNS | Mixing up service endpoints and private endpoints |
| Monitoring and maintenance | Azure Monitor, alerts, logs, metrics, backup, update management, and recovery | Reading metrics without checking logs or scope |

Must-know distinctions

| Distinction | How to decide |
| --- | --- |
| RBAC vs Azure Policy | RBAC controls who can act; Policy controls what resources or configurations are allowed. |
| Management group vs subscription | Management groups organize policy and governance across subscriptions; subscriptions hold resources and billing boundaries. |
| Resource group vs tag | Resource groups manage lifecycle and permissions; tags classify resources for reporting and cost allocation. |
| Private endpoint vs service endpoint | A private endpoint gives a service a private IP; a service endpoint keeps the service's public endpoint but routes traffic from a subnet over the Azure backbone. |
| Metrics vs logs | Metrics are numeric time-series signals; logs give detailed event and request records. |
| Backup vs replication | Backup supports restore points; replication keeps another copy available for continuity or failover. |
| NSG vs route table | NSGs allow or deny traffic; route tables change next-hop behavior. |
| Availability set vs availability zone | Availability sets separate fault/update domains in a datacenter; zones separate across datacenters in a region. |

High-yield checklist

  • Identify the exact scope: tenant, management group, subscription, resource group, resource, VNet, subnet, or storage account.
  • Apply least privilege and avoid broad role assignments unless inheritance is the point.
  • Use Azure Policy for enforcement and compliance reporting.
  • Use tags for cost, owner, environment, or workload reporting, not access control.
  • Choose private endpoints when the requirement is private IP access to a PaaS service.
  • Check whether a networking issue is caused by DNS, NSG rules, routes, firewall rules, or endpoint configuration.
  • For storage, separate durability, recovery, performance, access control, and cost.
  • For compute, check deployment method, scale behavior, image/version control, and health probes.
  • For monitoring, determine whether the question asks for metrics, logs, alerts, workbooks, or diagnostic settings.
  • Prefer repeatable deployment artifacts when the requirement mentions consistency, automation, or source control.

Common traps

  • Assigning Owner when Contributor or a narrower role would satisfy the task.
  • Using a resource lock as a substitute for governance policy.
  • Assuming backup captures every platform configuration detail.
  • Confusing a storage account firewall rule with identity authorization.
  • Opening public access when private connectivity is required.
  • Treating a subscription boundary like a region or resource group boundary.
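
The scope and least-privilege points above can be checked as an audit. The following Python is an added example, not part of the original cheat sheet: it classifies each role assignment's scope and flags privileged roles assigned at subscription level or above. The records mimic the JSON shape of `az role assignment list --all`; the sample data, the subscription ID, and the choice of which roles count as privileged are assumptions made for the example.

```python
import re

SUB = "00000000-0000-0000-0000-000000000000"  # constructed placeholder ID

# Constructed sample records (field names follow `az role assignment list` output).
SAMPLE = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB}"},
    {"principalName": "ops-group", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-app"},
    {"principalName": "bob@example.com", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB}"},
    {"principalName": "deploy-sp", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-corp"},
    {"principalName": "carol@example.com", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-app/providers/"
              "Microsoft.Storage/storageAccounts/stapp01"},
]

# Assumption for this example: these built-in roles are treated as privileged.
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}
# Scopes wide enough that every resource group beneath them inherits the role.
WIDE = {"root", "management_group", "subscription"}

def scope_level(scope):
    """Classify an Azure RBAC scope string by its position in the hierarchy."""
    patterns = [
        ("management_group", r"/providers/Microsoft\.Management/managementGroups/[^/]+"),
        ("subscription", r"/subscriptions/[^/]+"),
        ("resource_group", r"/subscriptions/[^/]+/resourceGroups/[^/]+"),
        ("resource", r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+"),
    ]
    if scope == "/":
        return "root"
    for level, pattern in patterns:
        if re.fullmatch(pattern, scope, re.IGNORECASE):
            return level
    return "unknown"

def flag_broad(assignments):
    """Return (principal, role, level) for privileged roles at a wide scope."""
    return [(a["principalName"], a["roleDefinitionName"], scope_level(a["scope"]))
            for a in assignments
            if a["roleDefinitionName"] in PRIVILEGED
            and scope_level(a["scope"]) in WIDE]

if __name__ == "__main__":
    for principal, role, level in flag_broad(SAMPLE):
        print(f"REVIEW: {principal} holds {role} at {level} scope")
```

A flagged entry is a prompt to review, not proof of a misconfiguration: inheritance from a wide scope is sometimes the intended design.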

Practice strategy

Take the free AZ-104 diagnostic and tag every miss by the Azure scope that mattered. If you cannot name the scope, you probably guessed from service familiarity rather than administrator reasoning. Drill the matching topic page, then return to mixed sets when you can explain both the right resource and the right scope.

Timed mocks matter for AZ-104 because administrator questions often include extra operational detail. Practice eliminating evidence that is real but not decisive.

Official source

Revised on Monday, May 25, 2026