AZ-104 — Microsoft Azure Administrator Exam Blueprint

Last revised: June 18, 2026

Practical AZ-104 exam blueprint for Microsoft Azure Administrator exam readiness.

How to Use This Exam Blueprint

Use this checklist as a practical readiness map for the Microsoft Azure Administrator (AZ-104) exam from Microsoft. It is designed for final review and gap-finding, not as a replacement for hands-on Azure practice.

For each area, ask:

Can I choose the right Azure service or configuration from a scenario?
Can I explain why one option is safer, cheaper, more resilient, or easier to operate?
Can I perform the task in the Azure portal, Azure CLI, or PowerShell when appropriate?
Can I troubleshoot a misconfiguration using logs, metrics, effective routes, effective permissions, or diagnostic tools?

Do not study only definitions. AZ-104 readiness means being able to administer Azure resources under realistic constraints: least privilege, network isolation, backup requirements, monitoring needs, policy enforcement, and operational troubleshooting.

AZ-104 readiness areas at a glance

Readiness area	What to review	You are ready when you can…	Common scenario cue
Identity and access	Microsoft Entra ID, users, groups, RBAC, scopes, managed identities	Assign the correct access at the correct scope without over-permissioning	“User can view but cannot modify,” “app needs access without secrets,” “delegate admin for one resource group”
Governance	Subscriptions, resource groups, management groups, tags, locks, Azure Policy	Organize resources and enforce standards without breaking operations	“Prevent public IPs,” “require tags,” “stop accidental deletion”
Storage	Storage accounts, Blob, Azure Files, redundancy, access control, SAS, lifecycle, private access	Select and secure storage for performance, access, durability, and cost requirements	“Share files with VMs,” “temporary partner upload,” “archive old blobs”
Compute	VMs, scale sets, availability options, disks, extensions, App Service, containers	Deploy, size, secure, scale, and troubleshoot compute resources	“VM is unreachable,” “app needs scaling,” “standardized VM deployment”
Virtual networking	VNets, subnets, NSGs, route tables, peering, DNS, private endpoints, load balancing	Design and troubleshoot connectivity and isolation	“Spoke cannot reach hub,” “deny internet access,” “private access to PaaS”
Monitoring	Azure Monitor, metrics, logs, alerts, action groups, diagnostic settings, Log Analytics	Find signals, create alerts, and query operational data	“Alert on CPU,” “send logs to workspace,” “investigate failed deployment”
Backup and recovery	Recovery Services vaults, backup policies, restore, replication concepts	Match backup and restore configuration to recovery needs	“Restore deleted VM data,” “protect workload from regional issue”
Automation and deployment	ARM templates, Bicep awareness, deployment parameters, Azure CLI, PowerShell, Cloud Shell	Read, adjust, and run repeatable deployments and admin commands	“Deploy same resources to multiple environments”

Identity and access checklist

Microsoft Entra ID and Azure RBAC

You should be comfortable distinguishing identity, authentication, authorization, and resource access.

Topic	Readiness check
Users and groups	Can you create, manage, disable, and organize users and groups?
Group-based access	Can you grant permissions to a group instead of individual users?
Microsoft Entra roles vs Azure RBAC	Can you tell whether a task is directory administration or Azure resource administration?
Azure RBAC scopes	Can you assign roles at management group, subscription, resource group, or resource scope as appropriate?
Built-in roles	Can you choose between owner-style, contributor-style, reader-style, and service-specific roles?
Least privilege	Can you avoid assigning broad permissions when a narrower role or lower scope works?
Role inheritance	Can you explain how a role assignment at a parent scope affects child resources?
Managed identities	Can you identify when a VM, app, or automation task should use a managed identity instead of a stored secret?

Can you do this?

Create or identify the correct Microsoft Entra user, group, or service principal for a scenario.
Assign Azure RBAC permissions at the minimum required scope.
Explain why a user with a directory role may still lack access to Azure resources.
Explain why a user with Azure RBAC access may not be able to manage Microsoft Entra ID.
Use a managed identity for an Azure resource that needs access to another Azure service.
Troubleshoot “access denied” by checking role, scope, inheritance, policy, lock, and data-plane permissions.
Recognize when privileged, temporary, or reviewed access is safer than permanent broad access.

Access decision checks

If the scenario says…	Think about…
“User can manage VMs in one resource group only”	Azure RBAC at resource group scope
“User can manage all users in the directory”	Microsoft Entra administrative role, not just Azure RBAC
“Application needs to read secrets without storing credentials”	Managed identity and appropriate target-resource permissions
“User can see the storage account but cannot read blob data”	Management-plane vs data-plane permissions
“Access should apply to future resources in the group”	Assign role at the resource group scope
“Access should be removed centrally for many users”	Group-based assignment

Governance and resource organization checklist

Subscriptions, resource groups, tags, locks, and policy

Topic	What to know	Ready means you can…
Resource groups	Logical lifecycle container for Azure resources	Decide when resources should share or not share a resource group
Subscriptions	Billing, access, and administrative boundary	Place workloads into the correct subscription strategy from a scenario
Management groups	Higher-level governance organization	Recognize when policy or access should apply across multiple subscriptions
Tags	Metadata for ownership, cost, environment, or classification	Apply and enforce tags for reporting and operations
Resource locks	Protection against accidental deletion or modification	Choose a lock when the requirement is operational protection
Azure Policy	Governance rule evaluation and enforcement	Select policy effects and understand remediation at a high level
Initiatives	Grouped policies	Recognize when multiple standards should be assigned together
Resource providers	Enable Azure service types in a subscription	Troubleshoot deployment errors related to unavailable providers

Governance “can you do this?” checklist

Choose the right resource group structure for lifecycle, access, and deployment needs.
Apply tags consistently and understand how policy can enforce them.
Distinguish between a policy denial and an RBAC denial.
Use locks to protect critical resources from accidental deletion or change.
Explain how locks can affect normal admin operations.
Assign policy at the appropriate scope.
Recognize when remediation is needed for existing noncompliant resources.
Interpret compliance results and understand that policy does not replace monitoring or access control.

Governance traps

Trap	Why it matters
Confusing Azure Policy with RBAC	Policy controls what can be deployed or configured; RBAC controls who can perform actions.
Applying broad Owner permissions	Over-permissioning is rarely the best exam answer when least privilege is available.
Using locks as security controls	Locks help prevent accidental changes but do not replace access design.
Ignoring scope	A correct role or policy at the wrong scope can fail the requirement.
Treating tags as access controls	Tags support organization and reporting; they do not secure resources by themselves.

Storage checklist

Storage account readiness

Topic	Readiness check
Storage account creation	Can you choose location, redundancy, performance-related options, and network access based on requirements?
Blob containers	Can you configure container access, blob upload, metadata, tiers, and lifecycle rules?
Azure Files	Can you recognize scenarios for shared file access by VMs or users?
Redundancy choices	Can you choose local, zone, or geo-oriented redundancy based on resiliency requirements?
Access tiers	Can you match hot, cool, or archive-style storage to access frequency and retrieval needs?
Lifecycle management	Can you move or delete blobs based on age or usage requirements?
Data protection	Can you identify soft delete, versioning, snapshots, and recovery options when relevant?
Network restrictions	Can you secure storage with firewall rules, private access, or selected networks?
Authorization	Can you choose among Microsoft Entra authorization, shared keys, SAS, and managed identity?

Storage access decision table

Requirement	Likely direction
Temporary partner upload to a specific container	SAS with limited permissions and expiration
Azure VM or app needs access without storing a key	Managed identity with appropriate role
Users need file-share style access	Azure Files
Blob data should move to lower-cost storage as it ages	Lifecycle management and access tiers
Storage must not be reachable from the public internet	Private endpoint or selected network access
Admin can manage account but cannot read blob contents	Add data-plane role or adjust data access permissions
Preserve prior versions of changed blobs	Blob versioning or snapshot-related protection
Limit accidental deletion impact	Soft delete or data protection settings where applicable

Storage command familiarity

You do not need to memorize every switch, but you should understand what each command is trying to accomplish and what object it targets.

az storage account create \
  --name <storage-account-name> \
  --resource-group <resource-group> \
  --location <region> \
  --sku <redundancy-option>

az storage container create \
  --name <container-name> \
  --account-name <storage-account-name>

az storage blob upload \
  --account-name <storage-account-name> \
  --container-name <container-name> \
  --name <blob-name> \
  --file <local-file>

PowerShell-style tasks to recognize:

New-AzStorageAccount
New-AzStorageContainer
Set-AzStorageBlobContent
Get-AzStorageBlob

Storage “can you do this?” checklist

Choose a storage redundancy option from a resiliency scenario.
Explain when Blob storage, Azure Files, or managed disks are appropriate.
Configure secure storage access without exposing public endpoints unnecessarily.
Generate or evaluate a SAS based on allowed operations, resource scope, and expiration.
Troubleshoot storage access failures caused by RBAC, SAS, firewall, private endpoint, or key issues.
Configure lifecycle management for aging data.
Identify which data protection feature helps recover from deletion or overwrite.
Select the correct tool for data transfer, such as portal upload, Azure Storage Explorer, AzCopy, Azure CLI, or PowerShell.

Compute checklist

Virtual machines and scale sets

Topic	Readiness check
VM creation	Can you choose image, size family concept, authentication method, disk type, VNet, subnet, and NSG placement?
VM access	Can you troubleshoot SSH/RDP access using NSGs, public IPs, Bastion-style access, and guest OS state?
Disks	Can you distinguish OS disks, data disks, snapshots, and managed disk choices?
Availability	Can you choose availability zones, availability sets, or scale sets based on resiliency and scaling requirements?
VM extensions	Can you identify when extensions or run commands help configure or troubleshoot a VM?
Images	Can you recognize when a custom image or shared image approach supports standardized deployments?
Scale sets	Can you identify when identical VM instances need autoscale or fleet management?
Managed identity	Can you assign a VM identity to access Azure resources securely?

App Service and container readiness

Topic	Readiness check
App Service plans	Can you distinguish the app from the plan that provides compute resources?
App settings	Can you configure runtime settings, connection strings, and environment-specific values?
Deployment slots	Can you recognize slot-based deployment and swap scenarios?
Scaling	Can you choose manual or autoscale approaches based on demand?
Custom domains and TLS	Can you identify the configuration steps involved at a high level?
Container instances	Can you recognize simple container deployment scenarios?
Kubernetes awareness	Can you understand basic administrative implications if AKS appears in a scenario?

Compute decision cues

Scenario cue	Look for
“Several identical VMs must scale based on demand”	Virtual Machine Scale Sets
“Single application needs managed platform hosting”	App Service
“Need OS-level control”	VM rather than fully managed app hosting
“Need to run a quick isolated container”	Azure Container Instances-style scenario
“Need standardized VM builds”	Images, templates, extensions, or automation
“Cannot connect to VM”	NSG rules, public/private IP path, route table, Bastion/jump access, VM status, guest firewall
“VM must access Key Vault or storage without embedded credentials”	Managed identity

Compute “can you do this?” checklist

Deploy a VM into the correct VNet and subnet.
Attach and initialize data disks conceptually.
Configure inbound access securely.
Use NSGs to allow only required management or application traffic.
Interpret boot diagnostics, serial console-style clues, and run-command options.
Resize, stop, restart, redeploy, or reconfigure a VM for troubleshooting.
Choose between availability sets, zones, and scale sets from a scenario.
Configure or recognize autoscale rules at a high level.
Deploy an App Service and configure app settings.
Understand how deployment slots reduce deployment risk.
Recognize when container-based deployment is the simpler fit.

Virtual networking checklist

Core networking topics

Topic	Readiness check
VNets and subnets	Can you plan address spaces, create subnets, and avoid overlaps?
CIDR awareness	Can you interpret subnet sizes and recognize when address space is insufficient?
Network security groups	Can you evaluate inbound and outbound rules, priorities, source/destination, and ports?
Application security groups	Can you recognize grouping of VM NICs for rule readability and maintainability?
Route tables	Can you identify when user-defined routes override default routing behavior?
VNet peering	Can you connect VNets and understand non-overlapping address requirements?
VPN gateways	Can you recognize site-to-site or point-to-site connectivity scenarios?
DNS	Can you choose Azure DNS or private DNS based on public vs private name resolution needs?
Private endpoints	Can you connect privately to Azure PaaS resources and account for DNS behavior?
Service endpoints	Can you recognize selected network access to supported services from a subnet?
Load balancing	Can you distinguish network load balancing from application-aware routing scenarios?
NAT/internet egress	Can you identify controlled outbound internet access requirements?
Network Watcher	Can you use diagnostic tools for IP flow, next hop, connection troubleshooting, and packet-level clues?

Network security and routing decision table

Requirement	Likely concept
Allow HTTPS to web tier only	NSG inbound rule scoped to destination and port
Deny direct internet access to database subnet	NSG, routing, and private access design
Force traffic through a security appliance	User-defined route
Connect two VNets privately	VNet peering
Resolve private endpoint names correctly	Private DNS zone integration or records
Determine why VM traffic is blocked	Effective security rules and IP flow verification
Determine where traffic is routed	Effective routes or next-hop diagnostics
Publish highly available TCP/UDP service	Load Balancer-style scenario
Route based on HTTP/S path or host	Application Gateway-style scenario
Secure admin access without exposing RDP/SSH publicly	Bastion or private management path

Networking “can you do this?” checklist

Build a VNet and subnet plan from a short scenario.
Detect overlapping address spaces before peering or VPN design.
Evaluate NSG rules in priority order.
Explain the difference between NSG rules on a subnet and on a NIC.
Troubleshoot blocked traffic using source, destination, port, protocol, priority, and direction.
Explain when a route table is needed.
Troubleshoot incorrect routing using effective routes or next-hop analysis.
Configure or evaluate VNet peering requirements.
Choose public DNS vs private DNS.
Explain how private endpoints affect connectivity and name resolution.
Distinguish private endpoint from service endpoint in scenario terms.
Select the right load-balancing option based on layer, protocol, and routing behavior.

Monitoring, logging, and alerting checklist

Azure Monitor readiness

Topic	Readiness check
Metrics	Can you identify numeric platform signals such as CPU, memory-related signals where available, latency, or availability indicators?
Logs	Can you identify diagnostic logs, activity logs, and resource-specific logs?
Activity log	Can you use it to investigate management-plane operations, deployments, and administrative changes?
Diagnostic settings	Can you route logs and metrics to a Log Analytics workspace, storage account, or event stream target when required?
Log Analytics	Can you run basic KQL queries and interpret results?
Alerts	Can you choose metric alert, log alert, activity log alert, or service health alert based on the scenario?
Action groups	Can you connect alert conditions to notifications or automated actions?
Workbooks/dashboards	Can you recognize visualization and reporting use cases?
Service Health and Resource Health	Can you distinguish broad Azure service events from individual resource health signals?

KQL readiness

You should be able to read and lightly modify simple KQL queries.

AzureActivity
| where TimeGenerated > ago(24h)
| summarize Count = count() by OperationNameValue, ActivityStatusValue
| order by Count desc

Common KQL skills:

Filter by time range.
Filter by resource group, resource provider, operation, or status.
Summarize counts or averages.
Sort results.
Identify failed operations.
Understand that different tables contain different signal types.

Alert decision checks

Scenario	Alert type to consider
CPU crosses a threshold	Metric alert
Specific error appears in logs	Log query alert
Resource is deleted or modified	Activity log alert
Azure service incident affects a region	Service Health alert
Alert must notify an operations team	Action group
Alert should trigger automation	Action group with automation target

Monitoring “can you do this?” checklist

Enable diagnostic settings for an Azure resource.
Send logs to a Log Analytics workspace.
Use metrics for near-real-time operational thresholds.
Use logs when you need query flexibility or event detail.
Create an alert rule and connect it to an action group.
Interpret Azure Activity logs for deployment and administrative changes.
Use Resource Health to evaluate a resource-specific issue.
Use Service Health to track broader Azure incidents.
Select the right troubleshooting signal before changing configuration.

Backup, restore, and business continuity checklist

Backup readiness

Topic	Readiness check
Recovery Services vault	Can you identify the vault as the management container for backup configuration?
Backup policy	Can you match backup frequency and retention conceptually to recovery requirements?
Protected items	Can you identify which resources are protected by which policy?
Restore operations	Can you choose restore of files, disks, VMs, or workload data when relevant?
Soft delete / deletion protection concepts	Can you recognize protections against accidental or malicious deletion where available?
Backup monitoring	Can you check backup jobs, alerts, and vault status?
Site recovery concepts	Can you recognize replication/failover scenarios distinct from ordinary backup?

Backup decision table

Requirement	Think about
Recover a file from a VM	File-level restore or workload-aware restore path
Recover an entire VM	VM restore or disk restore approach
Protect against accidental deletion	Backup protection and deletion safeguards
Keep restore points for compliance	Backup policy retention settings
Resume service in another location after major outage	Replication/failover concept rather than simple backup
Prove backups are running	Backup jobs, alerts, reports, vault monitoring

Backup “can you do this?” checklist

Configure backup protection for an Azure VM conceptually.
Choose a backup policy based on recovery needs.
Locate backup jobs and troubleshoot failures.
Identify restore options from a scenario.
Distinguish backup from replication or disaster recovery.
Understand that backup design must match workload, region, access, and retention requirements.
Explain why monitoring backups is part of administration, not an optional add-on.

Deployment, automation, and admin tooling checklist

Tools you should recognize

Tool	Exam-relevant use
Azure portal	Interactive administration and visual troubleshooting
Azure Cloud Shell	Browser-based CLI/PowerShell environment
Azure CLI	Scriptable cross-platform Azure administration
Azure PowerShell	Scriptable administration using PowerShell cmdlets
ARM templates	Declarative Azure resource deployment
Bicep	Higher-level declarative deployment authoring for Azure resources
Azure Resource Manager deployments	Track, validate, and troubleshoot deployments
Azure Automation concepts	Scheduled or repeatable operational tasks
Azure Policy remediation	Bring existing resources toward policy compliance

Command and artifact readiness

Know the purpose of common command families even if you do not memorize every parameter.

az group create
az vm create
az network vnet create
az network nsg rule create
az role assignment create
az deployment group create
az monitor metrics list

New-AzResourceGroup
New-AzVM
New-AzVirtualNetwork
New-AzRoleAssignment
New-AzResourceGroupDeployment
Get-AzMetric

ARM/Bicep readiness checks:

Identify parameters, variables, resources, outputs, and dependencies.
Understand resource group vs subscription-level deployment context conceptually.
Recognize deployment failures caused by missing permissions, policy denial, naming conflicts, provider issues, or invalid regions.
Know why templates support repeatability and consistency.
Understand that declarative deployment describes the desired resource state.

Troubleshooting scenario checklist

Symptom	First checks	Likely tools or artifacts
User cannot manage a resource	Role assignment, scope, group membership, lock, policy	Access control blade, role assignments, activity log
User can manage storage account but not blob data	Data-plane role, SAS, firewall, private endpoint	Storage IAM, container access, network settings
VM cannot be reached by SSH/RDP	NSG rule, public/private IP, route table, guest firewall, VM status	Effective security rules, connection troubleshoot, boot diagnostics
VM cannot reach internet	Route table, NAT/egress design, NSG outbound, DNS	Effective routes, next hop, NSG diagnostics
Peered VNets cannot communicate	Address overlap, peering settings, NSGs, routes, DNS	Peering configuration, effective routes
Private endpoint name resolves to public IP	DNS zone linkage or records	Private DNS zone, DNS lookup results
App deployment fails	App settings, plan capacity, identity, deployment logs	App Service logs, activity log, deployment center
Policy denies deployment	Policy assignment, effect, scope, exemption/remediation need	Compliance view, deployment error details
Alert did not notify anyone	Alert condition, evaluation scope, action group, permissions	Alert rule, action group, fired alerts
Backup missing restore point	Backup policy, job failure, protected item state	Vault jobs, backup alerts, protected items

High-value “Can you do this?” final readiness list

Identity and governance

Choose between Microsoft Entra role and Azure RBAC role.
Assign permissions at the narrowest practical scope.
Use group-based access for maintainability.
Explain management-plane vs data-plane permissions.
Use tags, locks, and policy for governance.
Diagnose policy vs permission vs lock problems.

Storage

Select Blob, Azure Files, disks, or another storage option from requirements.
Secure storage with identity, SAS, firewall rules, or private access.
Choose a redundancy direction based on resiliency needs.
Configure lifecycle management for aging objects.
Troubleshoot access failure using identity, network, and authorization checks.

Compute

Deploy and configure VMs.
Troubleshoot VM connectivity and startup issues.
Choose scale sets for fleets of similar VMs.
Choose App Service for managed application hosting scenarios.
Configure scaling, app settings, and deployment concepts.
Use managed identities for secure service-to-service access.

Networking

Design non-overlapping VNet and subnet address spaces.
Evaluate NSG rules by direction, priority, source, destination, protocol, and port.
Use route tables for custom traffic paths.
Explain private endpoint DNS implications.
Choose the right load-balancing pattern.
Use Network Watcher-style diagnostics to isolate connectivity issues.

Monitoring and recovery

Choose metrics vs logs for a monitoring requirement.
Create alert rules and action groups.
Query logs with basic KQL.
Use Activity Log for administrative events.
Configure backup policies and identify restore paths.
Distinguish backup, restore, replication, and failover concepts.

Common AZ-104 weak areas and traps

Weak area	What to watch for
Scope mistakes	Many answers are wrong because the role, policy, or lock is applied too high, too low, or to the wrong object.
Directory vs Azure resource permissions	Microsoft Entra administration and Azure resource administration are related but not identical.
Management plane vs data plane	Managing a storage account is not always the same as reading the data inside it.
NSG rule evaluation	Direction, priority, protocol, source, destination, and port all matter.
Route confusion	Peering alone does not fix every routing, DNS, or security issue.
Private endpoint DNS	Private connectivity often fails because names still resolve incorrectly.
SAS overuse	SAS can solve temporary access needs, but expiration, permissions, and scope must be limited.
App Service plan confusion	Scaling and compute capacity are tied to the plan, not just the app object.
Backup vs disaster recovery	Backup restores data; replication/failover addresses broader continuity scenarios.
Alerts without action groups	Detecting a condition is not the same as notifying or triggering a response.
Locks mistaken for security	Locks prevent accidental operations but do not replace least-privilege access.
Policy mistaken for remediation	Policy can evaluate and deny; existing resources may still require remediation steps.

Scenario decision prompts

Use these prompts when reviewing practice questions.

Access prompt

Who or what needs access?
Is the target Microsoft Entra ID, an Azure resource, or data inside a resource?
What is the smallest valid scope?
Is a built-in role sufficient?
Is temporary, group-based, or managed identity access safer?
Could a lock, policy, firewall, or private endpoint still block the action?

Networking prompt

Are the address spaces valid and non-overlapping?
Is the traffic allowed by NSGs in the correct direction?
Is there a custom route changing the path?
Does DNS resolve to the intended private or public address?
Is the service listening and healthy?
Which diagnostic tool confirms the next hop or blocking rule?

Storage prompt

What type of data is being stored?
How often is it accessed?
Who or what needs access?
Is access temporary or ongoing?
Should traffic remain private?
What recovery or retention capability is required?

Monitoring prompt

Is the signal a metric, log event, activity event, or health event?
Where should the data be collected?
What condition should trigger an alert?
Who or what should be notified?
Is historical query or dashboarding required?
How will you verify the alert works?

Final-week checklist

Hands-on review

Create a resource group, VNet, subnet, NSG, VM, and storage account in a test environment.
Assign RBAC to a user or group at resource group scope.
Create and test a storage container access scenario.
Configure a VM with restricted inbound access.
Create a basic alert with an action group.
Enable diagnostic settings for at least one resource.
Run a simple KQL query in Log Analytics.
Review backup configuration and restore options conceptually.
Deploy or inspect a simple ARM template or Bicep file.
Troubleshoot one intentional network or permission misconfiguration.

Concept review

Revisit all wrong answers from recent practice sets.
Write down the difference between RBAC, policy, and locks.
Write down the difference between private endpoints and service endpoints.
Write down the difference between metrics, logs, and activity logs.
Write down the difference between backup and replication.
Review when to choose VM, scale set, App Service, or container deployment.
Review storage access methods: RBAC, SAS, keys, managed identities, and network controls.
Review the troubleshooting order for VM connectivity and storage access.

Exam-readiness self-check

You are close to ready for AZ-104 when you can consistently:

Explain why the correct answer is better than two plausible alternatives.
Identify the Azure scope involved before choosing an access or governance answer.
Read a scenario and separate identity, network, storage, compute, and monitoring requirements.
Troubleshoot from symptoms instead of guessing configuration changes.
Recognize least-privilege and private-access patterns.
Work through short command, template, or KQL examples without being distracted by syntax.
Finish mixed-topic practice questions with time left for review.

Practical next step

Use this Exam Blueprint to mark weak areas, then practice with mixed AZ-104 scenarios that force service selection, configuration judgment, and troubleshooting. Prioritize hands-on repetition for any item you cannot explain or perform without notes.

Study Plan

Scenario Guide