AZ-104 — Microsoft Azure Administrator Quick Reference

Last revised: June 18, 2026

Compact AZ-104 Quick Reference for Microsoft Azure Administrator candidates: governance, storage, compute, networking, monitoring, commands, and exam traps.

Exam identity and use

This independent Quick Reference supports candidates preparing for Microsoft Azure Administrator (AZ-104) from Microsoft. Use it as a compact decision aid while practicing scenario questions, labs, and troubleshooting tasks.

AZ-104 focuses on administering Azure environments across these practical areas:

Area	What to recognize quickly
Identity and governance	Microsoft Entra ID, Azure RBAC, subscriptions, management groups, policy, locks, tags
Storage	Storage accounts, blob/file access, redundancy, lifecycle, security, AzCopy, Azure Files
Compute	VMs, availability, VM Scale Sets, App Service, containers, disks, extensions, ARM/Bicep deployments
Networking	VNets, subnets, NSGs, routing, peering, VPN, Private Link, load balancing, DNS
Monitoring and maintenance	Azure Monitor, Log Analytics, alerts, Backup, Site Recovery, updates, troubleshooting

Azure resource model and governance

Scope hierarchy

Scope	Use for	Exam cues
Management group	Organize multiple subscriptions; apply governance broadly	“Apply policy/RBAC across several subscriptions”
Subscription	Billing/security boundary; contains resource groups	“Separate environments, cost tracking, access boundary”
Resource group	Lifecycle container for resources	Resources in one RG can be in different regions
Resource	Individual Azure service instance	Role assignments and locks can be placed directly here

High-yield points:

Azure RBAC assignments are inherited downward from management group to subscription to resource group to resource.
Resource groups are not a network boundary, region boundary, or identity boundary.
A resource can belong to only one resource group.
Moving resources may require moving dependencies and may temporarily affect operations.
Tags support organization, automation, and cost reporting, but tags are not inherited automatically by default.

Governance controls: choose the right tool

Need	Choose	Why
Grant access to manage Azure resources	Azure RBAC	Authorization for management plane and supported data plane actions
Enforce allowed locations, SKUs, tags, naming, or required settings	Azure Policy	Compliance and guardrails; does not grant access
Prevent accidental deletion or modification	Resource lock	Delete or ReadOnly lock at subscription, RG, or resource scope
Group policies together	Policy initiative	Assign one set of policy definitions as a compliance baseline
Organize many subscriptions	Management groups	Hierarchical governance above subscriptions
Track cost or ownership	Tags	Metadata for reporting and automation

Azure RBAC roles and traps

Role	Can do	Cannot do / trap
Owner	Manage resources and assign access	Very broad; avoid when User Access Administrator is enough
Contributor	Manage resources	Cannot assign RBAC access
Reader	View resources	Cannot modify resources
User Access Administrator	Manage role assignments	Does not itself manage all resources
Storage Blob Data Reader	Read blob data	Data-plane access, not general storage account management
Storage Blob Data Contributor	Read/write/delete blob data	Still needs network path if firewall/private access blocks traffic

Common traps:

Management-plane vs data-plane: Contributor on a storage account can manage the account, but blob data access often requires a Storage Blob Data role or keys/SAS.
Deny assignments can override allow assignments.
Locks do not grant permissions. A user still needs RBAC access.
A Delete lock prevents resource deletion; a ReadOnly lock can block management operations that normally write or retrieve keys.
Azure Policy can deny or audit deployments, but it does not authenticate users.

Microsoft Entra ID objects

Object	Use	Exam distinction
User	Human identity	Can be cloud-only or synchronized from on-premises identity
Guest user	External collaboration identity	Invited into tenant; access controlled by Entra ID and RBAC
Group	Assign access to many identities	Prefer group-based role assignment for manageability
Dynamic group	Membership by rule	Useful for large or changing populations
Service principal	Application identity	Used by apps, scripts, automation
Managed identity	Azure-managed service principal	No credential storage by user; best for Azure resources accessing Azure services
App registration	Application definition in Entra ID	Creates identity metadata; enterprise app/service principal represents instance in tenant

Managed identity decision table

Scenario	Choose	Reason
One Azure VM, web app, function, or automation resource needs Azure access	System-assigned managed identity	Lifecycle tied to the resource
Multiple resources need the same identity and permissions	User-assigned managed identity	Reusable identity with independent lifecycle
Non-Azure app or external CI system needs access	Service principal or workload identity pattern	Managed identity is for supported Azure-hosted resources
Script currently stores storage keys or passwords	Managed identity plus RBAC	Reduces secret handling

Azure Policy effects

Effect	What it does	Typical cue
Deny	Blocks non-compliant create/update	“Prevent public IPs”
Audit	Marks non-compliant resources	“Report but do not block”
Append / Modify	Adds or changes properties	“Add required tag or setting”
DeployIfNotExists	Deploys related configuration	“Ensure diagnostic settings exist”
Disabled	Turns policy off	Testing or staged rollout

Policy remediation reminders:

Existing non-compliant resources are not always fixed automatically.
Remediation for deploy/modify effects may need a managed identity.
Compliance evaluation is not the same as access authorization.

Storage quick reference

Storage service selection

Need	Azure storage option	Notes
Object storage for unstructured data	Blob Storage	Containers, blobs, tiers, lifecycle rules
SMB/NFS file share	Azure Files	Lift-and-shift file share scenarios
Big data analytics namespace	Data Lake Storage Gen2	Storage account with hierarchical namespace
Simple NoSQL key/attribute store	Table Storage	Lightweight structured storage
Message queue for decoupling	Queue Storage	Basic queueing; not the same as Service Bus
Disk for Azure VM	Managed disk	OS/data disks; snapshots and images
Large data transfer to Azure	AzCopy, Storage Explorer, Azure Data Box	Choose by size, network, and operational constraints

Storage account and redundancy choices

Choice	Use when	Key distinction
Locally redundant storage, LRS	Lowest-cost local durability is acceptable	Replicates within one datacenter/region facility design
Zone-redundant storage, ZRS	Need resilience across availability zones	Synchronous zone resilience within supported regions
Geo-redundant storage, GRS	Need regional disaster resilience	Secondary region replica; failover changes account state
Read-access GRS, RA-GRS	Need read access to secondary copy before failover	Read endpoint available for secondary
Geo-zone-redundant storage, GZRS	Need zone plus geo resilience	Combines zone resilience with regional replica
Read-access GZRS, RA-GZRS	Need read access to secondary plus zone resilience	Strongest common read-resilient pattern

Exam traps:

Redundancy choice is made for the storage account, not for individual blobs.
Changing redundancy can have restrictions depending on source/target combination.
Geo-redundancy helps with regional failure, not accidental deletion. Use soft delete/versioning/backup patterns for that.

Blob access tiers and protection

Feature	Use for	Trap
Hot tier	Frequently accessed data	Higher storage cost, lower access cost profile
Cool/Cold tiers	Infrequently accessed data	Retrieval and minimum-retention considerations may apply
Archive tier	Rarely accessed offline data	Must rehydrate before normal read access
Lifecycle management	Automatically tier/delete blobs	Rule-based; align with retention needs
Blob soft delete	Recover deleted blobs	Not a substitute for access control
Versioning	Recover previous blob versions	Can increase storage consumption
Immutability policy	WORM-style retention	Useful for compliance scenarios
Legal hold	Preserve data until cleared	Not based on a time period

Storage security decision table

Need	Choose	Notes
User/app access to blob data without keys	Microsoft Entra ID plus Azure RBAC	Preferred for identity-based access
Fine-grained ADLS Gen2 directory/file permissions	POSIX-style ACLs	Requires hierarchical namespace
Temporary delegated access	SAS	Limit permissions, scope, and expiry
SAS based on Microsoft Entra credentials for blobs	User delegation SAS	Preferred over account SAS when applicable
Block public internet path	Storage firewall and private endpoint	Private endpoint gives private IP in VNet
Allow selected VNets to reach storage public endpoint	Service endpoint	Traffic stays on Azure backbone but uses public service endpoint
Rotate shared credentials	Regenerate storage account keys	Apps using old key must be updated
Encrypt with customer-managed key	Key Vault plus CMK configuration	Requires correct identity and Key Vault permissions

Azure Files cues

Scenario	Consider	Why
Replace on-premises SMB share	Azure Files	Managed file share
Cache Azure file share on Windows Server	Azure File Sync	Local cache with cloud tiering
Need private access to file share	Private endpoint	Avoid public exposure
Need identity-based SMB access	Entra Kerberos / AD DS integration options	Match environment and client requirements
Need backup for file share	Azure Backup	Protects against deletion/corruption scenarios

Storage commands to recognize

## Create a resource group and storage account
az group create --name rg-demo --location eastus
az storage account create \
  --name mystorageacctdemo \
  --resource-group rg-demo \
  --location eastus \
  --sku Standard_LRS

## Upload with AzCopy using a SAS URL
azcopy copy "./data/*" "https://ACCOUNT.blob.core.windows.net/CONTAINER?SAS" --recursive=true

## Show storage account network rules
az storage account network-rule list \
  --resource-group rg-demo \
  --account-name mystorageacctdemo

Compute quick reference

VM availability and scaling

Requirement	Choose	Why
Protect against host/rack maintenance faults inside a datacenter	Availability set	Fault domains and update domains
Protect against datacenter failure within a region	Availability zones	Separate physical zones in supported regions
Run many identical VMs with autoscale	Virtual Machine Scale Sets	Scale out/in and consistent model
Keep VMs physically close for low latency	Proximity placement group	Placement optimization, not HA by itself
Create repeatable VM deployments	ARM template or Bicep	Declarative infrastructure
Standardize VM images	Azure Compute Gallery	Versioned image distribution
Run startup configuration	Custom Script Extension / cloud-init	Post-deployment automation

VM administration tasks

Task	Tool / concept	Exam cue
Reset local admin password	VM access extension / portal reset password	“Cannot sign in to VM”
Diagnose boot issues	Boot diagnostics, serial console	“VM fails to boot”
Apply patches	Azure Update Manager	“Assess and install updates”
Run command without direct login	Run Command	Useful when RDP/SSH is unavailable
Change VM size	Resize VM	May require deallocation if size unavailable on current host
Move VM to another host	Redeploy	Troubleshoot host-level issues
Protect VM data	Azure Backup	Recovery points in vault
Replicate VM for DR	Azure Site Recovery	Failover/failback orchestration

Managed disks

Disk concept	Use	Trap
OS disk	Boot volume	One OS disk per VM
Data disk	Application/data storage	Attach multiple based on VM capability
Temporary disk	Local ephemeral storage	Not durable; do not store critical data
Snapshot	Point-in-time disk copy	Useful before risky changes
Image	Template for new VMs	Generalize when required by image process
Server-side encryption	Default platform encryption	CMK requires Key Vault integration
Azure Disk Encryption	Guest OS encryption	Different from storage service-side encryption

App hosting and container choices

Requirement	Choose	Why
Host web app/API with minimal server admin	App Service	Managed platform, scaling, deployment slots
Blue/green or staged web deployment	App Service deployment slots	Swap after validation
Run a single container quickly	Azure Container Instances	Simple container execution, no orchestrator
Manage container images	Azure Container Registry	Private registry integrated with Azure
Orchestrate containers at scale	Azure Kubernetes Service	Cluster scheduling, node pools, Kubernetes control
Run background/serverless event code	Azure Functions	Event-driven compute, not VM administration

App Service cues

Concept	Remember
App Service plan	Defines compute region, pricing tier, scale capacity for apps
Web app	Application running on an App Service plan
Deployment slot	Separate live app endpoint; can swap with production
Scale up	Change plan size/tier
Scale out	Add instances
Custom domain/TLS	Requires domain validation and certificate binding
Managed identity	Lets app access Key Vault, Storage, SQL, etc. without secrets

Compute commands to recognize

## Create a VM with SSH key authentication
az vm create \
  --resource-group rg-demo \
  --name vm-demo \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --generate-ssh-keys

## Open inbound port through NSG rule
az vm open-port \
  --resource-group rg-demo \
  --name vm-demo \
  --port 22

## Assign a system-managed identity to a VM
az vm identity assign \
  --resource-group rg-demo \
  --name vm-demo

Networking quick reference

Subnet sizing

Azure reserves addresses in each subnet. For IPv4 subnet planning, a common exam calculation is:

\[ \text{usable IPv4 addresses} = 2^{(32-\text{prefix length})} - 5 \]

Examples:

Prefix	Total addresses	Usable in Azure
/24	256	251
/27	32	27
/29	8	3

Core network components

Component	Purpose	Trap
VNet	Private network boundary in Azure	VNets are regional
Subnet	IP range inside VNet	Some services require dedicated subnets
NIC	VM network interface	NSG can apply at NIC and subnet
NSG	Stateful L3/L4 filtering	Lower priority number wins
ASG	Logical grouping for NICs in NSG rules	Simplifies rules; does not contain subnets
Route table / UDR	Custom routing	Can force traffic to NVA/firewall
Public IP	Internet-reachable frontend	SKU and zone choices matter in design
NAT Gateway	Outbound internet SNAT for subnet	Does not provide inbound publishing
VNet peering	Private connectivity between VNets	Non-transitive by default
Private DNS zone	Name resolution for private endpoints and VNets	Link zone to VNets that need resolution

NSG rule evaluation

Rule attribute	Exam point
Priority	Lower number processed first
Direction	Inbound and outbound rules are separate
Source/destination	Can use IP, service tag, or ASG
Port/protocol	L4 filtering; not URL/path inspection
Default rules	Allow VNet-internal and outbound internet; deny unsolicited inbound internet
Stateful behavior	Return traffic for allowed flow is automatically allowed

If traffic fails, check both subnet-level and NIC-level NSGs. Effective security rules show the combined result.

Routing decision points

Requirement	Choose	Notes
Force subnet traffic through firewall/NVA	UDR with virtual appliance next hop	Ensure appliance can forward traffic
Connect VNets in same or different regions	VNet peering	Low-latency private IP connectivity
Let peered VNet use central VPN gateway	Gateway transit / use remote gateway	Configure on peering; avoid overlapping address spaces
Site-to-site encrypted tunnel	VPN Gateway	Uses public internet with IPsec/IKE
Private dedicated connectivity	ExpressRoute	Does not traverse public internet
Resolve private endpoint names	Private DNS zone	Required for clean private-name resolution

Route selection reminders:

Longest prefix match is evaluated first.
User-defined routes override default system routes for matching prefixes.
BGP routes from gateways can affect effective routes.
VNet peering is not automatically transitive; hub-spoke designs need explicit routing.

Connectivity and edge service selection

Requirement	Choose	Layer / key distinction
Distribute TCP/UDP inside a region	Azure Load Balancer	Layer 4
HTTP/HTTPS routing, WAF, path-based routing	Application Gateway	Regional Layer 7
Global HTTP/HTTPS acceleration and WAF	Azure Front Door	Global Layer 7 edge
DNS-based global traffic distribution	Traffic Manager	DNS response routing, not a proxy
Central network firewall	Azure Firewall	Managed firewall with rules and threat intelligence features
Secure VM browser-based access	Azure Bastion	RDP/SSH through portal/private path
Outbound internet for private subnets	NAT Gateway	Scalable outbound SNAT
Private access to PaaS over private IP	Private Endpoint / Private Link	NIC with private IP in your VNet
Restrict PaaS to selected VNet while using public endpoint	Service Endpoint	Simpler, but not private IP to service

Private Endpoint vs Service Endpoint

Feature	Private Endpoint	Service Endpoint
Service reached by private IP	Yes	No
Uses private DNS integration	Commonly required	Usually not
Removes need for public service exposure	Yes	Not fully; service public endpoint still exists
Simpler to configure	More components	Simpler
Best cue	“Access PaaS privately from VNet/on-premises”	“Allow only this VNet/subnet to access service endpoint”

DNS quick reference

Need	Use
Host public DNS zone	Azure DNS public zone
Resolve private names inside VNets	Azure Private DNS zone
Auto-register VM records	Private DNS zone with registration-enabled VNet link
Resolve on-premises and Azure names	Custom DNS servers / DNS forwarding design
Private endpoint name resolution	Private DNS zone for service-specific zone

Network troubleshooting workflow

Symptom	Check first	Then check
Cannot RDP/SSH to VM	NSG inbound rule, public IP/Bastion, VM OS firewall	Route table, effective security rules, VM boot diagnostics
VM has no outbound internet	UDR, NAT Gateway/public IP, NSG outbound	DNS, appliance forwarding, Azure Firewall rules
Peered VNets cannot communicate	Address overlap, peering status, NSGs	UDRs, gateway transit, remote gateway settings
Private endpoint resolves public IP	Private DNS zone and VNet link	DNS forwarding and record set
App behind load balancer unavailable	Health probe	Backend pool, NSG allowing probe and app port

Monitoring, logging, and maintenance

Azure Monitor data sources

Data	Where it comes from	Use
Metrics	Numeric platform measurements	Fast alerting, charts
Activity Log	Subscription-level control-plane events	Who did what to Azure resources
Resource logs	Service-specific diagnostic logs	Data-plane and service behavior
Guest logs/performance	Agent-collected VM data	OS and workload troubleshooting
Log Analytics workspace	Central query store	KQL queries across logs
Application Insights	App telemetry	Requests, dependencies, exceptions

Diagnostic settings

Destination	Use when
Log Analytics workspace	Query, alert, correlate
Storage account	Archive logs
Event Hub	Stream to SIEM or external system
Partner solution	Integrated third-party monitoring/security

High-yield trap: A resource may emit metrics automatically, but detailed resource logs often require diagnostic settings.

Alert selection

Need	Alert type
CPU, availability, count, latency threshold	Metric alert
Query-based condition across logs	Log search alert
Administrative event such as delete or service health event	Activity Log alert
Notify people or trigger automation	Action group
Suppress alerts during maintenance	Alert processing rule

KQL patterns to recognize

// Recent administrative delete operations
AzureActivity
| where OperationNameValue has "delete"
| project TimeGenerated, Caller, ResourceGroup, ResourceProviderValue, ActivityStatusValue

// VMs that stopped sending heartbeat
Heartbeat
| summarize LastSeen=max(TimeGenerated) by Computer
| where LastSeen < ago(15m)

Backup and recovery choices

Requirement	Choose	Notes
Protect Azure VMs with restore points	Azure Backup	Commonly managed through Recovery Services vault
Protect Azure file shares	Azure Backup for Azure Files	Recovery for share data
Replicate workloads for regional DR	Azure Site Recovery	Failover and recovery plans
Short-term disk copy before change	Disk snapshot	Not a full backup strategy by itself
Recover deleted storage data	Soft delete/versioning	Must be enabled/configured as appropriate
Monitor backup health	Backup Center / vault monitoring	Central operational view

Backup traps:

Backup protects against deletion/corruption; availability zones protect against infrastructure failure. They solve different problems.
Vault redundancy and resource redundancy are separate design choices.
Site Recovery is for replication/failover, not routine file-level backup.

Maintenance and optimization

Need	Azure feature
Patch assessment and deployment	Azure Update Manager
Configuration drift/governance	Azure Policy compliance
Cost visibility and budgets	Microsoft Cost Management
Recommendations	Azure Advisor
Service incident awareness	Azure Service Health
Resource health status	Azure Resource Health

High-yield scenario decisions

Access denied checklist

Confirm the identity: user, group, service principal, or managed identity.
Confirm the scope: management group, subscription, resource group, or resource.
Check role assignment inheritance.
Check whether the task is management plane or data plane.
Check deny assignments, policy deny effects, and locks.
For PaaS data access, check firewall, private endpoint, and DNS.
If using PIM or just-in-time access, confirm activation.

“Cannot deploy resource” checklist

Check	Why
Subscription/resource provider registered	Some resource types require provider registration
Region supports resource/SKU	Not all services/SKUs are everywhere
Azure Policy assignment	Deny policies can block deployment
Quota/capacity	Subscription or regional capacity can block scale
RBAC permissions	Contributor may be needed; Owner/User Access Admin for role assignments
Naming requirements	Many Azure resources require globally unique or pattern-compliant names
Dependencies	Subnets, identities, Key Vault permissions, private DNS, and managed disks often matter

“Need high availability” quick choices

Workload	First design choices
Single VM workload	Availability zone or availability set plus backup
Multi-VM web tier	VM Scale Sets or multiple VMs behind Load Balancer/Application Gateway
Regional web app	App Service scale-out plus zone redundancy if supported by selected plan/region
Global HTTP app	Front Door or Traffic Manager with regional backends
Storage data	Appropriate redundancy plus soft delete/versioning/lifecycle
Disaster recovery	Backup for restore; Site Recovery for failover

Common exam traps

Trap	Correct thinking
“Policy will let the user deploy”	Policy enforces; RBAC grants
“Contributor can assign access”	Need Owner or User Access Administrator
“Service endpoint means private IP”	Private Endpoint provides private IP
“Load Balancer can route by URL path”	Use Application Gateway or Front Door for Layer 7
“Traffic Manager sends traffic through itself”	It returns DNS answers; it is not an inline proxy
“VNet peering is transitive”	It is not transitive by default
“Backup equals high availability”	Backup is recovery; HA keeps service running
“ReadOnly lock only affects portal edits”	It affects management-plane write operations broadly
“Tags inherit automatically”	They do not by default; use policy/automation if needed
“Blob archive can be read immediately”	Archive must be rehydrated first

Compact command reference

## Select subscription
az account set --subscription "<subscription-id-or-name>"

## Create a resource group
az group create --name rg-app-prod --location eastus

## Assign a built-in role at resource group scope
az role assignment create \
  --assignee "<user-or-principal-id>" \
  --role "Contributor" \
  --resource-group rg-app-prod

## Deploy an ARM/Bicep template to a resource group
az deployment group create \
  --resource-group rg-app-prod \
  --template-file main.bicep \
  --parameters @parameters.json

## View effective routes for a NIC
az network nic show-effective-route-table \
  --resource-group rg-app-prod \
  --name nic-vm01

## View effective NSG rules for a NIC
az network nic list-effective-nsg \
  --resource-group rg-app-prod \
  --name nic-vm01

PowerShell equivalents often appear in admin tasks:

Connect-AzAccount
Set-AzContext -Subscription "<subscription-id-or-name>"

New-AzResourceGroup -Name "rg-app-prod" -Location "eastus"

New-AzRoleAssignment `
  -SignInName "user@contoso.com" `
  -RoleDefinitionName "Reader" `
  -ResourceGroupName "rg-app-prod"

Get-AzEffectiveRouteTable `
  -NetworkInterfaceName "nic-vm01" `
  -ResourceGroupName "rg-app-prod"

Final review checklist

Before your next AZ-104 practice block, make sure you can:

Choose between RBAC, Policy, locks, tags, and management groups.
Distinguish management-plane access from data-plane access.
Select storage redundancy, access tier, SAS/RBAC model, and private connectivity pattern.
Choose VM availability sets, availability zones, scale sets, App Service, ACI, or AKS based on scenario wording.
Troubleshoot NSGs, UDRs, peering, DNS, private endpoints, and load balancer probes.
Configure diagnostic settings, alerts, Log Analytics queries, Backup, and Site Recovery at a conceptual admin level.

Next step: use this Quick Reference beside timed, scenario-based AZ-104 practice questions, then turn every missed question into a one-line rule or troubleshooting checklist.

Scenario Guide

Manage Azure Identities and Governance