AZ-104 — Microsoft Azure Administrator Quick Review
Independent Quick Review for Microsoft Azure Administrator (AZ-104): high-yield Azure administration concepts, traps, and practice focus.
Quick Review purpose
This independent Quick Review is for candidates preparing for the real Microsoft Azure Administrator (AZ-104) exam from Microsoft. Use it to refresh the main administration decisions before moving into topic drills, mock exams, and detailed explanations.
The exam rewards practical Azure administration judgment: choosing the correct service feature, applying least privilege, understanding where a setting is scoped, and recognizing what happens when networking, identity, storage, compute, and monitoring controls interact.
High-yield AZ-104 mental model
Think like an Azure administrator responsible for day-to-day operations:
| Area | What you must decide quickly |
|---|---|
| Identity and access | Who needs access, at what scope, and whether the permission is management-plane or data-plane |
| Governance | Whether to use RBAC, Azure Policy, resource locks, tags, management groups, or budgets |
| Storage | Redundancy, access control, lifecycle, secure transfer, private connectivity, and file/blob use case |
| Compute | VM sizing, availability, disks, images, extensions, scale sets, App Service, and containers |
| Networking | Addressing, NSGs, routing, peering, DNS, gateways, private endpoints, and load balancing |
| Monitoring and backup | Metrics vs logs, alerts, diagnostic settings, Log Analytics, backup policies, and restore choices |
A strong AZ-104 answer usually follows this order:
- Identify the resource type and scope.
- Separate identity, network, and configuration problems.
- Prefer least privilege and least operational effort.
- Check whether the question asks for high availability, security, cost, or recoverability.
- Watch for wording such as existing resources, without downtime, minimum administrative effort, least privilege, or no public internet access.
Identity and access review
Microsoft Entra ID and Azure RBAC
Microsoft Entra ID is the identity provider. Azure role-based access control controls permissions to Azure resources.
| Concept | Use it for | Common AZ-104 trap |
|---|---|---|
| Microsoft Entra user | Individual identity | Creating a user does not automatically grant Azure resource access |
| Microsoft Entra group | Assign access to many users | Prefer group assignment over repeated user assignments |
| Dynamic group | Membership based on rules | Do not choose it when manual membership is required |
| Azure RBAC role | Permission to Azure resources | Scope matters: management group, subscription, resource group, or resource |
| Microsoft Entra role | Directory administration | Not the same as Azure RBAC for resources |
| Managed identity | Azure resource authenticates without stored secrets | Must still be granted access to the target resource |
| Service principal | Application identity | Used for automation, apps, and pipelines |
RBAC scope decision rule
Assign the role at the narrowest scope that still meets the requirement.
| Requirement | Better scope |
|---|---|
| Access to one storage account | Resource scope |
| Access to all resources in one resource group | Resource group scope |
| Access to all resources in a subscription | Subscription scope |
| Policy or access across many subscriptions | Management group scope |
Key built-in roles:
| Role | Practical meaning |
|---|---|
| Owner | Full management access, including permission to assign roles |
| Contributor | Can manage resources, but cannot grant access |
| Reader | Can view resources, not modify them |
| User Access Administrator | Can manage user access to Azure resources |
| Storage Blob Data Reader | Read blob data |
| Storage Blob Data Contributor | Read, write, and delete blob data |
| Storage Account Contributor | Manage the storage account resource, not necessarily blob data access |
Management plane vs data plane
This is one of the most common AZ-104 traps.
| Plane | Controls | Example |
|---|---|---|
| Management plane | Azure resource configuration | Create a storage account, resize a VM, change an NSG |
| Data plane | Data inside the service | Read blobs, query Key Vault secrets, access files |
If a user can manage a storage account but cannot read blobs, the missing permission is likely a data-plane role, such as a Storage Blob Data role.
Identity traps to avoid
- Contributor is not Owner: Contributor cannot assign RBAC roles.
- Reader cannot view secrets by default: viewing a resource is not the same as reading protected data.
- A managed identity has no useful permissions until assigned to the target service.
- RBAC inheritance flows downward from management group to subscription to resource group to resource.
- Deny assignments and policy effects can override expected access in some scenarios.
- Removing a user from a group can remove inherited resource permissions even if no direct role assignment exists.
Governance: policy, locks, tags, and cost controls
Governance tool decision table
| Need | Use |
|---|---|
| Grant or restrict who can manage resources | Azure RBAC |
| Enforce allowed locations, SKUs, tags, or configurations | Azure Policy |
| Prevent accidental deletion or modification | Resource lock |
| Organize resources for billing/reporting | Tags |
| Group subscriptions for policy/RBAC inheritance | Management groups |
| Track or alert on spending | Budgets and cost alerts |
| Deploy standard configurations at scale | Policy initiative, templates, or automation |
Azure Policy vs RBAC
| Question | Use RBAC | Use Azure Policy |
|---|---|---|
| “Who can create resources?” | Yes | Sometimes indirectly |
| “Which locations are allowed?” | No | Yes |
| “Which VM SKUs are allowed?” | No | Yes |
| “Require a tag on resources?” | No | Yes |
| “Audit noncompliant resources?” | No | Yes |
| “Prevent public IP creation?” | Usually no | Yes, with policy |
RBAC answers who can act. Policy answers what is allowed or required.
Resource locks
| Lock | Effect |
|---|---|
| CanNotDelete | Authorized users can read and modify, but cannot delete |
| ReadOnly | Authorized users can read, but cannot modify or delete |
Important trap: resource locks operate at the Azure management layer. A delete lock on a storage account helps prevent deletion of the storage account resource, but it is not a substitute for data protection, backup, versioning, soft delete, or data-plane permissions.
Tags and organization
Tags are useful for cost allocation, ownership, environment, and automation. They are not a security boundary.
Common traps:
- Tags are not automatically inherited in all scenarios.
- Policy can require or append tags depending on configuration.
- Moving resources between resource groups may affect management scope, but it does not automatically redesign the resource.
Storage review
Storage account choices
| Requirement | Likely feature or decision |
|---|---|
| Object storage for unstructured data | Blob storage |
| SMB file share for lift-and-shift workloads | Azure Files |
| Queue-based decoupling | Azure Queue Storage |
| NoSQL key-value style storage | Table storage |
| Lowest latency with managed disks | Choose appropriate disk SKU/performance tier |
| Archive long-term blob data | Archive tier or lifecycle policy |
| Protect against accidental blob deletion | Soft delete, versioning, snapshots, backup strategy |
| Access without public internet | Private endpoint, private DNS, firewall rules |
Redundancy quick comparison
| Redundancy | Basic idea | Watch for |
|---|---|---|
| LRS | Copies within one datacenter/location unit | Lower cost, less regional resilience |
| ZRS | Copies across availability zones in a region | Requires regional/zone support |
| GRS | Replicates to paired region | Secondary access depends on configuration |
| RA-GRS | Read access to secondary replica | Higher resilience/read option, higher cost |
| GZRS / RA-GZRS | Combines zone and geo redundancy concepts | Availability depends on region/service support |
Do not assume every redundancy conversion is immediate, free, or available for every account type. In exam questions, choose the redundancy that matches the stated resilience requirement and budget.
Blob access tiers
| Tier | Best for | Trap |
|---|---|---|
| Hot | Frequently accessed data | Higher storage cost, lower access cost |
| Cool | Infrequently accessed data | Retrieval and minimum retention considerations may apply |
| Archive | Rarely accessed long-term data | Must be rehydrated before normal access |
Lifecycle management can move blobs between tiers or delete them based on rules. If the question asks for automatic cost optimization over time, look for lifecycle management.
Storage security
| Control | Purpose |
|---|---|
| Microsoft Entra authentication | Identity-based access where supported |
| Azure RBAC data roles | Least-privilege access to blob/queue data |
| Shared access signature | Delegated time-limited access |
| Stored access policy | Manage SAS constraints for supported services |
| Storage account keys | Broad access; rotate and protect carefully |
| Secure transfer required | Enforce HTTPS |
| Firewall and virtual network rules | Limit network paths |
| Private endpoint | Private IP access from a VNet |
| Customer-managed keys | Control key management requirements |
SAS traps:
- A SAS grants access according to its permissions, resource scope, and time window.
- Revoking a SAS can be difficult if it was created directly from account keys.
- A user delegation SAS for Blob storage is tied to Microsoft Entra authentication and is often the more least-privilege choice when supported.
Azure Files and Azure File Sync
| Need | Feature |
|---|---|
| Cloud-hosted SMB file share | Azure Files |
| Cache Azure file shares on Windows Server | Azure File Sync |
| Keep frequently used files local | Cloud tiering |
| Centralize branch office file data | Azure File Sync topology |
Common mistakes:
- Confusing Blob storage with Azure Files. Blob is object storage; Azure Files provides file shares.
- Forgetting that network access, identity, share permissions, and NTFS permissions can all matter depending on the scenario.
- Assuming a storage account firewall rule automatically creates private connectivity. Private endpoints are different.
Compute review
Virtual machines
High-yield VM concepts:
| Topic | What to remember |
|---|---|
| VM size | Determines CPU, memory, temporary storage, and supported features |
| Managed disks | Azure-managed storage for OS and data disks |
| Availability set | Spreads VMs across fault/update domains within a datacenter scope |
| Availability zone | Places resources in physically separate zones within a supported region |
| VM extension | Runs configuration or agents after deployment |
| Custom Script Extension | Executes scripts on a VM |
| Image | Reusable OS/application template |
| Snapshot | Point-in-time disk copy |
| Backup | Managed recovery point strategy through vault/policy |
Availability choice:
| Requirement | Choose |
|---|---|
| Protect against host maintenance/failure for multiple VMs | Availability set |
| Protect against datacenter-level failure within a region | Availability zones |
| Automatically scale identical VMs | Virtual Machine Scale Sets |
| Replace manual VM configuration | Image, extension, template, or automation |
VM disks
| Disk type concept | Exam focus |
|---|---|
| OS disk | Contains operating system |
| Data disk | Application/data storage |
| Temporary disk | Nonpersistent local storage; do not store critical data |
| Standard HDD/SSD | Cost-sensitive workloads |
| Premium SSD / higher performance options | Production and performance-sensitive workloads |
| Snapshots | Disk-level point-in-time copy |
Common trap: a stopped VM can still incur storage charges for disks. To stop compute billing, the VM must be deallocated, but attached disks and other resources can still cost money.
App Service
| Concept | What it controls |
|---|---|
| App Service app | Web app/API/application resource |
| App Service plan | Compute, region, pricing tier, scale capacity |
| Deployment slot | Separate deployment target for staging/testing |
| Swap | Exchange slot content/configuration with production |
| App settings | Environment-style configuration |
| Custom domain/TLS | Public application access and certificates |
Decision points:
- Scaling up changes the plan tier/size.
- Scaling out adds instances.
- Deployment slots reduce deployment risk.
- The App Service plan is the billing and compute container.
Containers
| Requirement | Likely service |
|---|---|
| Run a simple container quickly without managing orchestration | Azure Container Instances |
| Orchestrate multi-container workloads at scale | Azure Kubernetes Service |
| Containerized web app with PaaS-style management | App Service for containers |
For AZ-104, focus on administrative tasks: deployment, scaling, networking, identity, and monitoring rather than deep Kubernetes internals.
ARM templates, Bicep, and deployment behavior
You may see infrastructure deployment concepts.
| Concept | Review point |
|---|---|
| ARM template | JSON declarative deployment |
| Bicep | Declarative language that compiles to ARM templates |
| Parameters | Values supplied at deployment |
| Variables | Reusable expressions inside the template |
| Outputs | Values returned after deployment |
| Incremental deployment | Adds/updates declared resources without intentionally removing all undeclared resources |
| Complete deployment | Can remove resources not in the template in supported scenarios; read wording carefully |
Trap: if the question asks for repeatable deployments, do not choose manual portal configuration.
Networking review
Addressing and subnet basics
Azure reserves IP addresses in each subnet. For IPv4 subnet sizing, a useful review formula is:
\[ \text{usable IPv4 addresses} = 2^{(32 - \text{prefix length})} - 5 \]Common traps:
- Subnet address ranges cannot overlap within a VNet.
- Peered VNets cannot have overlapping address spaces.
- Some Azure services require dedicated subnets or minimum subnet sizes.
- Resizing a subnet may be blocked if resources are already deployed into it.
NSGs, ASGs, and effective security rules
| Feature | Use |
|---|---|
| Network security group | Allow/deny inbound or outbound traffic |
| Application security group | Group VM NICs logically for NSG rules |
| Service tag | Represent Azure service IP ranges in rules |
| Priority | Lower number wins |
| Default rules | Exist even if you do not create custom rules |
NSG troubleshooting order:
- Identify source, destination, port, and protocol.
- Check NSG on source subnet/NIC and destination subnet/NIC.
- Review rule priority.
- Consider default rules.
- Check route tables, firewall/NVA, and application listening state.
Routes and next hops
| Need | Feature |
|---|---|
| Override system routing | User-defined route |
| Force traffic through firewall/NVA | Route table with virtual appliance next hop |
| Connect on-premises networks | VPN gateway or ExpressRoute |
| Provide outbound internet SNAT at scale | NAT Gateway |
| Block route to a destination | Route to None where appropriate |
Route traps:
- UDRs can break connectivity if the next hop is wrong.
- Peering alone does not make routing transitive.
- Gateway transit must be configured intentionally.
- DNS resolution and routing are separate problems.
VNet peering
| Peering fact | Why it matters |
|---|---|
| Low-latency private connectivity between VNets | Common for hub-and-spoke designs |
| Non-transitive by default | Spoke-to-spoke requires explicit design |
| Address spaces must not overlap | Overlap prevents peering |
| Can allow forwarded traffic | Needed with NVAs in hub patterns |
| Gateway transit can be enabled | Allows spokes to use hub gateway if configured |
Private endpoint vs service endpoint
| Feature | Private endpoint | Service endpoint |
|---|---|---|
| Uses private IP in your VNet | Yes | No |
| Keeps traffic on Microsoft backbone | Yes | Yes |
| Can disable public access more cleanly | Often yes | Limited by service design |
| Requires private DNS planning | Usually yes | Usually less DNS impact |
| Service appears as a NIC-like endpoint | Yes | No |
Private endpoint trap: creating the endpoint is not enough if clients still resolve the public hostname to a public IP. Private DNS configuration is often the missing step.
Load balancing and traffic distribution
| Requirement | Service |
|---|---|
| Layer 4 TCP/UDP load balancing | Azure Load Balancer |
| Layer 7 HTTP/HTTPS routing and WAF | Application Gateway |
| DNS-based global traffic distribution | Traffic Manager |
| Global HTTP acceleration and modern edge routing | Azure Front Door |
| Secure outbound connectivity from subnet | NAT Gateway |
| Central network filtering | Azure Firewall |
Do not choose Application Gateway for simple non-HTTP TCP load balancing. Do not choose Traffic Manager for packet-level load balancing; it uses DNS responses.
DNS
| Need | Use |
|---|---|
| Host public DNS zone | Azure DNS public zone |
| Resolve private names in VNets | Azure private DNS zone |
| Resolve private endpoint names correctly | Private DNS zone integration |
| Custom name resolution | DNS forwarders or custom DNS servers |
DNS is a frequent hidden cause of private endpoint failures.
Monitoring, alerts, and backup
Azure Monitor core components
| Component | Use |
|---|---|
| Metrics | Numeric time-series data |
| Logs | Queryable records, often in Log Analytics |
| Activity log | Subscription-level control-plane events |
| Resource logs | Service-specific diagnostic logs |
| Diagnostic settings | Send logs/metrics to destinations |
| Alerts | Notify or trigger action based on signal |
| Action groups | Email, SMS, webhook, automation, ITSM-style actions depending on configuration |
| Workbooks | Interactive reporting |
| Network Watcher | Network diagnostics and troubleshooting |
Metrics vs logs:
| If the question asks for… | Think |
|---|---|
| CPU percentage threshold | Metric alert |
| Query events across resources | Log Analytics logs |
| Who deleted or changed a resource | Activity log |
| Service-specific operational records | Diagnostic settings + resource logs |
| Packet/path/network troubleshooting | Network Watcher |
Diagnostic settings
A common mistake is assuming logs are automatically available in Log Analytics. Many platform logs must be sent using diagnostic settings.
Diagnostic settings can route supported logs and metrics to destinations such as a Log Analytics workspace, storage account, or event streaming destination. Choose the destination based on query, retention, archive, or integration needs.
Alerts
Alert design:
- Choose the signal: metric, log, activity log, service health, or resource health.
- Define condition and threshold.
- Define scope.
- Attach action group.
- Tune frequency, severity, and dimensions where relevant.
Trap: an alert rule without an action group may evaluate but not notify the intended people.
Backup and recovery
| Requirement | Use |
|---|---|
| Restore VM to previous point | Azure Backup |
| Protect Azure Files | Azure Backup where supported |
| Replicate workloads for disaster recovery | Azure Site Recovery |
| Store recovery points and policies | Recovery Services vault or backup vault depending on workload |
| Protect from accidental deletion | Soft delete / backup protection features where applicable |
| Restore individual files from VM backup | File-level recovery options |
Backup decision points:
- Backup protects against deletion, corruption, and restore scenarios.
- Replication/failover protects availability in disaster scenarios.
- Snapshots are not a full backup strategy by themselves.
- Vault, region, policy, retention, and supported workload matter.
Cross-topic decision rules
“Least privilege” questions
When a question says least privilege, avoid broad roles.
| Bad instinct | Better thought |
|---|---|
| Assign Owner | Is Contributor enough? |
| Assign Contributor | Is a specific built-in role enough? |
| Assign storage account key | Can Microsoft Entra/RBAC or SAS meet the need? |
| Assign at subscription scope | Can resource group or resource scope meet the need? |
“No public internet access” questions
Look for a combination of:
- Private endpoint
- Private DNS zone
- Disabled public network access where supported
- VNet integration or subnet placement
- NSG/route/firewall alignment
- Correct client network path
Do not rely on an NSG alone if the service endpoint is still public and the requirement is private access.
“Minimum administrative effort” questions
Prefer managed and built-in features:
| Requirement | Often lower effort |
|---|---|
| Repeat resource deployment | Template/Bicep |
| Enforce allowed locations | Azure Policy |
| Deploy monitoring at scale | Policy/diagnostic settings strategy |
| Rotate away from secrets | Managed identity |
| Scale app instances | Autoscale |
| Move blobs to cheaper tiers | Lifecycle management |
| Grant access to many users | Group-based RBAC |
“High availability” questions
| Workload | Review choice |
|---|---|
| Multiple VMs in same region | Availability zones or availability set depending on requirement |
| Stateless identical VMs | VM scale set |
| HTTP web traffic | Application Gateway, Front Door, App Service scale features |
| TCP/UDP regional traffic | Azure Load Balancer |
| Storage durability | Appropriate redundancy option |
| Cross-region recovery | Backup/replication/DR design |
“Troubleshoot connectivity” questions
Use this path:
- DNS: does the name resolve to the expected IP?
- Source network: subnet, NIC, NSG, route table.
- Destination network: NSG, firewall, private endpoint, service firewall.
- Routing: next hop, UDR, peering, gateway, NVA.
- Service configuration: listener, port, protocol, access policy.
- Identity: if network works but access fails, check RBAC, keys, SAS, or app identity.
- Logs: Network Watcher, flow logs where configured, diagnostic logs, activity log.
Common candidate mistakes
| Mistake | Better exam habit |
|---|---|
| Treating Microsoft Entra roles and Azure RBAC roles as interchangeable | Identify whether the task is directory administration or Azure resource access |
| Assigning Owner for convenience | Use least privilege and narrow scope |
| Forgetting data-plane roles | Storage, Key Vault, and other services may require data access permissions |
| Confusing Azure Policy with RBAC | Policy enforces rules; RBAC grants permissions |
| Using tags as security controls | Tags organize; they do not secure |
| Assuming VNet peering is transitive | Design explicit connectivity |
| Creating a private endpoint but ignoring DNS | Private DNS is often required |
| Choosing Traffic Manager for real-time load balancing | Traffic Manager is DNS-based |
| Assuming logs automatically appear in Log Analytics | Configure diagnostic settings |
| Using snapshots as complete backup strategy | Use backup policies for recoverability |
| Forgetting deallocation for VM compute billing | Stopped is not always deallocated |
| Ignoring scope inheritance | Parent assignments can affect child resources |
Quick command and tooling awareness
AZ-104 is not a pure command memorization exam, but you should recognize common administrative tooling.
| Tool | Best use |
|---|---|
| Azure portal | Visual administration and discovery |
| Azure CLI | Cross-platform command-line automation |
| Azure PowerShell | PowerShell-based administration and scripting |
| Cloud Shell | Browser-based shell with Azure tools |
| ARM templates / Bicep | Repeatable infrastructure deployment |
| Azure Resource Graph | Query resources across subscriptions |
| Azure Monitor / Log Analytics | Monitoring and KQL-based investigation |
Focus less on memorizing every parameter and more on knowing what the command is trying to configure: RBAC assignment, VM operation, storage setting, route, NSG rule, diagnostic setting, or deployment.
Fast self-check before practice
Use these prompts before starting topic drills:
- Can you explain the difference between Owner, Contributor, and User Access Administrator?
- Can you choose between Azure Policy, RBAC, locks, and tags?
- Can you distinguish storage account management access from blob data access?
- Can you choose between private endpoint and service endpoint?
- Can you troubleshoot a blocked VM connection using NSGs, UDRs, DNS, and service configuration?
- Can you choose the right load balancing service for Layer 4, Layer 7, and DNS-based routing?
- Can you explain when to use metrics, logs, activity log, and diagnostic settings?
- Can you choose between backup, snapshot, and site recovery?
If any answer feels uncertain, use targeted topic drills before attempting a full mock exam.
Practice plan for AZ-104
After this Quick Review, move into IT Mastery practice in this order:
- Topic drills for identity, governance, networking, storage, compute, and monitoring.
- Original practice questions that force service selection and least-privilege decisions.
- Scenario sets combining networking, RBAC, diagnostics, and recovery.
- Timed mock exams to practice reading constraints under pressure.
- Detailed explanations for every missed or guessed answer.
For each missed question, write down:
- The Azure service or feature being tested.
- The keyword you missed.
- The wrong assumption you made.
- The decision rule that would have led to the correct answer.
Final exam-readiness reminders
- Always identify the scope: tenant, management group, subscription, resource group, resource, subnet, NIC, or data object.
- Separate management-plane access from data-plane access.
- Prefer built-in managed Azure features when the question asks for minimum effort.
- Use least privilege unless the scenario clearly requires broad control.
- Treat DNS as a first-class part of private networking.
- Do not ignore diagnostic settings when logs are required.
- Match availability and recovery answers to the failure the question is trying to survive.
Next step: use the AZ-104 question bank for focused topic drills first, then move to mixed mock exams with detailed explanations once your weak areas are visible.
Continue in IT Mastery
Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official Microsoft questions, copied live-exam content, or exam dumps.