AZ-802 — Microsoft Certified: Windows Server Hybrid Administrator Associate Exam Blueprint
Practical AZ-802 exam blueprint for Windows Server hybrid administrator readiness.
How to use this AZ-802 exam blueprint
Use this page as a practical readiness map for Microsoft AZ-802, the exam associated with Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-802). It is not an official Microsoft objective list and does not claim exact exam weights. Instead, it translates the major readiness areas into what you should be able to recognize, configure, troubleshoot, and explain before test day.
For each area, ask:
- Can I choose the right Microsoft service, Windows Server role, or management tool for the scenario?
- Can I explain why one option is better than another?
- Can I identify the operational risk, security impact, or recovery tradeoff?
- Can I troubleshoot from symptoms, logs, configuration artifacts, and commands?
- Can I apply the same concept in both on-premises and hybrid Azure-connected environments?
AZ-802 readiness areas at a glance
| Readiness area | What to be ready for | You are ready when you can… |
|---|---|---|
| Secure Windows Server environments | Hardening, identity protection, secure administration, endpoint protection, network security, certificates, and baseline enforcement | Apply least privilege, secure remote access, interpret security recommendations, and choose controls that reduce risk without breaking required workloads |
| Secure hybrid infrastructure | Azure Arc, Microsoft Defender for Cloud, Azure Policy, update management, monitoring, and hybrid governance | Explain how Azure services extend management and security to Windows Server systems outside Azure |
| Implement high availability | Failover clustering, quorum, witnesses, Cluster-Aware Updating, Storage Spaces Direct concepts, Hyper-V availability, and workload failover | Design and troubleshoot availability for services that must keep running during host, network, or storage failures |
| Implement disaster recovery | Azure Backup, Azure Site Recovery, Windows Server Backup, Storage Replica, recovery testing, RPO/RTO decisions | Select the right recovery method for file, server, VM, application, or site-level failures |
| Migrate servers and workloads | Azure Migrate, Storage Migration Service, Windows Admin Center, file server migration, Hyper-V migration, dependency discovery, cutover planning | Build a migration plan that preserves identity, data, permissions, naming, DNS, and application dependencies |
| Monitor and troubleshoot | Event logs, Performance Monitor, Resource Monitor, Azure Monitor, Log Analytics, Windows Admin Center, cluster logs, AD DS diagnostics, network testing | Move from symptom to root cause using the correct tool and evidence |
| Manage core infrastructure services | AD DS, DNS, DHCP, Group Policy, file services, storage, networking, and remote management | Diagnose common Windows Server service failures in hybrid and on-premises scenarios |
Topic-area readiness table
| Topic area | Review focus | Practical readiness checks | Common evidence or artifacts |
|---|---|---|---|
| Windows Server security baselines | Local security policy, Group Policy, Microsoft security baselines, attack surface reduction, auditing | Can you identify whether a setting should be enforced locally, by GPO, by Azure Policy, or by endpoint security tooling? | GPO reports, security baseline exports, audit policy, Event Viewer, Defender recommendations |
| Privileged access | Least privilege, administrative tiers, Just Enough Administration, PowerShell remoting, delegation, local admin control | Can you reduce broad Domain Admin use and still allow admins to perform required tasks? | JEA role capabilities, constrained endpoints, LAPS policies, group memberships |
| Authentication and identity protection | Kerberos, NTLM, LDAP signing, channel binding, SPNs, time sync, trusts, account lockouts | Can you troubleshoot authentication failures without guessing? | Security logs, klist, nltest, dcdiag, repadmin, SPN records |
| Network security | Windows Defender Firewall, IPsec, segmentation, SMB security, remote management ports, DNS security | Can you distinguish name resolution, connectivity, firewall, and authentication issues? | Firewall rules, Test-NetConnection, DNS records, packet captures, event logs |
| Endpoint and server protection | Microsoft Defender, update posture, threat detection, malware response, exclusion decisions | Can you evaluate whether an exclusion or disabled control creates unnecessary risk? | Defender alerts, update history, security recommendations, process evidence |
| Azure Arc-enabled servers | Hybrid inventory, guest configuration, policy, monitoring, extensions, update governance | Can you explain what Azure Arc adds for non-Azure Windows Server machines? | Arc resource, connected machine agent status, Azure Policy assignment, extension status |
| Defender for Cloud | Security posture, recommendations, workload protection concepts, hybrid server visibility | Can you map a recommendation to the underlying server control? | Secure score context, recommendations, alerts, regulatory/security posture views |
| High availability planning | Failover clustering, quorum, witness placement, cluster validation, workload roles | Can you decide when clustering is appropriate and when backup or replication is the better fit? | Cluster validation report, cluster events, quorum settings, role ownership |
| Cluster operations | Cluster-Aware Updating, node drain/resume, role failover, CSVs, cluster networking | Can you safely patch or fail over a cluster without unnecessary downtime? | CAU results, cluster logs, CSV state, role status, node status |
| Storage resiliency | Storage Spaces, Storage Spaces Direct concepts, Storage Replica, volumes, disks, redundancy | Can you explain what protects against disk failure versus site failure? | Disk health, storage pool state, replica partnership, event logs |
| Hyper-V recovery and availability | Hyper-V Replica, checkpoints, failover, networking, VM configuration compatibility | Can you choose the right protection method for a virtualized workload? | Replica health, VM settings, virtual switch config, failover test results |
| Backup and restore | Azure Backup, Recovery Services vaults, Windows Server Backup, backup policy, restore validation | Can you select item-level, volume-level, VM-level, or site-level recovery appropriately? | Backup jobs, restore points, recovery test notes, vault configuration |
| Disaster recovery design | RPO, RTO, replication, backup retention, failover testing, runbooks | Can you explain recovery tradeoffs in business terms? | Recovery plan, dependency map, runbook, failover test report |
| Server migration | Discovery, dependency assessment, compatibility, cutover, rollback | Can you migrate without losing permissions, names, shares, or application dependencies? | Azure Migrate project, dependency map, migration assessment, cutover checklist |
| Storage and file server migration | Storage Migration Service, SMB shares, ACLs, local users/groups, server identity | Can you preserve access paths and permissions during file server modernization? | Inventory report, transfer job status, share list, ACL validation |
| Monitoring | Azure Monitor, Log Analytics, Windows Admin Center, Event Viewer, PerfMon | Can you pick the right data source for performance, security, availability, or configuration issues? | Metrics, logs, alerts, workbooks, event IDs, performance counters |
| Troubleshooting | AD DS, DNS, DHCP, Group Policy, replication, cluster, storage, network, updates | Can you isolate cause using repeatable diagnostics rather than trial-and-error? | Diagnostic command output, event logs, health reports, failed job details |
Can you do this? Core AZ-802 skills checklist
Secure Windows Server and hybrid infrastructure
- Explain how Microsoft hybrid management tools can extend visibility to Windows Server systems outside Azure.
- Identify when to use Group Policy, local policy, Azure Policy, Microsoft Defender for Cloud recommendations, or endpoint security controls.
- Apply least privilege for server administration without granting broad domain-level permissions.
- Describe how to secure PowerShell remoting and remote administration.
- Recognize risks from legacy authentication protocols, weak cipher use, unsigned LDAP, and unrestricted admin access.
- Troubleshoot Kerberos, NTLM, SPN, time synchronization, and domain trust issues.
- Interpret security event logs and distinguish failed logon, lockout, privilege use, and policy-change events.
- Explain how Azure Arc-enabled servers support inventory, policy, monitoring, and extension-based management.
- Map Microsoft Defender for Cloud recommendations to Windows Server configuration changes.
- Choose firewall, segmentation, certificate, and remote access controls for a given scenario.
Implement high availability
- Explain the difference between high availability, fault tolerance, backup, replication, and disaster recovery.
- Determine whether a workload should use failover clustering, load balancing, replica-based recovery, or backup-based recovery.
- Interpret cluster validation results and identify blockers before production deployment.
- Choose an appropriate quorum and witness approach for a cluster scenario.
- Explain how node failure, witness loss, network partition, and storage failure affect cluster behavior.
- Use Cluster-Aware Updating concepts to patch clustered hosts safely.
- Identify the role of Cluster Shared Volumes in clustered virtualization scenarios.
- Troubleshoot failed cluster role movement, offline resources, disk ownership, and network issues.
- Explain the availability impact of planned versus unplanned failover.
- Recognize when Storage Replica, Hyper-V Replica, or Azure Site Recovery is the better fit than clustering.
Implement disaster recovery
- Define recovery point objective and recovery time objective in plain operational terms.
- Choose between Azure Backup, Windows Server Backup, Azure Site Recovery, Storage Replica, and application-native protection.
- Explain why a backup is not automatically a disaster recovery plan.
- Identify restore scope: file, folder, volume, system state, VM, application, or site.
- Describe how to validate backups and document restore procedures.
- Identify dependencies that must be recovered together, such as DNS, AD DS, databases, application servers, and file shares.
- Explain failover and failback considerations for replicated workloads.
- Recognize when crash-consistent recovery may not be sufficient for an application.
- Build a recovery runbook with contacts, order of operations, validation steps, and rollback criteria.
Migrate Windows Server workloads
- Perform discovery before selecting a migration tool.
- Identify server dependencies, open ports, service accounts, scheduled tasks, local users, certificates, and application bindings.
- Choose Azure Migrate for assessment and migration scenarios where appropriate.
- Choose Storage Migration Service for file server and storage migration scenarios where appropriate.
- Preserve SMB shares, NTFS permissions, local identities, and server names where the scenario requires it.
- Plan DNS, IP address, SPN, certificate, and application connection-string changes.
- Validate application functionality after migration, not just VM boot status.
- Define a rollback plan before cutover.
- Identify when modernization, rehosting, or replacement is more appropriate than direct migration.
Monitor and troubleshoot
- Use Event Viewer, Windows Admin Center, Performance Monitor, Resource Monitor, and PowerShell diagnostics appropriately.
- Use Azure Monitor and Log Analytics to centralize data from hybrid servers.
- Interpret alerts versus logs versus metrics.
- Diagnose AD DS replication, DNS resolution, Group Policy processing, DHCP leasing, and authentication issues.
- Troubleshoot Windows Update failures, service failures, disk pressure, CPU/memory bottlenecks, and network latency.
- Use cluster logs and validation reports for failover cluster issues.
- Distinguish between a monitoring gap and a real service outage.
- Build alert logic that is actionable instead of noisy.
Scenario and decision-point checks
HA, backup, replication, or DR?
| Scenario cue | Better exam reasoning | Watch for traps |
|---|---|---|
| “The service must remain available during a single host failure” | Consider failover clustering, load balancing, or application-level HA | Backup alone does not provide continuous availability |
| “The organization must recover deleted files from last week” | Consider backup with appropriate restore points | Replication may replicate deletions or corruption |
| “The entire site may become unavailable” | Consider disaster recovery planning, Azure Site Recovery, Storage Replica, or cross-site recovery design | A local cluster does not protect against full-site failure |
| “The application requires transaction consistency” | Consider application-aware backup or app-supported replication | Crash-consistent recovery may not meet requirements |
| “The server must be migrated with minimal user path changes” | Preserve name, shares, permissions, DNS, and SPNs where possible | Migrating data only may break application and user access |
| “Security posture must be monitored across on-premises and Azure” | Consider Azure Arc, Defender for Cloud, Azure Policy, and centralized monitoring | Local-only management may miss hybrid governance needs |
Migration decision path
```mermaid
flowchart TD
    A[Identify workload] --> B{Is it file/storage focused?}
    B -- Yes --> C[Evaluate Storage Migration Service]
    B -- No --> D{Is it VM/server migration?}
    D -- Yes --> E[Assess with Azure Migrate]
    D -- No --> F[Review app-native or manual migration]
    C --> G[Validate shares, ACLs, identities, names]
    E --> H[Validate dependencies, sizing, compatibility]
    F --> I[Document custom cutover steps]
    G --> J[Plan cutover and rollback]
    H --> J
    I --> J
    J --> K[Test access, performance, and monitoring]
```
Security scenario prompts
Use these prompts to test whether you can reason through Microsoft AZ-802-style security decisions.
| Prompt | Can you decide? |
|---|---|
| A legacy app requires older authentication behavior | Can you identify the risk, compensating controls, and migration path instead of simply disabling security? |
| Administrators use Domain Admin accounts for routine server tasks | Can you redesign access using least privilege, delegation, JEA, or role-specific groups? |
| Servers exist across on-premises, Azure, and another hosting location | Can you choose a consistent management and monitoring approach using Azure Arc where appropriate? |
| A firewall change breaks remote administration | Can you identify required management ports and distinguish firewall from authentication failure? |
| Security alerts appear for multiple servers | Can you prioritize by exposure, severity, business role, and exploitability? |
| A recommendation conflicts with application requirements | Can you document exception handling, scope reduction, and risk acceptance? |
Disaster recovery scenario prompts
| Prompt | Readiness question |
|---|---|
| “Recover within a short time after regional or site outage” | Can you explain whether replication, warm standby, or recovery orchestration is required? |
| “Restore a single accidentally deleted folder” | Can you choose file-level restore rather than full server recovery? |
| “Protect domain controllers” | Can you discuss system state, AD DS replication considerations, and authoritative versus non-authoritative thinking at a high level? |
| “Test failover without disrupting production” | Can you explain isolated test networks and validation steps? |
| “Meet a strict RPO” | Can you choose a method that captures changes frequently enough without assuming backup is sufficient? |
Commands, tools, and artifacts to recognize
You do not need to treat AZ-802 as a pure command memorization exam, but you should recognize what common tools are used for and what evidence they produce.
AD DS, DNS, and authentication diagnostics
```powershell
dcdiag
repadmin /replsummary
repadmin /showrepl
nltest /dsgetdc:contoso.com
klist
gpresult /h report.html
Resolve-DnsName server01.contoso.com
Test-ComputerSecureChannel
```
| Tool or command | What it helps verify |
|---|---|
| `dcdiag` | Domain controller health checks |
| `repadmin` | AD DS replication status and failures |
| `nltest` | Domain controller discovery and secure channel diagnostics |
| `klist` | Kerberos ticket information |
| `gpresult` | Applied Group Policy settings |
| `Resolve-DnsName` | DNS resolution and record validation |
| `Test-ComputerSecureChannel` | Domain secure channel health |
Cluster and availability diagnostics
```powershell
Test-Cluster
Get-ClusterNode
Get-ClusterGroup
Move-ClusterGroup
Get-ClusterResource
Get-ClusterLog
```
| Tool or command | What it helps verify |
|---|---|
| `Test-Cluster` | Cluster readiness and validation results |
| `Get-ClusterNode` | Node state and membership |
| `Get-ClusterGroup` | Clustered role ownership and status |
| `Move-ClusterGroup` | Planned role movement or failover testing |
| `Get-ClusterResource` | Resource-level state and dependencies |
| `Get-ClusterLog` | Detailed cluster troubleshooting evidence |
Storage Replica and storage checks
```powershell
Test-SRTopology
Get-SRGroup
Get-SRPartnership
Get-Volume
Get-PhysicalDisk
Get-StoragePool
```
| Tool or command | What it helps verify |
|---|---|
| `Test-SRTopology` | Storage Replica readiness for a proposed configuration |
| `Get-SRGroup` | Replication group status |
| `Get-SRPartnership` | Replication partnership status |
| `Get-Volume` | Volume state and file system information |
| `Get-PhysicalDisk` | Disk health and operational status |
| `Get-StoragePool` | Storage pool capacity and health |
Network and performance diagnostics
```powershell
Test-NetConnection server01.contoso.com -Port 445
Get-NetIPConfiguration
Get-NetRoute
Get-DnsClientServerAddress
Get-WinEvent -LogName System -MaxEvents 50
Get-Counter '\Processor(_Total)\% Processor Time'
```
| Tool or command | What it helps verify |
|---|---|
| `Test-NetConnection` | Connectivity, port reachability, and path checks |
| `Get-NetIPConfiguration` | IP, DNS, and gateway configuration |
| `Get-NetRoute` | Routing table issues |
| `Get-DnsClientServerAddress` | DNS client configuration |
| `Get-WinEvent` | Recent events from selected logs |
| `Get-Counter` | Performance counter sampling |
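The layered check behind the "distinguish name resolution, connectivity, firewall, and authentication issues" readiness question, written as an added example that is not part of the original blueprint. The function name `Test-RemoteAdminPath`, the default port list, and the layer labels are assumptions; it chains cmdlets listed above and assumes Windows PowerShell 5.1 on a domain-joined admin workstation.

```powershell
# Added example: layered triage for "remote administration stopped working".
# Function name, port list and layer labels are assumptions for illustration.
# Assumes Windows PowerShell 5.1 on a domain-joined admin workstation.
function Test-RemoteAdminPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $ComputerName,

        # 5985 = WinRM over HTTP, 445 = SMB, 3389 = RDP
        [int[]] $Port = @(5985, 445, 3389)
    )

    $result = [ordered]@{
        ComputerName  = $ComputerName
        Addresses     = @()
        OpenPorts     = @()
        ClosedPorts   = @()
        SecureChannel = $null
        LikelyLayer   = $null
    }

    # Layer 1: name resolution. Stop here if the name does not resolve,
    # because every later test would fail for the same reason.
    try {
        $records = @(Resolve-DnsName -Name $ComputerName -ErrorAction Stop |
            Where-Object { $_.IPAddress })
    } catch {
        $records = @()
    }
    $result.Addresses = @($records | ForEach-Object { $_.IPAddress })
    if ($result.Addresses.Count -eq 0) {
        $result.LikelyLayer = 'Name resolution (check DNS records and client DNS servers)'
        return [pscustomobject]$result
    }

    # Layer 2: TCP reachability for each management port.
    foreach ($p in $Port) {
        $tcp = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        if ($tcp.TcpTestSucceeded) {
            $result.OpenPorts += $p
        } else {
            $result.ClosedPorts += $p
        }
    }

    # Layer 3: this machine's secure channel to the domain. A broken channel
    # causes authentication errors even when every port is reachable.
    try {
        $result.SecureChannel = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $result.SecureChannel = $false
    }

    # Report the lowest layer that failed; higher layers depend on it.
    $layer = if ($result.OpenPorts.Count -eq 0) {
        'Network path or firewall (no management port reachable)'
    } elseif ($result.ClosedPorts.Count -gt 0) {
        'Firewall rule or stopped service on port(s): ' + ($result.ClosedPorts -join ', ')
    } elseif (-not $result.SecureChannel) {
        'Authentication (secure channel broken; review klist and the Security log)'
    } else {
        'Transport and secure channel healthy; review logon events and SPNs'
    }
    $result.LikelyLayer = $layer

    [pscustomobject]$result
}

Test-RemoteAdminPath -ComputerName server01.contoso.com
```

A closed port only shows that the TCP handshake failed; confirm whether a firewall rule or a stopped service is responsible from the target's firewall rules and service state before changing either.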
Azure and hybrid management artifacts
| Artifact | Why it matters for AZ-802 readiness |
|---|---|
| Azure Arc-enabled server resource | Shows a non-Azure or hybrid server represented in Azure for management |
| Connected Machine agent status | Helps confirm hybrid server connectivity and management state |
| Azure Policy assignment | Shows governance or configuration rules applied to resources |
| Defender for Cloud recommendation | Connects security posture findings to remediation actions |
| Log Analytics workspace | Centralizes logs and queryable telemetry |
| Azure Monitor alert rule | Defines condition-based notification or action |
| Recovery Services vault | Common Azure resource for backup and recovery scenarios |
| Azure Migrate project | Organizes discovery, assessment, and migration activities |
| Windows Admin Center connection | Provides server, cluster, storage, and hybrid management access |
Key concepts you should be able to explain clearly
High availability versus disaster recovery
| Concept | Plain-language meaning | Example exam distinction |
|---|---|---|
| High availability | Keeps a service running during expected component failures | Failover cluster handles a node failure |
| Backup | Stores recoverable copies of data or system state | Restore a deleted file or corrupted server |
| Replication | Copies data or workload state to another location | Storage Replica or Hyper-V Replica prepares another target |
| Disaster recovery | Restores service after a major failure or site outage | Fail over to another site or Azure environment |
| Business continuity | Keeps business processes operating despite disruption | Includes people, process, technology, and communication |
RPO and RTO
| Term | What it asks | Example interpretation |
|---|---|---|
| RPO | How much data can be lost? | “We can lose up to the last few minutes or hours of changes.” |
| RTO | How long can the service be down? | “The service must be usable again within the required recovery window.” |
For final review, make sure you can choose a technology based on RPO and RTO language without needing exact product limits or pricing.
Hybrid management boundaries
| Need | On-premises-only approach | Hybrid/Azure-connected approach |
|---|---|---|
| Server configuration | Local tools, GPO, scripts, Windows Admin Center | Azure Arc, Azure Policy guest configuration, extensions |
| Security posture | Local audit, endpoint tools, manual reviews | Defender for Cloud recommendations and alerts |
| Monitoring | Event Viewer, PerfMon, local logs | Azure Monitor, Log Analytics, workbooks, centralized alerts |
| Backup/recovery | Windows Server Backup, local storage, app backup | Azure Backup, Recovery Services vaults, ASR-style recovery planning |
| Migration | Manual copy, export/import, in-place upgrades | Azure Migrate, Storage Migration Service, Windows Admin Center integrations |
Common weak areas and traps
| Weak area | Why candidates miss it | Final-review correction |
|---|---|---|
| Treating backup as HA | Backup restores after failure but does not keep the service continuously available | Separate availability, backup, replication, and DR in your notes |
| Ignoring DNS during migration | Workloads often depend on names, aliases, SPNs, and hardcoded endpoints | Include DNS and identity validation in every migration plan |
| Overusing Domain Admin | Broad privileges are convenient but risky | Practice delegation, least privilege, JEA, and scoped admin roles |
| Skipping cluster validation | Unsupported or unhealthy configurations often appear before production failure | Know when and why to run validation |
| Misunderstanding quorum | Quorum is about cluster decision-making, not data backup | Review witness choices and split-brain prevention |
| Confusing Azure Arc with moving a server to Azure | Arc projects management into Azure; it does not automatically migrate the workload | Distinguish management plane from workload location |
| Assuming replication protects against deletion | Replication may copy unwanted changes | Use backups for historical recovery |
| Troubleshooting from symptoms only | Many Windows Server failures have similar symptoms | Use logs, commands, and dependency checks systematically |
| Forgetting service accounts and certificates | Apps often break after server or domain changes | Inventory accounts, SPNs, cert bindings, and scheduled tasks |
| Focusing only on portals | AZ-802 scenarios may require knowing the underlying Windows Server role or setting | Pair Azure tool knowledge with Windows Server fundamentals |
Final-week AZ-802 review checklist
Three-pass review plan
| Pass | Goal | What to do |
|---|---|---|
| Pass 1: Coverage | Find topic gaps | Review each readiness area and mark weak topics |
| Pass 2: Scenarios | Improve decision-making | Practice choosing tools for HA, DR, security, migration, and monitoring scenarios |
| Pass 3: Evidence | Strengthen troubleshooting | Review logs, commands, reports, and artifacts that prove a configuration works |
Final-week checklist
- I can explain the purpose of Azure Arc-enabled servers in hybrid Windows Server administration.
- I can distinguish Microsoft Defender for Cloud recommendations from local Windows Server security settings.
- I can choose between Group Policy, local configuration, Azure Policy, and endpoint security controls.
- I can troubleshoot AD DS replication, DNS, Group Policy, and authentication failures.
- I can explain quorum, witness options, node failure, and cluster validation.
- I can identify when Cluster-Aware Updating is appropriate.
- I can choose between failover clustering, Storage Replica, Hyper-V Replica, Azure Backup, and Azure Site Recovery-style planning.
- I can describe backup restore scopes and why restore testing matters.
- I can plan migration discovery, dependency mapping, cutover, validation, and rollback.
- I can preserve file server permissions, shares, and access paths during migration scenarios.
- I can select monitoring data sources for logs, metrics, alerts, security findings, and performance data.
- I can read a scenario and identify the real requirement instead of selecting the newest or broadest tool.
- I can explain tradeoffs in cost, complexity, recovery time, security, and operational effort without relying on memorized limits.
- I can map each major topic to at least one Microsoft tool and one Windows Server artifact.
Quick self-score
Use this simple scoring pass before scheduling or sitting for AZ-802.
| Score | Meaning | Action |
|---|---|---|
| 0 | I recognize the term but cannot apply it | Review the concept and do a small lab or walkthrough |
| 1 | I can explain it but hesitate in scenarios | Practice decision prompts and compare similar tools |
| 2 | I can apply, troubleshoot, and justify it | Keep it in rotation but focus on weaker areas |
Aim for mostly 2s across security, hybrid management, high availability, disaster recovery, migration, and troubleshooting. Any 0 in those areas is a final-review priority.
Practical next step
Pick one weak area from this checklist and turn it into a scenario drill. For example: secure a hybrid server with Azure Arc, troubleshoot a failed domain logon, validate a cluster, design a restore plan, or plan a file server migration. Then practice explaining the decision, the tool choice, the failure points, and the evidence you would check.