AZ-802 — Microsoft Certified: Windows Server Hybrid Administrator Associate Quick Review
Quick Review for Microsoft AZ-802 candidates covering Windows Server hybrid administration, security, migration, high availability, disaster recovery, monitoring, and troubleshooting.
Quick Review purpose
This Quick Review is for candidates preparing for Microsoft Certified: Windows Server Hybrid Administrator Associate, exam code AZ-802. Use it as a final-pass review before topic drills, mock exams, and detailed explanations.
AZ-802 is not just “Windows Server in Azure.” It tests whether you can secure, migrate, protect, monitor, and troubleshoot Windows Server workloads across on-premises and hybrid environments. Expect scenario questions where the best answer depends on constraints such as downtime tolerance, identity model, data size, recovery objective, network connectivity, administrative scope, and whether the workload is physical, virtual, clustered, or cloud-connected.
High-yield AZ-802 mental model
Think in five connected workstreams:
| Workstream | What the exam often tests | Fast decision point |
|---|---|---|
| Secure Windows Server | Least privilege, identity protection, hardening, update posture, Defender integrations | Is the risk identity, endpoint, network, data, or admin access? |
| Implement high availability | Failover clustering, load balancing, Storage Spaces Direct, Cluster-Aware Updating | Is the goal local availability or regional/site recovery? |
| Disaster recovery and backup | Azure Backup, Azure Site Recovery, Hyper-V Replica, Storage Replica | Is the goal restore, failover, replication, or rollback? |
| Migrate servers and workloads | Azure Migrate, Storage Migration Service, Windows Admin Center, data/app migration | Are you moving compute, storage, identity, or application dependencies? |
| Monitor and troubleshoot | Azure Monitor, Log Analytics, Azure Arc, event logs, performance counters | Is the problem resource health, OS behavior, network, identity, or application performance? |
Quick service-selection table
| Need | Likely tool or feature | Watch for this trap |
|---|---|---|
| Manage Windows Servers across on-premises, edge, and multicloud from Azure | Azure Arc-enabled servers | Arc enables management; it does not automatically migrate servers |
| Centralized monitoring and queries | Azure Monitor with Log Analytics | Diagnostic data must be collected before you can query it |
| Security recommendations and posture management | Microsoft Defender for Cloud | Recommendations depend on resource visibility, configuration, and plans enabled |
| Backup files, folders, system state, or VMs | Azure Backup | Backup is not the same as live disaster recovery failover |
| Replicate workloads for failover to Azure or another site | Azure Site Recovery | ASR is for recovery orchestration, not long-term backup retention |
| Migrate servers to Azure | Azure Migrate | Assessment, dependency analysis, and replication are separate phases |
| Migrate file servers and preserve shares/permissions | Storage Migration Service | Name cutover and identity/permission preservation are key details |
| Sync branch files with cloud tiering | Azure File Sync | It is not a replacement for a backup strategy |
| Local high availability for roles/VMs | Failover clustering | Cluster availability does not protect against all-site failure |
| Replicate volumes between servers or clusters | Storage Replica | Replication can copy corruption or deletion; still back up |
| Patch clustered workloads with reduced disruption | Cluster-Aware Updating | Nodes must drain and resume correctly |
| Manage servers through browser-based tooling | Windows Admin Center | WAC is a management tool, not a monitoring platform by itself |
Security review
Identity and administrative access
AZ-802 security questions often reward least privilege and controlled administration over broad local admin access.
| Concept | Know this | Candidate mistake |
|---|---|---|
| Least privilege | Grant only the rights needed for the task, preferably through roles or delegated administration | Giving Domain Admin for routine server management |
| Just Enough Administration | PowerShell constrained endpoints can expose only approved commands | Thinking JEA is the same as ordinary remote PowerShell |
| Privileged Access Workstations | Use hardened admin workstations for privileged operations | Administering domain controllers from general-purpose workstations |
| Local Administrator Password Solution | Manages unique local admin passwords | Reusing one local administrator password across many servers |
| Group Managed Service Accounts | Service accounts with automatic password management | Using normal user accounts for services and manually rotating passwords |
| Credential Guard | Helps protect credentials from theft on supported systems | Assuming it replaces all endpoint hardening |
| Windows Defender Firewall | Host-based traffic control | Disabling the firewall to “fix” connectivity instead of allowing required traffic |
| Secure remote access | Prefer secured management paths and audited administrative access | Exposing RDP broadly to the internet |
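
The Just Enough Administration row above, shown as an added example (not part of the original review): a role capability plus a session configuration that expose only two service-management cmdlets through a constrained endpoint. The module name `ServiceOpsJEA`, the endpoint name `ServiceOps`, the group `CONTOSO\ServiceOperators`, and the user `CONTOSO\alice` are assumptions.

```powershell
# Added example. Module name, endpoint name, AD group and user are assumptions.
# Run elevated on the server that will host the constrained endpoint.

# 1. Role capability files must live in a RoleCapabilities folder inside a
#    valid module on $env:PSModulePath.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceOpsJEA'
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $moduleRoot 'ServiceOpsJEA.psm1') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'ServiceOpsJEA.psd1') -RootModule 'ServiceOpsJEA.psm1'

# 2. Role capability: the only commands a connected operator can see.
#    Restart-Service is further limited to two named services.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'ServiceOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    )

# 3. Session configuration: restricted language, temporary virtual account
#    instead of the caller's own rights, and a transcript of every session.
$jeaDir        = Join-Path $env:ProgramData 'JEAConfiguration'
$transcriptDir = Join-Path $jeaDir 'Transcripts'
$pssc          = Join-Path $jeaDir 'ServiceOps.pssc'
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcriptDir `
    -RoleDefinitions @{
        'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' }
    }

# 4. Validate, then register the endpoint (-Force may restart WinRM).
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $pssc -Force

# 5. Review what a given user would be able to run before handing it over.
Get-PSSessionCapability -ConfigurationName 'ServiceOps' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType

# Operators then connect to the named endpoint rather than the default one:
#   Enter-PSSession -ComputerName SRV01 -ConfigurationName ServiceOps
```

Members of the operators group never need to be local administrators; the virtual account performs the restart on their behalf and the transcript directory records what they ran.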
Active Directory Domain Services hardening
For hybrid Windows Server environments, AD DS is often the most important security dependency.
High-yield reminders:
- Domain controllers should be patched, monitored, backed up, and isolated from general workloads.
- Do not install unnecessary server roles or applications on domain controllers.
- Use separate administrative accounts for privileged administration.
- Protect privileged groups such as Domain Admins, Enterprise Admins, and Schema Admins.
- Audit authentication failures, privilege use, account changes, and directory changes.
- Confirm time synchronization; Kerberos depends on time.
- Use secure DNS configuration because AD DS depends heavily on DNS.
- Use read-only domain controllers where appropriate for locations with lower physical security.
Common trap: a question describes a branch office with poor physical security and asks how to provide local authentication. A read-only domain controller may be better than placing a writable domain controller there.
Server hardening decision rules
| If the scenario says… | Think… |
|---|---|
| “Reduce attack surface” | Remove roles/features, close ports, apply baselines, enforce firewall rules |
| “Protect credentials on servers” | Credential Guard, LSASS protection, admin tiering, avoid interactive logons |
| “Delegate a narrow admin task” | JEA, RBAC where available, constrained PowerShell |
| “Secure local admin passwords” | LAPS-style local password management |
| “Protect data at rest” | BitLocker, EFS where suitable, storage encryption |
| “Protect SMB traffic” | SMB signing/encryption depending on confidentiality/integrity need |
| “Detect threats and get recommendations” | Defender for Cloud / Defender integrations |
| “Assess compliance against security baselines” | Security policy, baselines, Defender for Cloud recommendations |
Certificates and PKI
Know the difference between certificate problems and identity problems.
| Symptom | Likely area to check |
|---|---|
| TLS warning or service refuses secure connection | Certificate name, trust chain, expiration, EKU, private key |
| Smart card or certificate logon fails | Certificate template, mapping, revocation, domain trust, time |
| Enrollment fails | Template permissions, autoenrollment policy, CA availability |
| Revocation check fails | CRL/OCSP publication and reachability |
| Internal service works on LAN but not externally | Subject/SAN, trust chain, firewall, DNS, certificate binding |
Common trap: renewing a certificate does not automatically update every application binding. The service may still be using the old certificate.
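
A check for the stale-binding trap above, as an added example (not from the original review): it lists each HTTP.sys SSL binding, resolves the bound certificate, and flags bindings where a newer certificate with the same subject already sits in the store. It assumes English-language `netsh` output and certificates in `LocalMachine\My`; the function names are hypothetical.

```powershell
# Added example. Assumes English netsh output and the LocalMachine\My store.

function Get-HttpSysSslBinding {
    # Parses "netsh http show sslcert" into endpoint/thumbprint pairs.
    param([string[]]$NetshOutput = (netsh http show sslcert))

    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = [ordered]@{ Endpoint = $Matches[2]; Thumbprint = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $current.Thumbprint = $Matches[1].ToUpperInvariant()
            [pscustomobject]$current
            $current = $null
        }
    }
}

function Test-SslBindingFreshness {
    # Compares each binding with the certificates actually in the store.
    $store = Get-ChildItem -Path Cert:\LocalMachine\My
    $now   = Get-Date

    foreach ($binding in Get-HttpSysSslBinding) {
        $bound = $store |
            Where-Object { $_.Thumbprint -eq $binding.Thumbprint } |
            Select-Object -First 1

        if (-not $bound) {
            [pscustomobject]@{
                Endpoint        = $binding.Endpoint
                BoundThumbprint = $binding.Thumbprint
                Finding         = 'Bound certificate is not in LocalMachine\My'
            }
            continue
        }

        # A renewed certificate normally keeps the subject and has a later expiry.
        $newer = $store |
            Where-Object {
                $_.Subject -eq $bound.Subject -and
                $_.NotAfter -gt $bound.NotAfter -and
                $_.HasPrivateKey
            } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1

        $finding = if ($newer) {
            "Stale binding: newer certificate $($newer.Thumbprint) is not bound"
        } elseif ($bound.NotAfter -lt $now) {
            'Bound certificate has expired and no replacement was found'
        } elseif (-not $bound.HasPrivateKey) {
            'Bound certificate has no private key on this server'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Endpoint        = $binding.Endpoint
            BoundThumbprint = $bound.Thumbprint
            BoundNotAfter   = $bound.NotAfter
            Finding         = $finding
        }
    }
}

Test-SslBindingFreshness | Format-Table -AutoSize
```

Services that do not listen through HTTP.sys keep their certificate selection in their own configuration, so this check does not cover them.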
Hybrid management with Azure Arc and Windows Admin Center
Azure Arc-enabled servers
Azure Arc is central to hybrid operations. It lets you project non-Azure Windows Servers into Azure for management.
| Capability | What it enables |
|---|---|
| Inventory and governance | See hybrid servers as Azure resources |
| Policy and compliance | Apply Azure Policy where supported |
| Monitoring integration | Send logs and metrics to Azure Monitor / Log Analytics |
| Security posture | Surface recommendations through Microsoft security tooling |
| Extension management | Install supported agents/extensions from Azure |
Decision rule: choose Azure Arc when the server remains on-premises or outside Azure but needs Azure-based management, governance, monitoring, or security visibility.
Trap: Azure Arc does not automatically convert a server into an Azure VM and does not eliminate the need for network connectivity, permissions, or agents.
Windows Admin Center
Windows Admin Center is useful for managing Windows Server roles, failover clusters, Hyper-V, updates, certificates, storage, and Azure integrations.
| Use Windows Admin Center for… | Do not confuse it with… |
|---|---|
| Browser-based server administration | A replacement for all enterprise monitoring |
| Managing Hyper-V and clusters | Azure Site Recovery orchestration by itself |
| Azure hybrid service onboarding | The Azure control plane itself |
| Certificate, event, service, and role management | A substitute for security governance |
Exam clue: if the question asks for a practical management tool for on-premises Windows Server with optional Azure integrations, Windows Admin Center is often relevant.
High availability review
Failover clustering essentials
A failover cluster provides high availability for supported workloads by moving clustered roles between nodes.
Know these concepts:
| Concept | Meaning |
|---|---|
| Node | Server participating in the cluster |
| Clustered role | Workload managed by the cluster |
| Quorum | Voting mechanism that determines whether the cluster can continue running |
| Witness | Tie-breaker resource such as disk, file share, or cloud witness |
| CSV | Cluster Shared Volumes for shared access to storage by cluster nodes |
| Drain roles | Move workloads off a node before maintenance |
| Cluster-Aware Updating | Coordinates patching of cluster nodes while maintaining availability |
Quorum and witness logic
Avoid memorizing only one witness type. Understand the scenario.
| Witness type | Common fit |
|---|---|
| Cloud witness | Hybrid or multi-site environments with Azure connectivity |
| File share witness | Simple witness option when a reliable file share is available |
| Disk witness | Traditional shared-storage cluster scenarios |
| No witness | Certain configurations where node votes alone are appropriate |
Trap: a witness does not host the workload. It helps the cluster make quorum decisions.
High availability versus disaster recovery
| Requirement | Better fit |
|---|---|
| Survive a single host failure in the same datacenter | Failover clustering |
| Maintain app availability during node maintenance | Cluster-Aware Updating and role draining |
| Replicate a VM to another host/site for recovery | Hyper-V Replica or Azure Site Recovery, depending on scenario |
| Recover an entire site in Azure | Azure Site Recovery |
| Restore accidentally deleted or corrupted data | Backup |
| Keep two storage copies synchronized | Storage Replica |
Common mistake: choosing failover clustering for site disaster recovery without considering shared dependencies. A cluster may still fail if the entire site, network, storage, or identity dependency is unavailable.
Storage Spaces Direct and Storage Replica
| Feature | Primary purpose | Key exam angle |
|---|---|---|
| Storage Spaces Direct | Software-defined storage using local drives in clustered servers | High availability and scalable storage inside a cluster |
| Storage Replica | Block-level volume replication between servers or clusters | Disaster recovery or stretch-cluster storage replication |
| DFS Replication | File-level replication for certain file data scenarios | Not ideal for open files, databases, or low-RPO block replication |
Trap: Storage Replica is not a backup. If malware encrypts replicated data, the encrypted data may replicate too.
Backup and disaster recovery review
Azure Backup
Azure Backup is for protected recovery points and restore operations.
| Backup target | Typical approach |
|---|---|
| Azure VMs | Azure VM backup |
| On-premises files/folders/system state | Microsoft Azure Recovery Services agent or related backup architecture |
| Workloads at scale | Azure Backup with appropriate agents, vaults, and policies |
| System state recovery | Use supported backup method for Windows Server system state |
Know the workflow:
- Create or use a Recovery Services vault.
- Configure backup policy.
- Register/protect the workload.
- Run initial backup.
- Monitor jobs and alerts.
- Test restore procedures.
Common traps:
- Backups must be restorable; a configured backup policy is not enough.
- System state backup is different from full application-aware workload protection.
- Backup helps with corruption, deletion, ransomware recovery, and point-in-time restore; replication alone may not.
Azure Site Recovery
Azure Site Recovery focuses on workload replication and orchestrated failover.
| Requirement | ASR relevance |
|---|---|
| Replicate VMs to Azure | Strong fit |
| Test disaster recovery without disrupting production | Strong fit when test failover is supported/configured |
| Create recovery plans with ordered failover | Strong fit |
| Keep long-term historical restore points | Backup is usually the better concept |
| Protect individual files only | Backup or file-level solutions are usually better |
ASR decision clues:
- “Fail over workloads to Azure”
- “Orchestrate recovery”
- “Minimize downtime during site outage”
- “Run a test failover”
- “Replicate VMs”
Hyper-V Replica
Hyper-V Replica replicates VMs between Hyper-V hosts or clusters.
Use it when the scenario is specifically about Hyper-V-based replication and does not require broader Azure recovery orchestration.
Trap: Hyper-V Replica is not the same as failover clustering. Clustering handles high availability within the cluster; Replica handles VM replication for recovery.
Disaster recovery decision path
```mermaid
flowchart TD
    A[What is the protection goal?] --> B[Restore deleted/corrupt data]
    A --> C[Keep workload running after host failure]
    A --> D[Fail over to another site or Azure]
    A --> E[Replicate storage volumes]
    B --> F[Use backup and tested restores]
    C --> G[Use failover clustering / HA design]
    D --> H[Use Azure Site Recovery or Hyper-V Replica]
    E --> I[Use Storage Replica where appropriate]
```
Migration review
Azure Migrate
Azure Migrate is commonly used to assess and migrate servers to Azure.
| Phase | What to know |
|---|---|
| Discovery | Inventory servers and dependencies |
| Assessment | Evaluate readiness, sizing, cost, and compatibility |
| Replication | Prepare migration by copying workload data |
| Test migration | Validate before production cutover |
| Cutover | Finalize migration with planned downtime as required |
Common traps:
- Assessment and migration are not the same step.
- Dependency mapping matters for multi-tier applications.
- Sizing should reflect observed utilization, not just allocated resources.
- Network, identity, DNS, and firewall dependencies can break an otherwise successful server migration.
- Test migration reduces risk; it does not replace application validation.
Storage Migration Service
Storage Migration Service is high-yield for file server migrations.
| It helps migrate… | Important details |
|---|---|
| Shares | Share names and paths must be planned |
| Files and folders | Permissions and ownership matter |
| Server identity | Cutover can preserve client access patterns |
| Legacy file servers | Useful when moving from older Windows Server file servers |
Decision rule: if the scenario says “migrate file servers while preserving shares, permissions, and server identity,” think Storage Migration Service.
Trap: copying files manually may lose permissions, share configuration, timestamps, or client access continuity.
Azure File Sync
Azure File Sync synchronizes on-premises Windows Server file shares with Azure Files.
| Feature | Meaning |
|---|---|
| Cloud endpoint | Azure file share |
| Server endpoint | Path on a registered Windows Server |
| Sync group | Relationship between cloud and server endpoints |
| Cloud tiering | Keeps frequently used files local and tiers cooler data to Azure |
| Registered server | On-premises server participating in sync |
Common mistakes:
- Treating Azure File Sync as backup. It synchronizes changes, including unwanted changes.
- Forgetting that users may still access local file servers while data synchronizes with Azure Files.
- Ignoring bandwidth, initial sync time, and namespace design.
Migration choice table
| Scenario language | Best concept to consider |
|---|---|
| “Assess on-premises servers before moving to Azure” | Azure Migrate assessment |
| “Move VMs to Azure with minimal guesswork about sizing” | Azure Migrate with assessment data |
| “Migrate a file server and keep shares/permissions” | Storage Migration Service |
| “Keep branch file access local while centralizing in Azure” | Azure File Sync |
| “Replicate VMs for disaster recovery” | Azure Site Recovery, not a migration-only tool |
| “Move application with databases and dependencies” | Dependency mapping, app validation, staged migration |
Monitoring and troubleshooting review
Azure Monitor and Log Analytics
Azure Monitor collects and analyzes telemetry. Log Analytics is commonly used for querying collected logs.
| Need | Concept |
|---|---|
| Query logs across servers | Log Analytics workspace |
| Collect Windows events | Agent/data collection configuration |
| Alert on conditions | Azure Monitor alerts |
| Visualize trends | Workbooks, metrics, dashboards |
| Investigate security posture | Defender for Cloud plus logs/recommendations |
| Manage hybrid server visibility | Azure Arc plus monitoring configuration |
KQL basics to recognize:
| Pattern | Meaning |
|---|---|
| `where` | Filter rows |
| `summarize` | Aggregate results |
| `count` | Count records |
| `project` | Select columns |
| `order by` | Sort results |
| Time filters | Narrow results to a relevant investigation window |
Trap: Log Analytics only shows data that has been collected and sent. If a server is not connected, configured, or authorized, queries will not magically return its logs.
Windows Server troubleshooting checklist
Use this order when a scenario gives symptoms but not the cause:
- Scope — one user, one server, one subnet, one site, or all systems?
- Recent change — patch, GPO, certificate, DNS, firewall, route, storage, identity?
- Identity — authentication, authorization, Kerberos, SPN, time sync?
- Name resolution — DNS records, suffixes, conditional forwarders, stale records?
- Network path — firewall, routing, NSG if Azure, VPN/ExpressRoute, ports?
- Service health — service status, event logs, dependencies?
- Performance — CPU, memory, disk latency, queue length, network throughput?
- Storage — free space, permissions, locks, replication status?
- Cluster state — node status, quorum, role ownership, CSV health?
- Logs and metrics — correlate time of failure with events.
Common symptom-to-cause map
| Symptom | High-yield checks |
|---|---|
| Users cannot access file share | DNS, SMB port/firewall, share permissions, NTFS permissions, server service |
| Admin cannot connect remotely | WinRM/RDP enabled, firewall, local policy, credentials, network path |
| Kerberos authentication fails | Time sync, SPN, DNS, domain controller reachability |
| Cluster role will not fail over | Dependencies, storage, network name, quorum, node health |
| VM migration fails | CPU compatibility, network, storage, permissions, cluster configuration |
| Slow file access | Disk latency, network latency, SMB settings, antivirus scanning, tiering state |
| Backup job fails | Agent health, vault registration, credentials, storage, VSS writers |
| ASR replication unhealthy | Connectivity, agent/provider health, storage churn, credentials, replication policy |
| Azure Arc server offline | Agent service, outbound connectivity, proxy, identity, permissions |
| Certificate-based service fails | Expiration, trust chain, subject/SAN, private key, binding |
Networking and hybrid connectivity review
AZ-802 may embed networking details inside migration, backup, monitoring, and hybrid management scenarios.
| Area | Know this |
|---|---|
| DNS | AD DS, Kerberos, file access, and app connectivity depend heavily on correct name resolution |
| Firewall rules | Prefer specific allowed ports over disabling firewalls |
| VPN/ExpressRoute | Connectivity choice affects latency, routing, resilience, and private access |
| Private endpoints | Used to access supported Azure services privately where configured |
| Proxies | Hybrid agents often require outbound connectivity and proxy awareness |
| Time sync | Authentication and clustering can fail when time is inconsistent |
| Routing | Hybrid failures are often route table, gateway, or asymmetric routing issues |
Common trap: a server can appear “healthy” locally while Azure management fails because outbound connectivity, proxy configuration, or required identity permissions are missing.
Update and patch management
Patch questions often test service continuity, not just “install updates.”
| Environment | Review focus |
|---|---|
| Standalone servers | Maintenance windows, restart planning, rollback approach |
| Clusters | Drain roles, patch node, reboot, resume, repeat |
| Hybrid servers | Inventory, compliance visibility, Azure management integration |
| Security-sensitive systems | Prioritization, testing, emergency patch process |
| Domain controllers | Redundancy, replication health, staged patching |
Cluster patching rule: never think of a cluster as one server. Patch one node at a time, maintain quorum, drain workloads, and verify role health after each node.
Role-specific quick hits
File services
| Topic | Review point |
|---|---|
| NTFS vs share permissions | Effective access is constrained by both |
| Access-based enumeration | Hides folders users cannot access |
| FSRM | Quotas, file screens, classification/reporting |
| DFS Namespace | Logical namespace for shares |
| DFS Replication | File replication, not database replication |
| Azure File Sync | Hybrid file sync with Azure Files |
Trap: “User cannot access a share” may be a permissions issue, a name resolution issue, a firewall issue, or a server availability issue. Do not jump directly to NTFS permissions without reading the symptom.
Hyper-V
| Topic | Review point |
|---|---|
| Checkpoints | Useful for some rollback scenarios but not a backup replacement |
| Live migration | Moves running VMs between hosts when configured |
| Replica | Replicates VMs for recovery |
| Shielded VMs | Protect VMs from compromised fabric administrators in supported environments |
| Virtual switches | External, internal, private connectivity models |
| Integration services | Affect guest operations and management |
Trap: checkpoints can create operational risk if left unmanaged, especially on production workloads.
Containers and application workloads
If containers appear, focus on the operational distinction:
| Concept | Review point |
|---|---|
| Windows containers | Process-isolated or Hyper-V-isolated Windows workloads |
| Image | Packaged application filesystem and configuration |
| Registry | Stores container images |
| Host compatibility | Windows container compatibility depends on host and image requirements |
| Orchestration | May involve broader platform choices outside basic server administration |
Do not over-focus on developer details unless the scenario specifically asks about container hosting, isolation, or compatibility.
Exam-style decision rules
Use these fast rules during practice:
- If the problem is visibility/governance for non-Azure servers, consider Azure Arc.
- If the problem is server migration to Azure, consider Azure Migrate.
- If the problem is file server migration with permissions and shares, consider Storage Migration Service.
- If the problem is branch/local file caching with Azure Files, consider Azure File Sync.
- If the problem is point-in-time recovery, consider Azure Backup.
- If the problem is orchestrated failover, consider Azure Site Recovery.
- If the problem is local workload availability, consider failover clustering.
- If the problem is cluster patching, consider Cluster-Aware Updating.
- If the problem is block-level volume replication, consider Storage Replica.
- If the problem is narrow delegated administration, consider Just Enough Administration.
- If the problem is unique local admin passwords, consider LAPS-style management.
- If the problem is centralized logs and queries, consider Azure Monitor and Log Analytics.
Common AZ-802 traps
| Trap | Better thinking |
|---|---|
| Backup and replication are interchangeable | Backup restores previous points; replication supports failover or copy continuity |
| Azure Arc migrates servers | Arc manages and governs hybrid servers; migration is separate |
| Azure File Sync is backup | Sync can propagate deletions and corruption |
| Failover clustering protects against all disasters | It protects against certain local failures, not every site-wide dependency |
| Storage Replica removes the need for backup | Replication can replicate bad changes |
| Disabling firewalls is an acceptable fix | Create precise rules and verify required ports |
| Domain Admin is needed for routine tasks | Use delegation, JEA, and least privilege |
| A certificate renewal fixes all TLS issues | Bindings, trust chains, SANs, and private keys still matter |
| Monitoring starts after an incident | Telemetry must be collected before useful historical analysis |
| A successful migration means the app works | App dependencies, identity, DNS, and performance still require validation |
Final review checklist
Before moving into original practice questions, make sure you can explain:
- When to use Azure Backup versus Azure Site Recovery.
- When to use failover clustering versus Hyper-V Replica.
- How quorum and witnesses affect cluster availability.
- Why Storage Replica is not backup.
- How Azure Arc changes hybrid server management.
- How Azure Monitor, Log Analytics, and agents fit together.
- How Storage Migration Service differs from Azure File Sync.
- How Azure Migrate assessment differs from migration execution.
- How to troubleshoot DNS, Kerberos, firewall, and certificate issues.
- How to apply least privilege to Windows Server administration.
- How to patch clustered workloads safely.
- How to read scenario clues around downtime, RPO/RTO, identity, and connectivity.
Practice connection
Use this Quick Review as a map, then move immediately into IT Mastery practice:
- Start with topic drills for security, HA/DR, migration, and monitoring.
- Use original practice questions to force service-selection decisions.
- Review detailed explanations for every missed question, especially when two Microsoft services sound similar.
- Finish with mixed question bank sets so you practice reading full scenarios instead of recognizing isolated keywords.
A practical next step: choose one weak area from the checklist, complete a focused topic drill, and write down the decision rule that would have helped you answer each missed AZ-802 question correctly.