What Azure Monitor concepts does AZ-104 actually test?
AZ-104 tests the structure of Azure Monitor (metrics versus logs versus alerts), the role of Log Analytics workspaces as the destination for diagnostic logs, KQL fundamentals, alert rules and action groups, workbooks and dashboards at a basic level, and the difference between platform metrics, custom metrics, and resource logs. The exam dedicates roughly ten to fifteen percent to monitoring -- smaller than identity or compute, but consistent across every form. Candidates who skip Monitor lose a domain that is comparatively easy to study.
Azure Monitor is the unified observability stack across compute, networking, storage, identity, and platform services. Every diagnostic log, every metric, every alert, and every dashboard ultimately routes through Monitor. AZ-104 dedicates a smaller share of the exam to monitoring than to identity or compute, but the questions are predictable and the content is among the easiest to study for points-per-hour.
This guide covers what the exam tests, the architecture that links the pieces, and the patterns that catch candidates who learned monitoring on a different platform.
The Azure Monitor Architecture
Azure Monitor -- the unified telemetry collection, storage, query, and action service for every Azure resource and many on-premises sources.
The architecture has three pillars.
Metrics -- numeric time-series data with high cardinality, sub-minute granularity, and short retention (default 93 days)
Logs -- text-based event data stored in Log Analytics workspaces, queried with KQL, with longer retention options
Distributed traces -- Application Insights captures end-to-end request traces
The exam tests the distinction between metrics and logs as a recurring theme. Metrics are fast and cheap; logs are flexible and expensive. A scenario asking for "real-time alerting on CPU utilization" answers metrics; a scenario asking for "alert when a specific Active Directory event signature appears" answers logs.
| Pillar | Source | Storage | Query | Latency |
|---|---|---|---|---|
| Metrics | Platform + custom | Time-series database | Metrics Explorer | Sub-minute |
| Logs | Diagnostic settings, agents | Log Analytics workspace | KQL | Minutes |
| Traces | Application Insights SDK | Log Analytics workspace | KQL | Minutes |
"Most monitoring failures are not data failures -- they are routing failures. Logs go where you tell them, and most teams tell them somewhere wrong." -- Charity Majors, CEO of Honeycomb and frequent Microsoft observability collaborator
Log Analytics Workspaces -- The Destination
A Log Analytics workspace is the storage and query container for log data. Every resource that produces logs sends them to one or more workspaces via diagnostic settings.
Workspace decisions tested on AZ-104:
Region: workspaces are regional resources. Cross-region log ingestion incurs egress cost.
Retention: default 30 days, configurable up to 730 days, with archive tiers beyond that
Pricing tier: Pay-as-you-go (per-GB), Commitment Tiers (discounted at volume), legacy Per-Node tier for older deployments
Workspace count: one per environment, one per business unit, one per resource group, or hub-and-spoke patterns
The exam scenario for workspace count: an organization runs production and non-production resources and must separate retention and access. The correct answer is two workspaces, with RBAC and retention configured separately. Candidates who default to "one workspace for everything" miss the question.
Diagnostic Settings -- The Routing Layer
Diagnostic settings -- per-resource configuration that routes platform logs and metrics to one or more destinations: a Log Analytics workspace, a storage account (for archive), an Event Hub (for streaming to third-party SIEM), or a partner solution.
A resource without a diagnostic setting produces no logs in Log Analytics. This single fact answers many "why don't I see logs" questions on the exam.
The exam tests:
Where to configure diagnostic settings (per resource, sometimes per category)
What destinations a single diagnostic setting can target (up to five)
Which log categories are available per resource type
The Azure Policy pattern for enforcing diagnostic settings tenant-wide
ASOS, the UK retailer, publicly described its monitoring architecture using a centralized Log Analytics workspace per region with Azure Policy enforcing diagnostic settings on every storage account, key vault, and SQL database. AZ-104 scenarios mirror this pattern.
KQL Basics for AZ-104
Kusto Query Language is the query language for Log Analytics. AZ-104 expects basic familiarity, not deep mastery.
Common patterns the exam expects candidates to recognize:
```kql
| where TimeGenerated > ago(1h)                   // time filter
| summarize count() by ResourceGroup              // aggregation
| project TimeGenerated, Computer, EventID        // column selection
| sort by TimeGenerated desc                      // ordering
| take 10                                         // limit results
```
A typical exam question presents a KQL query and asks what it returns. Candidates do not need to write KQL on the exam, but they must read it confidently.
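The following is an added example, not a query from the original guide, that strings the five operators above into one query of the kind the exam asks candidates to read. It assumes that Windows Security events are collected by the Azure Monitor agent into the SecurityEvent table of the workspace being queried; the table and column names are standard, the scenario is constructed.

```kql
// Added example (not from the original guide). Assumes Windows Security events
// are being collected into the SecurityEvent table of this workspace.
SecurityEvent
| where TimeGenerated > ago(1h)                                  // time filter: last hour only
| where EventID == 4625                                          // failed-logon event signature
| summarize FailedLogons = count(), LastSeen = max(TimeGenerated) by Computer, Account   // aggregation
| project Computer, Account, FailedLogons, LastSeen              // column selection
| sort by FailedLogons desc                                      // ordering: noisiest pair first
| take 10                                                        // limit results
```

Read top to bottom, it returns at most ten rows: the computer/account pairs with the most failed logons in the last hour, newest failure timestamp included. Adding `| where FailedLogons > 20` after the `summarize` turns it into the kind of signature a scheduled-query (log) alert evaluates, with the alert condition set to "number of results greater than 0".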
The Saved Query and Function Pattern
Frequently used queries can be saved to the workspace as saved queries or as functions (parameterized, callable like a custom command). The exam tests scenarios where a function is the right answer for reusable, parameterized logic that multiple alert rules call.
Alerts and Action Groups
Alert rules evaluate metric or log data on a schedule and trigger an action when conditions are met. Action groups are the reusable definition of what happens when an alert fires -- email, SMS, webhook, Logic App, ITSM connector, runbook.
The exam tests:
The difference between metric alerts (low latency, simple conditions) and log alerts (KQL-based, more flexible, slightly higher latency)
Activity log alerts for management-plane events like resource deletion
Smart groups that auto-correlate related alerts
Suppression rules and dynamic thresholds
A typical scenario describes an organization that wants to notify the on-call engineer if a virtual machine becomes unhealthy. The correct answer is a metric alert on VM availability with an action group containing the on-call email and SMS. Candidates who select a Logic App without an action group miss the architecture.
Dynamic Thresholds
Dynamic thresholds use machine learning to calculate normal behavior bands and alert on anomalies. They reduce noise on metrics with daily or weekly seasonality. The exam tests scenarios where dynamic thresholds are correct -- typically traffic, request count, or transaction volume metrics with predictable patterns.
The Heineken IoT brewery telemetry, publicly described in Microsoft case studies, uses dynamic thresholds on flow-meter metrics to detect equipment anomalies without alerting on normal shift patterns. AZ-104 alert questions follow this pattern.
Workbooks, Dashboards, and Visualizations
Workbooks are interactive, parameterized reports that combine queries, metrics, and visualizations. Dashboards are static collections of pinned tiles. The exam expects candidates to know when each is appropriate.
Dashboards: shared at-a-glance views, pinned to the portal, simple
Workbooks: parameterized analysis, drill-down, exportable
A scenario asking for "an executive view of monthly cost across resource groups" answers a dashboard. A scenario asking for "an interactive report letting an operator filter by region and time range" answers a workbook.
Insights -- Pre-Built Workbooks
Azure Monitor includes Insights -- pre-built workbooks for VMs, Containers, Storage, Networks, and other resource types. The exam tests their existence and the prerequisites: VM Insights requires the Azure Monitor agent and dependency agent on the target VM.
Alert Processing in 2026
Microsoft consolidated several alert and notification pipelines in 2024-2025. The 2026 AZ-104 reflects this consolidation.
Alert processing rules -- modern replacement for action rules; centralize suppression, filtering, and action overrides
Maintenance windows -- new construct that pauses alerting on resources during planned maintenance
Notification preferences -- per-user preferences in Microsoft Entra Communications API, replacing older email-list patterns
Candidates who studied with 2022 materials should specifically refresh alert processing rules and maintenance windows. The Microsoft Press AZ-104 Exam Ref by Harshul Patel covers each in the 2024 edition.
Common Patterns That Appear on the Exam
| Scenario | Correct Answer |
|---|---|
| Real-time alert on CPU > 90% | Metric alert with static threshold |
| Alert on specific Activity Log event | Activity log alert |
| Alert on log signature with KQL | Log alert (Scheduled Query) |
| Reduce alert noise on seasonal metric | Dynamic threshold |
| Centralize action definitions | Action group |
| Pause alerts during maintenance | Maintenance window |
| Archive logs cheaply for compliance | Diagnostic setting to Storage account |
| Forward logs to third-party SIEM | Diagnostic setting to Event Hub |
Memorizing this table of mappings covers most monitoring questions on AZ-104.
Real-World Patterns
The Microsoft IT enterprise: Microsoft's internal Azure footprint uses regional Log Analytics workspaces, centralized Azure Policy enforcement of diagnostic settings, and Microsoft Sentinel as the security-focused SIEM layer above Log Analytics. AZ-104 scenarios borrow from this published architecture.
The ASOS pattern: ASOS uses a hub workspace for shared services and per-environment workspaces for production and non-production. RBAC and retention differ per workspace. The exam tests this exact split.
Hands-On Practice Sequence
Each step takes under thirty minutes on the Azure free tier.
Create a Log Analytics workspace and set retention to 30 days
Deploy a virtual machine and install the Azure Monitor agent
Configure a diagnostic setting on a storage account routing to the workspace
Run a KQL query against AzureDiagnostics to confirm log ingestion
Create a metric alert on VM percentage CPU with an email action group
Create a log alert on a specific KQL signature with a webhook action
Build a workbook that shows VM CPU and memory side by side with parameter filters
Apply Azure Policy that enforces diagnostic settings on all storage accounts in a resource group
Each step maps to one or more exam objectives.
Cost-Awareness on the Exam
AZ-104 increasingly tests cost considerations across domains. For monitoring specifically:
Log Analytics ingestion is the largest cost, charged per GB
Metric storage is included in Azure Monitor at no cost up to 93 days
Long-term retention can use the Archive tier of Log Analytics at lower cost than active retention
Application Insights is now consolidated into Log Analytics workspaces (workspace-based Application Insights)
The exam scenario: a workload generates 100 GB of logs per day. The candidate must select the most cost-effective configuration. The correct answer typically combines Commitment Tier pricing, retention reduction on noisy categories, and Archive tier for long-term compliance retention. Candidates who default to "increase retention" without considering cost lose the question.
Mark Russinovich, Chief Technology Officer at Microsoft Azure, has written that "monitoring cost is the single most underestimated category in cloud budgeting" -- the exam reflects this concern.
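The following is an added example, not a query from the original guide, for the cost scenario above: before reducing retention on "noisy categories", an administrator needs to know which tables actually drive billable ingestion. The Usage table is a standard Log Analytics table that records ingested volume per data type in MB; the 30-day window and the ten-row limit are choices for this example.

```kql
// Added example (not from the original guide). Ranks tables by billable
// ingestion over the last 30 days so retention and transformation effort
// goes to the noisy categories first. Usage.Quantity is reported in MB.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true                                    // ignore free data types
| summarize IngestedGB = round(sum(Quantity) / 1000, 2) by DataType
| extend AvgGBPerDay = round(IngestedGB / 30, 2)              // compare against the 100 GB/day budget
| sort by IngestedGB desc
| take 10
```

The output is one row per table with total and average daily volume, so the top few rows are where a shorter interactive retention, an Archive-tier policy, or an ingestion-time transformation pays back fastest.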
Common Mistakes That Cost Points
Confusing platform metrics and platform logs: metrics are emitted automatically; logs require diagnostic settings. Many resources emit both, and the exam tests the distinction.
Forgetting workspace-resource RBAC modes: workspaces support workspace-context and resource-context access modes. Resource-context grants access based on the source resource's RBAC; workspace-context requires direct workspace permission.
Mixing Log Analytics agent and Azure Monitor agent: the legacy Log Analytics agent is being deprecated. The Azure Monitor agent is the modern replacement. The exam tests the migration scenario.
Treating Application Insights as separate: workspace-based Application Insights stores telemetry in a Log Analytics workspace and uses KQL. The exam tests their unified architecture.
The Microsoft Learn "Monitor Azure resources" learning path and the AZ-104 Exam Ref together cover every question pattern tested on the 2026 exam.
See also: /certifications/azure/az-104-azure-administrator-domains-with-highest-question-density, /certifications/azure/az-500-azure-security-engineer-hardest-azure-cert-explained, /resources/practice-question-banks/azure-az-104-practice-questions.
Workspace Design at Scale
When an organization grows beyond a few subscriptions, the question of how many workspaces becomes a design decision the exam tests directly.
Three patterns dominate enterprise deployments.
Centralized single workspace: every resource sends logs to one workspace. Simplest, easiest to query across the organization, but creates RBAC and retention conflicts in regulated industries.
Federated by environment: separate workspaces for production, non-production, and security operations. Common in mid-size organizations that need separation but not granular ownership.
Federated by business unit: each business unit owns a workspace. Maximum autonomy, hardest to query across the organization without cross-workspace queries.
Cross-workspace queries combine results from multiple workspaces in a single KQL query using the workspace() function or the union operator with workspace references. The exam tests the syntax indirectly by presenting a query and asking what it returns.
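The following is an added example, not a query from the original guide, showing the cross-workspace syntax described above. The workspace names "law-prod" and "law-nonprod" are assumed stand-ins for the two environment workspaces of the production/non-production split; the Heartbeat table is the standard agent-heartbeat table and exists in any workspace with agents attached.

```kql
// Added example (not from the original guide). Assumed workspace names
// "law-prod" and "law-nonprod"; isfuzzy=true lets the query run even if
// one of the referenced workspaces cannot be resolved.
union isfuzzy=true
    (workspace("law-prod").Heartbeat    | extend Environment = "prod"),
    (workspace("law-nonprod").Heartbeat | extend Environment = "nonprod")
| where TimeGenerated > ago(24h)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, ResourceGroup, Environment
| where LastHeartbeat < ago(15m)          // agents that have stopped reporting
| sort by LastHeartbeat asc
```

Read as an exam question, the query returns one row per machine in either workspace whose most recent heartbeat in the last 24 hours is older than 15 minutes, with an Environment column telling the reader which workspace the row came from. The caller needs read access to both workspaces; the federated-by-environment pattern keeps RBAC separate, so cross-workspace reads are an explicit grant rather than a side effect.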
Microsoft Press author Yuri Diogenes has written that "the workspace question is not a technology question -- it is an organizational question that the technology amplifies." The exam reflects this with scenarios where the organizational requirements drive the workspace count.
Sentinel Versus Plain Log Analytics
Microsoft Sentinel is Microsoft's cloud-native SIEM, built on top of Log Analytics. AZ-104 does not test Sentinel deeply, but the exam expects candidates to know that Sentinel adds analytics rules, threat hunting, automated playbooks, and threat intelligence on top of the Log Analytics workspace it sits on. AZ-500 tests Sentinel in detail; AZ-104 tests its existence and the workspace-coexistence pattern.
Data Collection Rules and the Modern Agent
The 2024 transition from Log Analytics agent to Azure Monitor agent (AMA) introduced Data Collection Rules (DCRs) -- declarative configurations that describe what to collect, how to transform it, and where to send it. The 2026 AZ-104 expects familiarity with DCRs.
A DCR contains:
Data sources -- performance counters, Windows event logs, Linux syslog, custom logs
Streams -- typed pipelines that the data flows through
Destinations -- one or more Log Analytics workspaces, plus optional transformation steps
Data flows -- the linkage between sources, streams, transformations, and destinations
The exam scenario for DCRs typically involves an organization that needs to collect Windows Security event logs from a thousand servers and route different event IDs to different workspaces. The correct answer uses a single DCR with multiple data flows, each filtering on event ID and routing to a separate destination. Candidates who default to "one DCR per server" miss the scaling pattern.
The DCR pattern also enables ingestion-time transformations -- KQL expressions that filter or reshape data before it lands in the workspace. This reduces ingestion cost on noisy log streams, which is a 2026 cost-optimization scenario.
"Ingestion-time transformations are the cheapest cost optimization in observability that nobody runs the day they enable diagnostic settings -- which is also the day they should." -- John Savill, Microsoft Technical Trainer
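The following is an added example, not a query from the original guide, of the ingestion-time transformation described above, written as the KQL expression a DCR carries in its transformKql property. In a transformation the input is always the virtual table named `source`; this example assumes the stream being transformed is the Windows event log stream whose columns match the Event table. The same shape with a different `where` clause in each data flow is how the event-ID routing in the thousand-server scenario above is expressed.

```kql
// Added example (not from the original guide). Input of a DCR transformation
// is the virtual table "source"; column names assume the Windows event log
// stream (Event table schema). Rows dropped here are never billed.
source
| where EventLog in ("System", "Application")
| where EventLevelName in ("Error", "Critical")          // drop Information/Warning rows before ingestion
| where not(EventID in (7036, 7040))                     // assumed noisy service-state IDs to exclude
| project-away ParameterXml, EventData                   // strip large columns that are rarely queried
```

Because the filter runs before the row lands in the workspace, the cost saving is on ingestion as well as retention; the trade-off is that anything filtered out is unavailable for later investigation, so security-relevant categories belong in a separate data flow with no filter rather than in this one.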
VM Insights Versus Container Insights
Two pre-configured monitoring solutions appear repeatedly on the exam.
VM Insights -- automatic performance and dependency monitoring for Windows and Linux VMs. Requires Azure Monitor agent and dependency agent.
Container Insights -- automatic monitoring for AKS clusters. Requires the Azure Monitor agent for containers.
The exam tests scenarios where each is the right answer. A scenario asking for "process-level dependency mapping" answers VM Insights; a scenario asking for "AKS pod-level CPU and memory" answers Container Insights.
The Microsoft Cloud Adoption Framework recommends enabling both at landing zone level for any production environment. AZ-104 borrows this guidance directly.
References
- Microsoft Learn. "Azure Monitor overview." Microsoft Corporation, 2025.
- Microsoft Docs. "Log Analytics workspace overview." Microsoft Corporation, 2025.
- Microsoft Docs. "Kusto Query Language reference." Microsoft Corporation, 2025.
- Patel, Harshul. Exam Ref AZ-104 Microsoft Azure Administrator. Microsoft Press, 2024.
- Microsoft Docs. "Diagnostic settings in Azure Monitor." Microsoft Corporation, 2025.
- Majors, Charity. Observability Engineering. O'Reilly Media, 2022.
- Microsoft Docs. "Azure Monitor agent overview." Microsoft Corporation, 2025.
