Search Pass4Sure

azure

Azure Resource Manager ARM Templates and Bicep for AZ-104 Candidates

How AZ-104 tests ARM templates and Bicep: deployment modes, parameters vs variables, what-if previews, and the patterns that decide pass vs fail.

·Published April 5, 2026 ·✓ Fact-checked
12 min read·2248 views
Azure Resource Manager ARM Templates and Bicep for AZ-104 Candidates

Do AZ-104 candidates need to memorize ARM template JSON syntax?

No. The AZ-104 exam expects candidates to read ARM template JSON and Bicep declarations, identify what resources they create, predict what will happen if a parameter changes, and choose between deployment modes. Memorizing every property name is not required, but understanding parameters, variables, resource dependencies, deployment scopes, and the difference between Incremental and Complete deployment modes is mandatory. Bicep, the modern Microsoft-preferred authoring language, gets increasing exam coverage in 2026.

Azure Resource Manager is the deployment and management layer that every other Azure service rides on top of. Every portal click, every az command, every Terraform plan, and every Bicep file ultimately produces an ARM template that the Resource Manager processes. AZ-104 candidates who skip ARM and Bicep often fail the exam's deployment scenarios — which appear in roughly fifteen to twenty percent of questions despite Infrastructure as Code not being its own listed domain.

This guide explains exactly what AZ-104 expects, how ARM templates and Bicep relate, and the exam-critical patterns that separate candidates who pass from those who do not.

What Azure Resource Manager Actually Is

Azure Resource Manager (ARM) -- the control plane service that processes every create, read, update, and delete request against Azure resources, regardless of whether the request originates from the portal, the az CLI, PowerShell, the REST API, or an SDK.

When you click "Create virtual machine" in the portal, the portal generates an ARM template behind the scenes and submits it to Resource Manager. Understanding this single fact answers half of the exam's deployment questions.

Resource provider -- a service that supplies Azure resources. Examples include Microsoft.Compute (virtual machines), Microsoft.Storage (storage accounts), and Microsoft.Network (virtual networks). Each resource provider exposes specific resource types and API versions that ARM templates reference.

The exam tests Resource Manager fundamentals through scenarios. A typical question describes a failing deployment and asks the candidate to identify which resource provider must be registered first, or whether the issue is a quota, a policy, or a syntax error.

"Bicep is not a replacement for ARM templates -- it is a domain-specific language that compiles to ARM JSON. Anything you can do in JSON, you can do in Bicep, but with eighty percent less code." -- John Savill, Microsoft Technical Trainer

ARM Template Anatomy You Must Recognize

A minimal ARM template has five top-level sections. AZ-104 expects candidates to identify each on sight.

Section Purpose Required
$schema Declares the template language version Yes
contentVersion Tracks template version Yes
parameters Inputs supplied at deployment No
variables Internal computed values No
resources The actual Azure resources to deploy Yes
outputs Values returned after deployment No

A template with no resources array deploys nothing -- the exam includes at least one trick question where the template is syntactically valid but functionally empty.

Parameters Versus Variables

This distinction trips up candidates who treat them interchangeably. They are not.

  • Parameters are values supplied at deployment time by the user, the parameter file, or a calling pipeline. They support default values, allowed values, and constraints like minLength and maxValue.

  • Variables are values computed inside the template from parameters and functions. They cannot be overridden at deployment time. A common pattern is a parameter environmentName driving a variable storageAccountName via the concat() function.

  • Outputs return values after deployment, often resource IDs or connection strings, that pipelines or nested templates consume.

The exam tests scenarios like: "An administrator wants the storage account name to depend on environment but be deterministic. Where should the logic live?" The answer is a variable computed from a parameter, not a parameter the user re-enters every time.

Deployment Modes: The Question Almost Everyone Gets Wrong

ARM templates deploy in one of two modes, and the difference is more important than candidates realize.

Incremental mode -- the default. ARM adds or updates resources defined in the template. Resources that exist in the resource group but are not in the template are left untouched.

Complete mode -- ARM adds or updates resources defined in the template, then deletes any resource in the resource group that is not in the template. This is destructive.

The exam scenario: a company runs a production database in a resource group. A developer deploys a template in Complete mode that does not include the database. What happens? The database is deleted. This question appears nearly verbatim on AZ-104 practice exams from Tutorials Dojo and MeasureUp.

Mark Russinovich, the CTO of Microsoft Azure, has emphasized in multiple Azure Friday segments that Complete mode exists for cleanup workflows in CI/CD pipelines, not for routine deployments. The exam aligns with that guidance.

Bicep: The Modern Path

Bicep is a domain-specific language Microsoft introduced in 2020 to replace hand-written ARM JSON. It compiles deterministically to ARM JSON -- there is no runtime, no agent, no extra service.

A virtual network declaration in JSON requires roughly thirty lines. The same declaration in Bicep is six. The 2026 AZ-104 exam includes Bicep snippets, especially in scenarios involving module composition.

Bicep Features That Appear on the Exam

  1. Symbolic references: in Bicep, you reference another resource by its symbolic name (storageAccount.id) rather than the verbose resourceId() function used in JSON.

  2. Modules: a module block lets you reuse a Bicep file as a building block. The exam tests when modules improve maintainability versus when they add unnecessary complexity.

  3. Decorators: @allowed, @secure, @minLength, and @description constrain parameters and document intent. Decorators replace the JSON parameters constraint properties.

  4. Loops: the for expression generates multiple resources from an array. Common AZ-104 scenarios involve creating five subnets from a parameter list.

  5. Conditional deployment: the if keyword on a resource declaration deploys it only when a condition is true.

The Microsoft-published book Azure Infrastructure as Code by Henry Been, Eduard Keilholz, and Erwin Staal is the most cited Bicep reference, and Microsoft Learn's "Fundamentals of Bicep" learning path is free and aligned with the exam.

Real-World Patterns AZ-104 Borrows From

Microsoft writes exam scenarios from real customer architectures. Two patterns dominate.

The ASOS pattern: ASOS, the UK fashion retailer, runs hundreds of microservices on Azure. Their public engineering posts describe Bicep modules for standardized environments -- a single webapp.bicep module deploys an App Service, a slot, an Application Insights resource, and a Key Vault reference. AZ-104 scenarios mirror this composition pattern.

The Heineken pattern: Heineken's global Azure footprint uses ARM templates with parameter files per environment (dev.parameters.json, prod.parameters.json). The exam tests this exact split -- one template, multiple parameter files, deployment to multiple subscriptions.

What the Exam Actually Asks

Five question types repeat across AZ-104 forms.

  1. Read-the-template: a JSON or Bicep snippet appears, and the candidate selects what gets deployed. Pay attention to dependsOn and the difference between explicit and implicit dependencies.

  2. Predict-the-failure: a deployment fails. The candidate selects the cause from a list. Common answers: resource provider not registered, name not globally unique, quota exceeded, policy denied.

  3. Choose-the-mode: pick Incremental or Complete given a scenario.

  4. Scope-the-deployment: ARM templates deploy at the resource group, subscription, management group, or tenant scope. The exam tests when each is appropriate. A subscription-scope deployment can create resource groups; a resource-group-scope deployment cannot.

  5. Bicep-versus-JSON: given a requirement, the candidate selects the more maintainable approach. Bicep is the correct answer in nearly every modern scenario.

A Hands-On Practice Sequence

The single most effective way to lock in this material is to build a template, break it, and debug it. The Azure free tier is sufficient.

  • Deploy a single storage account from a Bicep file using az deployment group create

  • Convert that Bicep to JSON using bicep build and inspect the output

  • Add a parameter, redeploy, and watch how Incremental mode handles the change

  • Try Complete mode on a test resource group and observe what gets removed

  • Build a module and call it from a parent template

  • Use what-if (az deployment group what-if) to preview changes before applying them

what-if is heavily tested. It shows what would happen if the deployment ran, without making changes. Candidates who skip it on practice deployments miss exam questions that ask which command previews changes safely.

The Authentication Gotcha

ARM templates can reference Key Vault secrets at deployment time. The exam tests one specific pattern: the parameter file uses a reference block pointing to a Key Vault, and the deploying identity must have Microsoft.KeyVault/vaults/deploy/action permission, not just standard Get on the secret. This has been a stable AZ-104 question for three exam refreshes.

Jeffrey Snover, the inventor of PowerShell and a Microsoft Technical Fellow, wrote that "deployment-time secret resolution is the cleanest pattern for production credentials -- but only when the calling identity is correctly scoped." AZ-104 tests exactly this nuance.

How This Topic Connects to the Rest of AZ-104

ARM and Bicep do not exist in isolation. The exam weaves deployment questions into every other domain.

  • Identity/governance: who can deploy what is an RBAC question

  • Storage: storage account properties (allowBlobPublicAccess, minimumTlsVersion) appear in template snippets

  • Compute: virtual machine extensions are nested resources inside the VM declaration

  • Networking: VNet peering and NSG rules deploy as ARM resources with specific parent-child relationships

  • Monitoring: diagnostic settings deploy as a separate resource type that references the parent resource by ID

Candidates who study ARM only as Infrastructure-as-Code miss that the exam uses ARM as the lens through which it tests every other topic.

Common Pitfalls That Cost Exam Points

Several recurring traps catch otherwise prepared candidates on deployment scenarios. Recognizing them on practice exams is the cheapest way to claim points.

The Resource Provider Registration Trap

Every Azure subscription must register a resource provider before resources of that type can be created. Most providers register automatically on first use, but a handful, including Microsoft.PolicyInsights, Microsoft.OperationsManagement, and Microsoft.Insights, require explicit registration. The exam scenario describes a deployment failing with MissingSubscriptionRegistration, and the candidate must select az provider register --namespace Microsoft.PolicyInsights as the fix. Memorize the exact error code -- it is the only signal the question gives you.

The DependsOn Versus Implicit Dependency Distinction

ARM resolves dependencies in two ways. Implicit dependencies form when one resource references another by symbolic name or resourceId() -- ARM detects the link and orders the deployment automatically. Explicit dependencies use dependsOn to force ordering when the link is not visible to ARM. The exam tests scenarios where a developer adds an unnecessary dependsOn that already resolves implicitly, or omits one where ARM cannot infer the link, such as ordering between two parallel resources that share a managed identity but do not reference each other.

The Idempotency Assumption

Idempotent deployment means running the same template twice produces the same result. ARM is idempotent for most resource types, but a handful of operations -- including extension installs, custom script invocations, and certain VM provisioning steps -- are not. AZ-104 includes a question where re-running a template causes a Custom Script Extension to execute its payload a second time, breaking the application. The defensive pattern is the forceUpdateTag property, which tells ARM to skip the extension if its inputs have not changed. Tutorials Dojo practice exams cover this scenario verbatim.

Bicep Modules in Production

Modules are the feature that justifies Bicep over JSON for any team larger than one person. A module file declares parameters, resources, and outputs the same way a top-level template does, and a parent template consumes it with a module block.

The Microsoft Cloud Adoption Framework publishes a module library called Azure Verified Modules (AVM). Each module encapsulates a resource type with Microsoft-recommended defaults: hardened storage accounts that disable public blob access, virtual networks with default DDoS protection alignment, and Key Vaults with purge protection enabled. AZ-104 candidates are expected to recognize that AVM exists and that its modules align with the security baselines tested in compute and storage scenarios.

A team that adopts AVM benefits in three ways. First, deployments inherit the same defaults across environments without each team rediscovering them. Second, security audits trace findings to the module rather than each consumer. Third, version pinning gives predictable behavior across hundreds of deployments per day. The Maersk engineering team, in a publicly cited Microsoft case study, runs over four hundred Bicep deployments daily across more than thirty subscriptions using a custom AVM-aligned module catalog.

Loops and Conditionals That Appear on Practice Exams

Two Bicep features dominate the loop-related questions. The for expression iterates over an array to create N copies of a resource. The exam scenario gives a parameter subnets containing four address prefixes and asks for the Bicep declaration that creates one subnet per entry. The answer uses [for subnet in subnets: { ... }] syntax. The second feature is conditional deployment with if. A scenario describes a template that should deploy a Bastion host only in the production environment, controlled by a boolean parameter. The Bicep declaration appends if (deployBastion) after the resource type. Candidates who confuse if with for lose both questions.

Putting It Together: A Realistic Exam Scenario

A representative AZ-104 question reads: a company maintains three environments -- development, test, and production -- in three subscriptions. Each environment must have an identical resource group containing a virtual network, four subnets, a storage account, and a Log Analytics workspace. The storage account name must be globally unique and deterministic from the environment name. Diagnostic settings on the storage account must forward to the Log Analytics workspace. The team uses a single Bicep template with three parameter files and deploys via Azure DevOps pipelines.

The question asks the candidate to identify which deployment scope the pipeline must use. The correct answer is subscription scope, because the resource group itself is part of the deployment. A resource-group scope deployment cannot create the resource group it deploys into. Candidates who default to resourceGroup scope without reading the resource list miss this question.

A follow-up question asks where the storage account name's uniqueness logic should live. Three answers are offered: a parameter the user supplies per environment, a variable computed from uniqueString(resourceGroup().id), or a hardcoded value. The correct answer is the variable -- deterministic, environment-aware, and free of human error. This pattern repeats across AZ-104 forms because it tests three concepts at once: parameter versus variable, the uniqueString() function, and the importance of deterministic naming.

See also: /certifications/azure/az-104-azure-administrator-domains-with-highest-question-density, /certifications/azure/microsoft-azure-certifications-roadmap-which-order-makes-sense, /exam-prep/study-techniques/spaced-repetition-for-cert-exams.

References

  1. Microsoft Learn. "Azure Resource Manager overview." Microsoft Corporation, 2025.
  2. Microsoft Learn. "Fundamentals of Bicep" learning path. Microsoft Corporation, 2025.
  3. Been, Henry; Keilholz, Eduard; Staal, Erwin. Azure Infrastructure as Code. Manning Publications, 2022.
  4. Microsoft Docs. "ARM template deployment modes." Microsoft Corporation, 2025.
  5. Russinovich, Mark. "Azure Friday: Bicep Deep Dive." Channel 9, Microsoft, 2024.
  6. Microsoft Docs. "Use Azure Key Vault to pass secure parameter value during Bicep deployment." Microsoft Corporation, 2025.
  7. Savill, John. Microsoft Azure Architect Technologies and Design Complete Study Guide. Sybex, 2024.

Tags

arm-templates az-104 azure bicep

Share this article

Continue Reading