What topics does the AZ-104 exam cover most heavily?
The AZ-104 exam weights Manage Azure identities and governance at 20-25%, Implement and manage storage at 15-20%, Deploy and manage Azure compute resources at 20-25%, Implement and manage virtual networking at 15-20%, and Monitor and maintain Azure resources at 10-15%. Identity management (Azure Active Directory / Entra ID), virtual machine configuration, and virtual network design are the highest-value areas for focused study.
The Microsoft Azure Administrator (AZ-104) certification validates skills for managing Azure cloud services. The exam covers five domain areas and is known for its breadth of content and the practical nature of its questions. Many AZ-104 questions present Azure portal scenarios and ask candidates to select the correct configuration, identify problems in existing setups, or choose the most appropriate Azure service for a given requirement.
This cheat sheet covers the high-frequency topics across all five AZ-104 domains in a condensed reference format for review in the final preparation stage.
Domain 1: Manage Azure Identities and Governance (20-25%)
Azure Active Directory / Entra ID Essentials
| Concept | Key Points |
|---|---|
| Azure AD (Entra ID) | Cloud-based identity service, not a domain controller |
| Azure AD Tenant | Dedicated instance of Entra ID per organization |
| Azure AD User | Identity with sign-in and management capabilities |
| Azure AD Group | Security group or Microsoft 365 group |
| Service Principal | Application identity for non-human authentication |
| Managed Identity | Azure-managed identity for Azure resources (no credentials) |
Types of managed identities:
- System-assigned: tied to one resource, deleted with the resource
- User-assigned: created as a standalone resource, can be assigned to multiple resources
Role-Based Access Control (RBAC)
Built-in roles (most commonly tested):
| Role | Scope | Permissions |
|---|---|---|
| Owner | Resource, RG, Subscription | Full access + assign access |
| Contributor | Resource, RG, Subscription | Full access, cannot assign access |
| Reader | Resource, RG, Subscription | View only |
| User Access Administrator | Resource, RG, Subscription | Manage access only |
RBAC assignment formula: Role + Security principal + Scope = Access assignment
Azure Policy vs. RBAC
- RBAC controls what actions users can take (manage permissions)
- Azure Policy controls what can be created/configured (enforce standards)
Both can be applied at subscription, resource group, or resource scope.
"A common AZ-104 question asks which tool to use to prevent users from creating VMs in expensive regions. The answer is Azure Policy, not RBAC. RBAC governs who can do things; Policy governs what can be done." -- AZ-104 preparation community guidance
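The RBAC/Policy split above, as an added example that is not part of the original cheat sheet: a small Python model of a VM create request that is first checked against role assignments (role + principal + scope, inherited downward) and then against a deny policy written in Azure Policy's `policyRule` shape. The principals, the `sub-demo` subscription, the resource groups and the allowed-region list are constructed assumptions, and only the `allOf`, `equals` and `notIn` conditions are modelled.

```python
# Rule in Azure Policy's policyRule shape; the allowed-region list is constructed.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "location", "notIn": ["eastus", "westeurope"]},
    ]},
    "then": {"effect": "deny"},
}
POLICY_SCOPE = "/subscriptions/sub-demo"  # hypothetical subscription

# Role + security principal + scope = access assignment (constructed sample data).
ASSIGNMENTS = [
    ("alice", "Owner", "/subscriptions/sub-demo"),
    ("bob", "Contributor", "/subscriptions/sub-demo/resourceGroups/rg-dev"),
    ("carol", "Reader", "/subscriptions/sub-demo"),
]
CAN_WRITE = {"Owner", "Contributor"}  # Reader and User Access Administrator cannot create resources

def in_scope(scope, resource_id):
    """An assignment at a scope is inherited by everything beneath it."""
    return resource_id == scope or resource_id.startswith(scope + "/")

def condition_true(cond, resource):
    """Evaluate the subset of policy conditions used above (allOf, equals, notIn)."""
    if "allOf" in cond:
        return all(condition_true(c, resource) for c in cond["allOf"])
    value = resource[cond["field"]].lower()
    if "equals" in cond:
        return value == cond["equals"].lower()
    if "notIn" in cond:
        return value not in [v.lower() for v in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")

def create_resource(principal, resource):
    """RBAC decides whether the principal may write here; Policy decides whether the configuration is allowed."""
    if not any(p == principal and role in CAN_WRITE and in_scope(scope, resource["id"])
               for p, role, scope in ASSIGNMENTS):
        return "denied by RBAC"
    if (in_scope(POLICY_SCOPE, resource["id"]) and POLICY_RULE["then"]["effect"] == "deny"
            and condition_true(POLICY_RULE["if"], resource)):
        return "denied by Policy"
    return "allowed"

def vm(rg, location):
    rid = f"/subscriptions/sub-demo/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/vm1"
    return {"id": rid, "type": "Microsoft.Compute/virtualMachines", "location": location}

if __name__ == "__main__":
    print(create_resource("alice", vm("rg-prod", "brazilsouth")))  # Owner, still blocked by Policy
```

An Owner at subscription scope is still stopped by the policy, while a Contributor scoped to `rg-dev` is stopped by RBAC as soon as the request targets another resource group.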
Domain 2: Implement and Manage Storage (15-20%)
Azure Storage Account Types
| Type | Use Case | Redundancy Options |
|---|---|---|
| General-purpose v2 | Standard blobs, files, queues, tables | LRS, ZRS, GRS, GZRS |
| Premium block blobs | High transaction workloads | LRS, ZRS |
| Premium file shares | NFS/SMB file shares | LRS, ZRS |
| Premium page blobs | OS and data disks | LRS only |
Redundancy Options
| Option | Description | Copies |
|---|---|---|
| LRS (Locally Redundant) | 3 copies in one datacenter | 3 |
| ZRS (Zone Redundant) | 3 copies across 3 availability zones | 3 |
| GRS (Geo-Redundant) | LRS + async copy to secondary region | 6 |
| GZRS (Geo-Zone Redundant) | ZRS + async copy to secondary region | 6 |
Blob Access Tiers
| Tier | Storage Cost | Access Cost | Minimum Storage |
|---|---|---|---|
| Hot | Highest | Lowest | None |
| Cool | Lower | Higher | 30 days |
| Cold | Lower still | Higher still | 90 days |
| Archive | Lowest | Highest + rehydration | 180 days |
Archive tier key point: Objects in Archive are offline. Rehydrating to Hot or Cool can take up to 15 hours (or 1 hour with priority rehydration).
Domain 3: Deploy and Manage Azure Compute (20-25%)
Virtual Machine Essentials
VM series quick reference:
| Series | Purpose |
|---|---|
| B-series | Burstable, variable workloads |
| D-series | General purpose, balanced compute/memory |
| E-series | Memory-optimized |
| F-series | Compute-optimized |
| M-series | Memory-heavy, large databases |
| N-series | GPU (graphics, ML, rendering) |
| H-series | High Performance Computing |
VM High Availability Options
| Option | SLA | What It Protects Against |
|---|---|---|
| Single VM with Premium SSD | 99.9% | No HA; single point of failure |
| Availability Set | 99.95% | Hardware failures in same rack |
| Availability Zones | 99.99% | Datacenter failure within region |
| Scale Set | 99.95% / 99.99% | Auto-scaling + HA |
App Service Plans
| Tier | Purpose | Features |
|---|---|---|
| Free/Shared | Development only | Shared infrastructure, no SLA |
| Basic | Small apps | Dedicated VMs, manual scale |
| Standard | Production apps | Auto-scale, 5 deployment slots |
| Premium | Enhanced performance | More scale, network integration |
| Isolated | Max isolation | Private environment (ASE) |
Domain 4: Implement and Manage Virtual Networking (15-20%)
VNet Key Concepts
- VNet (Virtual Network): Isolated network in Azure with private IP space
- Subnet: Subdivision of VNet address space
- NSG (Network Security Group): Stateful packet filter for subnets or NICs
- Application Security Group: Logical grouping for NSG rules
- Azure Firewall: Fully stateful managed firewall service
- VNet Peering: Low-latency connection between VNets (same or different regions)
NSG Rule Properties
Each NSG rule has:
- Priority (100-4096, lower number = higher priority)
- Source (IP, CIDR, service tag, ASG)
- Destination (IP, CIDR, service tag, ASG)
- Port range
- Protocol (TCP, UDP, ICMP, Any)
- Action (Allow or Deny)
Default NSG rules (always present, cannot be deleted):
- Allow inbound from VNet
- Allow inbound from Azure Load Balancer
- Deny all inbound
- Allow outbound to VNet
- Allow outbound to Internet
- Deny all outbound
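The rule processing described above, as an added example that is not part of the original cheat sheet: a small Python model of inbound NSG evaluation in which rules are checked in priority order and the first match decides. The default-rule names and priorities (65000, 65001, 65500) are Azure's; the address ranges, the simplified `TAGS` map and the sample rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: assumed VNet address space and a simplified stand-in for service tags.
TAGS = {"*": ["0.0.0.0/0"], "VirtualNetwork": ["10.0.0.0/16"],
        "AzureLoadBalancer": ["168.63.129.16/32"]}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules: 100-4096; lower number is evaluated first
    source: str     # CIDR prefix or a key of TAGS
    port: str       # "22", "8000-8100" or "*"
    protocol: str   # "TCP", "UDP", "ICMP" or "*"
    action: str     # "Allow" or "Deny"

# The three default inbound rules sit below every custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

def _matches(rule, src_ip, dst_port, protocol):
    prefixes = TAGS.get(rule.source, [rule.source])
    lo, _, hi = rule.port.partition("-")
    return (any(ip_address(src_ip) in ip_network(p) for p in prefixes)
            and (rule.port == "*" or int(lo) <= dst_port <= int(hi or lo))
            and rule.protocol in ("*", protocol))

def evaluate_inbound(custom_rules, src_ip, dst_port, protocol):
    """Return (action, rule name) of the first matching rule, lowest priority number first."""
    for rule in custom_rules:
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"{rule.name}: priority must be 100-4096")
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, src_ip, dst_port, protocol):
            return rule.action, rule.name

# Constructed scenario: the broad deny (200) outranks the admin allow (300).
RULES = [
    Rule("AllowSshFromAdmin", 300, "203.0.113.0/24", "22", "TCP", "Allow"),
    Rule("DenySshAll", 200, "*", "22", "TCP", "Deny"),
]

if __name__ == "__main__":
    for src, port in [("203.0.113.10", 22), ("10.0.1.4", 8080), ("198.51.100.7", 443)]:
        print(src, port, evaluate_inbound(RULES, src, port, "TCP"))
```

The admin range is denied SSH because `DenySshAll` has the lower priority number; giving the allow rule a number below 200 fixes it, which is the kind of misordering the exam's troubleshooting scenarios present.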
Load Balancer vs. Application Gateway
| Feature | Azure Load Balancer | Application Gateway |
|---|---|---|
| OSI Layer | Layer 4 (TCP/UDP) | Layer 7 (HTTP/HTTPS) |
| Routing basis | IP address and port | URL path, headers, cookies |
| SSL termination | No | Yes |
| WAF support | No | Yes (WAF tier) |
| Use case | VM pools, non-HTTP | Web applications |
Domain 5: Monitor and Maintain Azure Resources (10-15%)
Azure Monitor Components
| Component | Purpose |
|---|---|
| Azure Monitor | Central monitoring platform |
| Log Analytics | Query log data with KQL |
| Application Insights | Application performance monitoring |
| Azure Alerts | Notify based on metric thresholds |
| Azure Diagnostics | Collect diagnostic logs from resources |
| Activity Log | Subscription-level events (who did what) |
| Network Watcher | Network diagnostic tools |
Key KQL query structure:
```kusto
TableName
| where TimeGenerated > ago(24h)
| where Level == "Error"
| summarize count() by ResourceGroup
| order by count_ desc
```
"AZ-104 exam questions on monitoring frequently test whether you know the difference between Activity Log (subscription-level management operations) and Diagnostic Logs (resource-level operational data). They are different logs in different places." -- AZ-104 study community
Frequently Asked Questions
What Azure CLI commands are tested on AZ-104?
The AZ-104 exam tests understanding of Azure CLI and PowerShell concepts but does not require memorizing exact command syntax for most scenarios. Portal-based questions are more common. However, knowing the patterns `az vm create`, `az group create`, and `az network vnet create` and their key parameters helps with scenario questions that include CLI snippets.
How does AZ-104 differ from AZ-900?
AZ-900 tests conceptual awareness of Azure services. AZ-104 tests practical administrative skills and requires knowing how to configure, troubleshoot, and optimize Azure services. The difficulty difference is substantial. AZ-104 expects candidates to know specifics like RBAC role permissions, storage redundancy options, and NSG rule processing.
What is the passing score for AZ-104?
Microsoft sets the AZ-104 passing score at 700 out of 1000. Score reports show performance by domain, which is useful for identifying weak areas if you need to retake.
