intermediateAZ-1046-8 weeks prep9 min read

AZ-104: Azure Administrator — Study Guide

Complete study guide for the AZ-104 Azure Administrator Associate exam. Covers identities & governance, storage, compute, networking, and monitoring — with hands-on lab guidance.

azureaz-104azure-administratorintermediatemicrosoftidentitynetworkingstoragecomputemonitoring

Domains

Key concepts

Study time

6-8 weeks

Exam Overview

Detail	Info
Exam code	AZ-104
Duration	100 minutes
Questions	40–60 (multiple choice, case studies, labs)
Passing score	700 / 1000
Cost	~$165 USD
Validity	Renew annually (free online assessment)
Prerequisite	AZ-900 recommended but not required

Domain Weightings

Domain	Weight
Manage Azure Identities and Governance	20–25%
Implement and Manage Storage	15–20%
Deploy and Manage Azure Compute Resources	20–25%
Implement and Manage Virtual Networking	15–20%
Monitor and Maintain Azure Resources	10–15%

Domain 1: Identities and Governance (20–25%)

Microsoft Entra ID (formerly Azure AD)

Users — create, invite guests (B2B), bulk import, dynamic groups.
Groups — Security groups (access) and Microsoft 365 groups. Dynamic membership via attribute rules.
RBAC — assign built-in or custom roles at Management Group / Subscription / Resource Group / Resource scope.
Administrative Units — delegate admin to a subset of users (e.g., regional IT teams).

Key RBAC roles

Role	Permissions
Owner	Full access + manage access
Contributor	Full resource access, cannot grant access
Reader	Read only
User Access Administrator	Manage access, not resources

Custom roles — JSON definition with specific Actions, NotActions, DataActions. Assigned at subscription or resource group scope.

Governance

Management Groups — hierarchy above subscriptions; apply RBAC and Policy to many subscriptions at once.
Azure Policy — enforce rules (Deny, Audit, DeployIfNotExists, Modify). Initiatives group multiple policies.
Resource Locks — CanNotDelete or ReadOnly. Overrides all RBAC — even Owners cannot delete a locked resource.
Tags — key-value metadata for organisation and cost attribution. Max 50 tags per resource.

Managed Identities

System-assigned — tied to one resource; deleted with it.
User-assigned — standalone; can be assigned to multiple resources.
Use managed identities to authenticate to Azure services (Key Vault, Storage) without storing credentials.

Domain 2: Storage (15–20%)

Storage account types

Type	Use case
Standard general-purpose v2	Most scenarios; all storage services
Premium block blobs	High-throughput, low-latency blob workloads
Premium file shares	High-performance Azure Files
Premium page blobs	VHD storage for VMs

Blob storage tiers

Tier	Access frequency	Minimum duration
Hot	Frequent	None
Cool	Infrequent	30 days
Cold	Rare	90 days
Archive	Very rare	180 days

Key storage features to know

Lifecycle management — auto-tier blobs from Hot → Cool → Archive → delete.
Blob versioning — preserve previous versions; recover overwritten data.
Soft delete — retain deleted blobs for a configurable period.
Replication — LRS, ZRS, GRS, GZRS, RA-GRS, RA-GZRS.
Shared Access Signatures (SAS) — delegate limited, time-bound access to storage without sharing the account key.
Azure Files — SMB/NFS file shares; mount on Windows, Linux, macOS.
Azure File Sync — cache Azure Files on Windows Server on-premises.

Domain 3: Compute (20–25%)

Virtual Machines

VM sizes — General purpose (D-series), Compute optimised (F-series), Memory optimised (E-series), GPU (N-series).
Availability options — Availability Zones (99.99% SLA), Availability Sets (99.95% SLA), no HA option (99.9% SLA).
Scale Sets (VMSS) — auto-scale a group of identical VMs; up to 1000 instances.
Azure Spot VMs — discounted unused capacity; can be evicted; not for critical workloads.

VM management tasks (exam focus)

Add a data disk → attach in portal or CLI → partition + format in OS.
Resize a VM → stop (deallocate) first for most size changes.
Capture a custom image → generalise (sysprep/waagent) → create image.
VM extensions — configure via portal or ARM; e.g., CustomScriptExtension runs scripts post-deploy.

App Service

App Service Plan — defines the compute tier (Free, Shared, Basic, Standard, Premium, Isolated).
Scale up = bigger plan. Scale out = more instances.
Deployment slots — swap staging ↔ production with zero downtime.
Custom domains + TLS certificate management.

Containers

Azure Container Instances (ACI) — quickest way to run a container; no cluster needed.
Azure Kubernetes Service (AKS) — managed Kubernetes; Azure manages the control plane.
Azure Container Registry (ACR) — private Docker image registry.

ARM Templates / Bicep

ARM templates — JSON-based IaC; declare resources, parameters, variables, outputs.
Bicep — DSL that compiles to ARM; cleaner syntax; first-class Azure support.
Deploy via portal, CLI (az deployment group create), or pipelines.

Domain 4: Virtual Networking (15–20%)

Core networking concepts

VNet — isolated network (CIDR range, e.g., 10.0.0.0/16). Resources in same VNet communicate freely.
Subnet — divide VNet into segments (e.g., web: 10.0.1.0/24, db: 10.0.2.0/24). Azure reserves 5 IPs per subnet.
NSG — Layer 4 stateful firewall rules. Apply at subnet or NIC level.
Route tables — custom routes to override default Azure routing (e.g., force traffic through NVA).
VNet Peering — low-latency connection between VNets (same or different regions). Not transitive.
Service endpoints — route traffic to Azure services (Storage, SQL) over Azure backbone.
Private endpoints — inject an Azure service into your VNet with a private IP.

Connectivity options

Option	Use case
VPN Gateway	Site-to-site IPsec VPN to on-premises; point-to-site for remote users
ExpressRoute	Dedicated private connection to Azure; no internet
Azure Bastion	Secure RDP/SSH to VMs via browser; no public IP on VMs
Azure NAT Gateway	Outbound internet for private subnet VMs

Load balancing

Service	Layer	Use case
Azure Load Balancer	Layer 4	TCP/UDP; high throughput; internal or external
Application Gateway	Layer 7	HTTP/HTTPS; WAF; URL-based routing
Azure Front Door	Global Layer 7	CDN + WAF + global load balancing
Traffic Manager	DNS-based	Route to closest region; failover

Azure DNS

Host public DNS zones in Azure.
Private DNS zones — name resolution within VNets; link to VNet for auto-registration.

Domain 5: Monitor and Maintain (10–15%)

Azure Monitor

Metrics — platform metrics (auto), guest OS metrics (Azure Monitor Agent required).
Logs — send to Log Analytics workspace; query with KQL.
Alerts — metric alerts, log alerts, activity log alerts, action groups (email, SMS, webhook, runbook).
Workbooks — rich visualisation dashboards.
VM Insights — pre-built performance + dependency maps.

Log Analytics and KQL basics

// Heartbeat missed in last 5 min
Heartbeat | summarize LastHB = max(TimeGenerated) by Computer
| where LastHB < ago(5m)

// CPU > 90% for a VM
Perf | where ObjectName == "Processor" and CounterName == "% Processor Time"
| where CounterValue > 90 | project TimeGenerated, Computer, CounterValue

Azure Backup

Recovery Services Vault — holds backup data.
Backup policy — schedule + retention (daily/weekly/monthly/yearly).
Supports: Azure VMs, SQL in VMs, Azure Files, on-premises via MARS/MABS agent.
Soft delete — 14-day retention for deleted backup items (enabled by default).

Azure Site Recovery (ASR)

Replicates VMs to a secondary region for disaster recovery.
RPO typically < 30 seconds; RTO in minutes.
Test failover — validates DR without impacting production.
Recovery plans — orchestrate failover order + pre/post scripts.

Hands-on Lab Focus Areas

The AZ-104 exam has lab questions — practice these tasks:

Create a VNet, add subnets, create an NSG, apply rules
Deploy a VM, add a data disk, resize the VM
Configure VNet peering between two VNets
Create a storage account, upload blobs, configure a lifecycle policy
Set RBAC on a resource group; verify effective permissions
Apply an Azure Policy, verify compliance
Create a Log Analytics workspace, connect a VM, run a KQL query
Back up a VM; restore a file from backup

Study Plan (6–8 Weeks)

Week	Focus
1–2	Identity & Governance — Entra ID, RBAC, Policy, Management Groups
3	Storage — accounts, blob tiers, lifecycle, Azure Files
4	Compute — VMs, VMSS, App Service, containers
5	Networking — VNet, NSG, peering, VPN, load balancers
6	Monitoring — Azure Monitor, Log Analytics, Backup, ASR
7–8	Full practice exams + lab practice + weak area review

Key Resources

Resource	Notes
Microsoft Learn AZ-104	Free official learning path (highly detailed)
John Savill's AZ-104 Study Cram	Free YouTube — best pre-exam cram
Scott Duffy on Udemy	Popular paid video course
Tutorials Dojo	Best practice exam questions
Azure Free Account	12 months free services — essential for labs

Common Exam Traps

RBAC vs Policy — RBAC controls who can do something. Policy controls what resources can be created and in what state. You need both.
VNet peering is not transitive — A↔B and B↔C does not mean A can reach C. You must also peer A↔C.
NSG vs Azure Firewall — NSG is subnet/NIC level, port/IP rules. Azure Firewall is a managed Layer 7 firewall for full inspection.
Locks override RBAC — even the Owner cannot delete a resource with a CanNotDelete lock without first removing the lock.
Soft delete — deleting a VM backup doesn't immediately delete the data; 14-day retention prevents data loss.