You've Got This 💛
This guide is built for how your brain actually works — short chunks, clear patterns, real-world comparisons, no jargon walls. Verified against Microsoft's official AZ-104 exam objectives (April 2025).
- Cloud-only: Lives only in Azure. You create/manage everything here.
- Synced: Copied from on-prem Active Directory by Microsoft Entra Connect. Managed on-prem; Entra ID holds the copy.
- Guest (B2B): External person invited by email. Type = "Guest". Has limited access by default.
- Security Group: Controls access to Azure resources (most common)
- Microsoft 365 Group: For collaboration — Teams, email, SharePoint
- Assigned: You pick who's in it manually
- Dynamic User: Auto-joins users by rule (e.g., department = "IT")
- Dynamic Device: Same, but for devices
- Free: Basic users/groups, SSO, security defaults
- P1: Dynamic groups, SSPR with on-prem writeback, Conditional Access, self-service group management
- P2: Everything in P1 + Privileged Identity Management (PIM), Identity Protection, access reviews
- Dynamic groups need P1 or P2 — won't work on Free tier.
- Dynamic membership is NOT instant — can take minutes to hours to update.
- Synced users: name and most attributes are mastered on-prem (AD is the source of authority). Edit them in AD and let Entra Connect sync them; the portal shows them read-only.
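Here is what a dynamic group looks like when you build it from the command line instead of the portal. This is an added example, not something from the original guide; it uses the Microsoft Graph PowerShell module and assumes a tenant with P1/P2 and an account holding Group.ReadWrite.All. The group name and rule are placeholders.

```powershell
# Added example (not from the study guide): create a dynamic security group with
# Microsoft Graph PowerShell and check that rule processing is actually switched on.
# Assumes: Microsoft.Graph module; caller holds Group.ReadWrite.All; tenant has P1/P2.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Same rule syntax the portal's rule builder produces.
$rule = '(user.department -eq "IT") and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "sg-it-dynamic" -MailNickname "sg-it-dynamic" `
    -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"   # "Paused" = rule is stored but never evaluated

# Membership is evaluated asynchronously; an empty list right after creation is normal.
Start-Sleep -Seconds 60
$members = Get-MgGroupMember -GroupId $group.Id -All
"{0} member(s) so far for rule: {1}" -f $members.Count, $rule

# A group that is still empty hours later usually has ProcessingState = Paused,
# or a rule that references an attribute no user actually has populated.
Get-MgGroup -GroupId $group.Id -Property "displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

On a Free tenant the `New-MgGroup` call itself fails, which is the quickest way to confirm the licensing point above.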
| What | How it works |
|---|---|
| Who can use it | Users with Entra ID P1/P2 or Microsoft 365 license |
| Admin accounts | Always need 2 auth methods — can't be reduced to 1 |
| Auth methods | Mobile app notification, mobile app code, email, mobile phone, office phone, security questions |
| On-prem writeback | Requires P1/P2 + Entra Connect + Password Writeback enabled in settings |
| Enable scope | None / Selected group / All users (you control the rollout) |
- Owner: Full access + can give access to others
- Contributor: Full access but CANNOT give access to others
- Reader: Can look, can't touch
- User Access Admin: Manages who gets access (role assignments), but can't create or change resources
Roles assigned at a higher scope flow DOWN: management group → subscription → resource group → resource.
- Additive: No deny assignments by default. More roles = more access.
- Max 4,000 role assignments per subscription
- Custom roles: Possible, but complex — start with built-in
- Deny assignments: Exist, but you can't create them yourself; they are created by Azure Blueprints, Azure managed applications and Deployment Stacks
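To see scope inheritance and the Contributor limitation with your own eyes, here is an added example (not from the guide) using the Az PowerShell modules. It assumes a resource group called rg-finance-prod containing at least one VM, a user alice@contoso.com, and that you hold Owner or User Access Administrator on the group; all of those are placeholders.

```powershell
# Added example (not from the study guide): assign Reader at resource-group scope, show the
# assignment showing up on a resource inside that group, and inspect what Contributor may NOT do.
# Assumes Az.Accounts + Az.Resources; placeholder names.
Connect-AzAccount
$rg        = "rg-finance-prod"
$principal = Get-AzADUser -UserPrincipalName "alice@contoso.com"

# Scope is a resource ID; everything beneath that ID inherits the assignment.
$rgScope = (Get-AzResourceGroup -Name $rg).ResourceId
New-AzRoleAssignment -ObjectId $principal.Id -RoleDefinitionName "Reader" -Scope $rgScope | Out-Null

# Ask about a VM in the group: the assignment is listed, with Scope = the resource group.
$vm = Get-AzResource -ResourceGroupName $rg -ResourceType "Microsoft.Compute/virtualMachines" |
      Select-Object -First 1
Get-AzRoleAssignment -ObjectId $principal.Id -Scope $vm.ResourceId |
    Select-Object RoleDefinitionName, Scope

# "Contributor cannot give access to others" is literally these NotActions:
# Microsoft.Authorization/*/Write and /Delete are carved out of the role.
(Get-AzRoleDefinition "Contributor").NotActions

# The ceiling is 4,000 assignments per subscription. Count what is visible at subscription
# scope (this includes ones inherited from management groups, so treat it as an upper bound).
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
"{0} assignments visible at subscription scope" -f (Get-AzRoleAssignment -Scope $subScope).Count
```

If you automate assignments (one per team per resource group, for example), that last line is the number to watch before you hit the limit.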
- Enforces rules — "thou shalt only create VMs in East US"
- Assigned to: Management Group, Subscription, or Resource Group
- Initiative: A group of policies (like a bundle)
- Effect options: Deny, Audit, Append, Modify, DeployIfNotExists, AuditIfNotExists, Disabled
- Name/value pairs on resources and resource groups, e.g. env=prod, team=finance
- Do NOT inherit: a resource group's tags are not passed down to the resources in it
- Max 50 tag name/value pairs per resource or resource group
- Use Policy to enforce required tags
- CanNotDelete: Can read + modify, but can't delete
- ReadOnly: Can read only, no changes at all. It blocks every POST/PUT/PATCH/DELETE, so things like listing storage account keys or starting a VM fail too
- Locks apply regardless of RBAC: even Owner can't delete a locked resource. Owner (or User Access Admin) can remove the lock first, because that needs Microsoft.Authorization/locks/*, which Contributor lacks
- Must remove the lock first, then delete
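The full lock lifecycle, as an added example that is not part of the original guide: a CanNotDelete lock on a storage account, a modify that still succeeds, a delete that is refused, and the remove-then-delete sequence. Uses Az.Resources and Az.Storage; the resource group and account names are placeholders, and you are assumed to hold Owner.

```powershell
# Added example (not from the study guide): CanNotDelete lock in action.
# Assumes Az.Resources + Az.Storage; placeholder names; caller holds Owner
# (lock management needs Microsoft.Authorization/locks/*, which Contributor does not have).
$rg   = "rg-finance-prod"
$name = "stfinanceprod001"
$type = "Microsoft.Storage/storageAccounts"

New-AzResourceLock -LockName "no-delete" -LockLevel CanNotDelete -LockNotes "Prod data, ask SecOps" `
    -ResourceGroupName $rg -ResourceName $name -ResourceType $type -Force | Out-Null

# Modify still works under CanNotDelete (this same call fails under ReadOnly).
Set-AzStorageAccount -ResourceGroupName $rg -Name $name -Tag @{ env = "prod" } | Out-Null

# Delete is refused no matter which RBAC role you hold.
try {
    Remove-AzStorageAccount -ResourceGroupName $rg -Name $name -Force -ErrorAction Stop
} catch {
    "Delete blocked: $($_.Exception.Message)"
}

# Locks are inherited too: a lock on the resource group or subscription also protects this
# account, so list what applies here before assuming there is only one to remove.
Get-AzResourceLock -ResourceGroupName $rg -ResourceName $name -ResourceType $type |
    Select-Object Name, @{n='Level';e={$_.Properties.level}}, @{n='Notes';e={$_.Properties.notes}}, ResourceId

# The only way through: remove the lock, then delete.
Remove-AzResourceLock -LockName "no-delete" -ResourceGroupName $rg -ResourceName $name -ResourceType $type -Force | Out-Null
Remove-AzStorageAccount -ResourceGroupName $rg -Name $name -Force
```

The note on the lock is worth the extra parameter: it tells the next admin who to call instead of just removing it.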
Tags don't inherit: a tag on a resource group does NOT automatically appear on resources inside it. To push it down, assign an Azure Policy with the Modify effect (the built-in "Inherit a tag from the resource group if missing" does exactly this) and run a remediation task for resources that already exist. This trips up a lot of people.
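One example covers both the Policy bullets above and the tag-inheritance caveat: a custom Deny policy for allowed locations and a custom Modify policy that copies the env tag down from the resource group, both assigned at resource-group scope. This is added code, not from the guide. It assumes Az.Resources 7 or later (the `.Id` property names), a resource group rg-finance-prod that itself carries an env tag, and placeholder names throughout.

```powershell
# Added example (not from the study guide): Deny (allowed locations) + Modify (inherit env tag).
# Assumes Az.Resources 7+; placeholder names; the RG already has an env tag.
$rg = Get-AzResourceGroup -Name "rg-finance-prod"

# 1. Deny: a resource whose location is not in the parameter list is rejected at deployment time.
$denyRule = @'
{
  "if": { "not": { "field": "location", "in": "[parameters('allowed')]" } },
  "then": { "effect": "deny" }
}
'@
$denyParams = @'
{ "allowed": { "type": "Array", "metadata": { "displayName": "Allowed locations" } } }
'@
$denyDef = New-AzPolicyDefinition -Name "only-allowed-locations" -Mode Indexed `
    -Policy $denyRule -Parameter $denyParams

# 2. Modify: on create/update, if the resource has no env tag and its RG does, copy it.
#    roleDefinitionIds = Contributor, which the assignment's managed identity needs to patch tags.
$modifyRule = @'
{
  "if": {
    "allOf": [
      { "field": "tags['env']", "exists": "false" },
      { "value": "[resourceGroup().tags['env']]", "notEquals": "" }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ],
      "operations": [
        { "operation": "addOrReplace", "field": "tags['env']", "value": "[resourceGroup().tags['env']]" }
      ]
    }
  }
}
'@
$modifyDef = New-AzPolicyDefinition -Name "inherit-env-tag" -Mode Indexed -Policy $modifyRule

# Assign the Deny with its parameter values.
New-AzPolicyAssignment -Name "locations" -Scope $rg.ResourceId -PolicyDefinition $denyDef `
    -PolicyParameterObject @{ allowed = @("eastus", "eastus2") } | Out-Null

# Assign the Modify with a system-assigned identity (-Location is where that identity lives),
# then give the identity Contributor on the scope so the policy engine can write the tag.
$assign = New-AzPolicyAssignment -Name "inherit-env" -Scope $rg.ResourceId -PolicyDefinition $modifyDef `
    -IdentityType SystemAssigned -Location "eastus"
New-AzRoleAssignment -ObjectId $assign.Identity.PrincipalId -RoleDefinitionName "Contributor" `
    -Scope $rg.ResourceId | Out-Null

# Modify only fires on create/update. Resources that already exist need a remediation task.
Start-AzPolicyRemediation -Name "fix-env-tag" -Scope $rg.ResourceId -PolicyAssignmentId $assign.Id | Out-Null

# Prove the Deny: a PUT into a disallowed region fails with RequestDisallowedByPolicy.
try {
    New-AzStorageAccount -ResourceGroupName $rg.ResourceGroupName -Name "stwestdenied001" `
        -Location "westus" -SkuName Standard_LRS -Kind StorageV2 -ErrorAction Stop
} catch {
    "Denied as expected: $($_.Exception.Message)"
}
```

Note the order of operations for Modify: definition, assignment with identity, role assignment for that identity, then remediation. Skip the role assignment and the policy evaluates fine but every remediation fails.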
| Feature | Management Groups | Azure Blueprints |
|---|---|---|
| Purpose | Organize subscriptions into a hierarchy so Policy and RBAC apply at scale | Package + deploy governance at scale (deprecated; Microsoft points to Template Specs and Deployment Stacks) |
| Contains | Subscriptions, other MGs | Policy assignments, role assignments, resource groups, ARM templates |
| Max depth | 6 levels below the root (root and subscriptions not counted) | N/A |
| Deny ability | No direct deny (assign a Deny-effect Policy at MG scope instead) | Yes: Blueprint deny assignments stick even against Owner |
Brain Break — Chapter 1 Done!
Identity & Governance is the highest-weighted chapter. If you've got RBAC, SSPR, Policy, Tags, and Locks down cold — you're ahead of most test-takers. Take 5 minutes, then hit Chapter 2.
| Redundancy | Copies | Scope | Read from secondary? |
|---|---|---|---|
| LRS | 3 | Single datacenter | No |
| ZRS | 3 | 3 zones same region | No |
| GRS | 6 | Primary + secondary region | No (need failover) |
| RA-GRS | 6 | Primary + secondary region | Yes — always |
| GZRS | 6 | 3 zones + secondary region | No |
| RA-GZRS | 6 | 3 zones + secondary region | Yes — always |
RA-GRS only lets you read from the secondary region without a failover. Regular GRS = you cannot read secondary until you trigger a failover. The "RA" prefix = "Read Access."
| Tier | Access freq. | Storage cost | Retrieval cost | Online? |
|---|---|---|---|---|
| Hot | Frequent | Highest | Lowest | Yes |
| Cool | Infrequent | Medium | Medium | Yes |
| Cold | Rare | Lower | Higher | Yes |
| Archive | Very rare | Lowest | Highest + wait | Offline (rehydrate) |
- Archive = offline. You cannot read it directly — must rehydrate first (up to 15 hours for standard priority).
- Early deletion fees: Cool = 30-day minimum, Cold = 90-day minimum, Archive = 180-day minimum
- Soft delete for containers is a separate setting from blob soft delete (commonly tested)
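Here is an added example (not from the guide) that turns the redundancy table, the Archive caveat and the two-soft-delete gotcha into something you can run: it creates an RA-GRS account, checks that the secondary read endpoint exists, enables blob and container soft delete as two separate settings, and archives then rehydrates a blob. Uses Az.Storage; the names, region and the local file nightly.bak are placeholders you supply.

```powershell
# Added example (not from the study guide): RA-GRS check, both soft-delete switches, Archive rehydration.
# Assumes Az.Storage; placeholder names; nightly.bak is any local file.
$rg   = "rg-storage-demo"
$name = "stdemoragrs001"   # 3-24 lowercase letters/digits, globally unique

$acct = New-AzStorageAccount -ResourceGroupName $rg -Name $name -Location "eastus" `
    -SkuName Standard_RAGRS -Kind StorageV2 -AccessTier Hot -AllowBlobPublicAccess $false

# SecondaryEndpoints is populated only for the RA-* redundancies; GRS/GZRS leave it empty
# until you fail over. Quickest check for "can I read from the secondary right now?".
$acct | Select-Object @{n='Sku';e={$_.Sku.Name}}, PrimaryLocation, SecondaryLocation,
                      @{n='SecondaryBlob';e={$_.SecondaryEndpoints.Blob}}

# Two independent switches. Blob soft delete keeps deleted/overwritten blobs and snapshots;
# container soft delete keeps deleted containers. Enabling one does nothing for the other.
Enable-AzStorageBlobDeleteRetentionPolicy      -ResourceGroupName $rg -StorageAccountName $name -RetentionDays 14 | Out-Null
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $name -RetentionDays 14 | Out-Null

# Verify both from the blob service properties (this is what an auditor will ask for).
Get-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $name |
    Select-Object @{n='BlobSoftDelete';e={$_.DeleteRetentionPolicy.Enabled}},
                  @{n='ContainerSoftDelete';e={$_.ContainerDeleteRetentionPolicy.Enabled}}

# Tiering: uploading straight into Archive takes the blob offline immediately.
$ctx = $acct.Context
New-AzStorageContainer -Name "backups" -Context $ctx | Out-Null
Set-AzStorageBlobContent -File ".\nightly.bak" -Container "backups" -Blob "nightly.bak" `
    -Context $ctx -StandardBlobTier Archive | Out-Null

# Rehydrate by setting the tier back. ArchiveStatus reports "RehydratePendingToHot" until the
# data is back online, which can take up to ~15 hours at standard priority.
$blob = Get-AzStorageBlob -Container "backups" -Blob "nightly.bak" -Context $ctx
$blob.BlobClient.SetAccessTier([Azure.Storage.Blobs.Models.AccessTier]::Hot) | Out-Null
(Get-AzStorageBlob -Container "backups" -Blob "nightly.bak" -Context $ctx).BlobProperties.ArchiveStatus
```

Keep the retention days in mind when you set them: the same number of days applies to every deleted blob in the account, and extending it later does not protect things already purged.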
- Fully managed SMB/NFS file shares in the cloud
- Mount on Windows, Linux, macOS
- Use: replace on-prem file servers
- Supports Azure File Sync to cache files on-prem
- Standard HDD: Dev/test, low-cost
- Standard SSD: Web servers, lightly loaded apps
- Premium SSD: Production workloads, databases
- Ultra Disk: SAP HANA, top-tier IOPS (data disks only, can't be the OS disk)
- Blob: Unstructured data (images, videos, backups)
- Queue: Message queuing between services
- Table: NoSQL key-value store
- Files: SMB/NFS file shares
Chapter 2 complete — Storage is done! 💾
| SLA Type | SLA | What it requires |
|---|---|---|
| Single VM (Premium SSD) | 99.9% | Premium storage on all disks |
| Availability Set | 99.95% | 2+ VMs, same datacenter, different fault/update domains |
| Availability Zones | 99.99% | 2+ VMs in different physical zones |
Availability Set = protects from hardware failure within a single datacenter (fault domains) and rolling updates (update domains). Availability Zone = protects from entire datacenter failure — physically separate buildings with independent power, cooling, and networking.
- Auto-scale out/in based on load (CPU, queue depth, custom metrics)
- All VMs run same image — great for stateless apps
- Supports Availability Zones for high availability
- Load Balancer or App Gateway distributes traffic
- Managed PaaS for web apps, APIs, mobile backends
- Free/Shared: Dev/test only, no SLA
- Basic: Dedicated compute, manual scale (up to 3 instances), custom domains + SSL, but no autoscale and no deployment slots
- Standard: Adds autoscale, deployment slots (5), daily backups, Traffic Manager integration
- Premium (v2/v3): Faster hardware, more instances and slots (20); Isolated: App Service Environment on your own VNet
- Staging environments within App Service
- Swap staging → production with zero downtime
- Requires Standard tier or above
- App settings can be "slot sticky" (don't swap with slot)
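The slot workflow end to end, as an added example that is not from the guide: create a staging slot, give each slot its own connection string, mark that setting slot-sticky so it stays put, then swap with preview. Uses Az.Websites on a Standard-or-higher plan; the app, group and connection strings are placeholders.

```powershell
# Added example (not from the study guide): staging slot, slot-sticky setting, swap with preview.
# Assumes Az.Websites; a Standard-or-higher plan; placeholder names and connection strings.
$rg  = "rg-web-prod"
$app = "webapp-contoso-prod"

# Slots need Standard or above; on Basic this call fails with a plan-tier error.
New-AzWebAppSlot -ResourceGroupName $rg -Name $app -Slot "staging" | Out-Null

# Settings per slot. Note: -AppSettings replaces the WHOLE collection, so pass every setting.
# DB_CONNECTION differs per environment and must NOT travel with a swap; FEATURE_X should.
Set-AzWebApp     -ResourceGroupName $rg -Name $app `
    -AppSettings @{ DB_CONNECTION = "Server=prod-sql;..."; FEATURE_X = "on" } | Out-Null
Set-AzWebAppSlot -ResourceGroupName $rg -Name $app -Slot "staging" `
    -AppSettings @{ DB_CONNECTION = "Server=stg-sql;..."; FEATURE_X = "on" } | Out-Null

# Mark DB_CONNECTION as a deployment-slot setting ("slot sticky"). Everything else swaps.
Set-AzWebAppSlotConfigName -ResourceGroupName $rg -Name $app -AppSettingNames @("DB_CONNECTION")

# Swap with preview: phase 1 applies production's swappable config to staging and restarts it,
# so you can smoke-test staging with real prod settings before anything faces users.
Switch-AzWebAppSlot -ResourceGroupName $rg -Name $app -SourceSlotName "staging" `
    -DestinationSlotName "production" -SwapWithPreviewAction ApplySlotConfig
# ... run your checks against https://$app-staging.azurewebsites.net here ...
# Phase 2 completes the swap (use ResetSlotSwap instead to back out).
Switch-AzWebAppSlot -ResourceGroupName $rg -Name $app -SourceSlotName "staging" `
    -DestinationSlotName "production" -SwapWithPreviewAction CompleteSlotSwap

# After the swap production still points at prod-sql and staging at stg-sql.
(Get-AzWebApp     -ResourceGroupName $rg -Name $app).SiteConfig.AppSettings |
    Where-Object Name -eq "DB_CONNECTION"
(Get-AzWebAppSlot -ResourceGroupName $rg -Name $app -Slot "staging").SiteConfig.AppSettings |
    Where-Object Name -eq "DB_CONNECTION"
```

The classic outage here is forgetting the slot-sticky step: the swap then points production at the staging database. The two `Get-` calls at the end are the check to run before you call the deployment done.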
- Run a single container, no infrastructure management
- Fastest way to run a container in Azure
- Good for: burst workloads, simple tasks, testing
- Billed per second — cost-effective for short runs
- Managed Kubernetes cluster
- Good for: complex microservices, production workloads
- Azure manages the control plane; it's free on the Free tier, while the Standard tier (adds a financially backed uptime SLA) charges per cluster per hour
- You pay for agent nodes (VMs)
- Private Docker registry in Azure
- Store and manage container images
- Integrates with ACI and AKS for deployments
- Geo-replication available on Premium SKU
| Feature | ARM Template (JSON) | Bicep |
|---|---|---|
| Language | JSON (verbose) | Cleaner DSL (transpiles to ARM) |
| Idempotent | Yes | Yes |
| Deployment modes | Incremental / Complete | Incremental / Complete |
| Complete mode risk | Deletes resources not in template | Same — deletes unlisted resources |
Complete mode deployment deletes resources NOT in the template. If you deploy a template in Complete mode and forget to include an existing resource, Azure deletes it. Incremental mode (the default) only adds/modifies — it does not delete existing resources.
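Before you ever run a Complete-mode deployment, preview it. This added example (not from the guide) shows the `-WhatIf` preview and a pipeline-style gate that aborts if any deletion is predicted. It uses Az.Resources, assumes a main.bicep in the working directory, and the resource group name is a placeholder.

```powershell
# Added example (not from the study guide): preview a Complete-mode deployment before running it.
# Assumes Az.Resources; .\main.bicep exists; placeholder resource group name.
$rg = "rg-app-prod"

# Incremental (the default): only creates/updates what the template declares; never deletes.
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile .\main.bicep -Mode Incremental

# Complete: anything in the group the template does not declare gets deleted.
# -WhatIf prints Create / Modify / Delete per resource and changes nothing.
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile .\main.bicep -Mode Complete -WhatIf

# Machine-readable version for a pipeline gate: refuse to proceed if any Delete is predicted.
$result  = Get-AzResourceGroupDeploymentWhatIfResult -ResourceGroupName $rg -TemplateFile .\main.bicep -Mode Complete
$deletes = @($result.Changes | Where-Object ChangeType -eq "Delete")
if ($deletes.Count -gt 0) {
    $deletes | ForEach-Object { "Would delete: $($_.RelativeResourceId)" }
    throw "Complete-mode deployment would remove $($deletes.Count) resource(s); aborting."
}

# Only reached when the preview showed no deletions.
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile .\main.bicep -Mode Complete
```

The gate is deliberately strict. If a deletion is intended, add the resource to the template as a conscious change rather than letting Complete mode remove it silently.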
Chapter 3 complete — Compute conquered! ⚙️
VNet peering is NOT transitive. A↔B + B↔C does NOT give A↔C. To connect A and C you need a direct peering, or route through a hub VNet using a Network Virtual Appliance (NVA) with IP forwarding enabled. This comes up constantly in scenario questions.
| Feature | VNet Peering | VPN Gateway |
|---|---|---|
| Latency | Very low (Microsoft backbone) | Higher (encrypted tunnel) |
| Cost | Per GB transferred | Hourly + per GB |
| Transitive | No | No (but gateway transit lets peered spokes share the hub's gateway) |
| Cross-region | Yes (Global Peering) | Yes |
| Connect on-prem | No | Yes |
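Hub-and-spoke peering done properly, as an added example that is not from the guide: both directions for each spoke, the flags that let the hub forward traffic on behalf of another spoke and share its gateway, a state check, and the user-defined route without which spoke A still cannot reach spoke C. Uses Az.Network; VNet names, the hub NVA address 10.0.1.4 and the subnet name are placeholders.

```powershell
# Added example (not from the study guide): hub-spoke peering both ways + state check + UDR.
# Assumes Az.Network; VNets already exist; placeholder names; 10.0.1.4 is the hub NVA's private IP.
$hub    = Get-AzVirtualNetwork -ResourceGroupName "rg-hub"    -Name "vnet-hub"
$spokeA = Get-AzVirtualNetwork -ResourceGroupName "rg-spokes" -Name "vnet-spoke-a"
$spokeC = Get-AzVirtualNetwork -ResourceGroupName "rg-spokes" -Name "vnet-spoke-c"

foreach ($spoke in @($spokeA, $spokeC)) {
    # Hub -> spoke. AllowForwardedTraffic accepts packets whose source is not the spoke itself,
    # which is exactly what the hub NVA sends when it forwards traffic from the other spoke.
    Add-AzVirtualNetworkPeering -Name "hub-to-$($spoke.Name)" -VirtualNetwork $hub `
        -RemoteVirtualNetworkId $spoke.Id -AllowForwardedTraffic -AllowGatewayTransit | Out-Null
    # Spoke -> hub. UseRemoteGateways requires the hub to actually have a VPN/ExpressRoute gateway;
    # drop that flag if it does not, or the call fails.
    Add-AzVirtualNetworkPeering -Name "$($spoke.Name)-to-hub" -VirtualNetwork $spoke `
        -RemoteVirtualNetworkId $hub.Id -AllowForwardedTraffic -UseRemoteGateways | Out-Null
}

# Both sides must read Connected. "Initiated" means the reverse peering is missing.
foreach ($vnet in @($hub, $spokeA, $spokeC)) {
    Get-AzVirtualNetworkPeering -ResourceGroupName $vnet.ResourceGroupName -VirtualNetworkName $vnet.Name |
        Select-Object @{n='VNet';e={$vnet.Name}}, Name, PeeringState,
                      AllowForwardedTraffic, AllowGatewayTransit, UseRemoteGateways
}

# Peering is not transitive: spoke A has no route to spoke C. Send C's prefix to the NVA.
$rt = New-AzRouteTable -ResourceGroupName "rg-spokes" -Name "rt-spoke-a" -Location $spokeA.Location
Add-AzRouteConfig -RouteTable $rt -Name "to-spoke-c" -AddressPrefix $spokeC.AddressSpace.AddressPrefixes[0] `
    -NextHopType VirtualAppliance -NextHopIpAddress "10.0.1.4" | Set-AzRouteTable | Out-Null

# Associate the route table with spoke A's app subnet (repeat mirrored on spoke C).
$snet = $spokeA.Subnets | Where-Object Name -eq "snet-app"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spokeA -Name $snet.Name -AddressPrefix $snet.AddressPrefix `
    -RouteTable $rt | Out-Null
$spokeA | Set-AzVirtualNetwork | Out-Null
```

Two things still have to be true for A to C traffic to flow: the NVA's NIC needs IP forwarding enabled, and the NVA's OS must actually forward packets. The peering flags alone only permit the traffic; they do not route it.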
- Priority: 100–4096, lower = higher priority
- Source/Dest: IP, CIDR, Service Tag, or ASG
- Port: Single port or range
- Protocol: TCP, UDP, ICMP, or Any
- Action: Allow or Deny
- Service tags you'll see on the exam:
- Internet: all public internet traffic
- VirtualNetwork: the VNet's address space, plus peered VNets and on-prem ranges reachable through a gateway
- AzureLoadBalancer: load balancer health-probe traffic
- Storage: Azure Storage endpoints (can be scoped per region, e.g. Storage.EastUS)
- Apply to: subnet OR NIC (or both)
- Subnet NSG and NIC NSG are evaluated separately, in this order: inbound = subnet first, then NIC; outbound = NIC first, then subnet
- Traffic must be allowed by BOTH when both are applied; a deny in either one drops it
- Each NSG stops at its first matching rule (lowest priority number wins), and your custom rules beat the 65000+ default rules
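The NSG bullets above as working code, added here and not from the guide: three inbound rules that use priority ordering, a service tag and an application security group, attached to a subnet, followed by the effective-rules check you run when "traffic isn't flowing". Uses Az.Network; the VNet vnet-prod, subnet snet-web, the NIC vm-web-01-nic (on a running VM) and the resource group are placeholders.

```powershell
# Added example (not from the study guide): NSG with priorities, a service tag and an ASG,
# then the effective security rules for a NIC (subnet NSG + NIC NSG combined).
# Assumes Az.Network; VNet/subnet/VM exist and the VM is running; placeholder names.
$rg  = "rg-net-prod"
$loc = "eastus"

# An ASG lets rules target "web servers" instead of IP lists; NICs join it later.
$asgWeb = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name "asg-web" -Location $loc

$rules = @(
    # Lower number wins. 100: HTTPS from anywhere to the web ASG only.
    New-AzNetworkSecurityRuleConfig -Name "allow-https-in" -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationApplicationSecurityGroupId $asgWeb.Id -DestinationPortRange 443
    # 200: keep Azure Load Balancer health probes working (a default rule allows this too, but
    # the deny below at 4000 would otherwise shadow that default).
    New-AzNetworkSecurityRuleConfig -Name "allow-lb-probe" -Priority 200 -Direction Inbound -Access Allow `
        -Protocol * -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
    # 4000: deny everything else inbound, including the default VirtualNetwork allow at 65000.
    New-AzNetworkSecurityRuleConfig -Name "deny-all-in" -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-web" -Location $loc -SecurityRules $rules

# Attach to the subnet (the VM's NIC may carry its own NSG as well).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-prod"
$snet = $vnet.Subnets | Where-Object Name -eq "snet-web"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $snet.Name -AddressPrefix $snet.AddressPrefix `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Put the web VM's NIC into the ASG so rule 100 applies to it.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "vm-web-01-nic"
$nic.IpConfigurations[0].ApplicationSecurityGroups = @($asgWeb)
$nic | Set-AzNetworkInterface | Out-Null

# The check: what the platform actually evaluates for this NIC. Both NSGs appear, default rules
# included, so a deny in either one is visible here instead of guessed at.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName $nic.Name |
    ForEach-Object { $_.EffectiveSecurityRules } |
    Select-Object Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Sort-Object Direction, Priority
```

Rule 200 is the one people forget. With an explicit deny-all below the default rules, load balancer probes start failing and the backend pool goes unhealthy even though "nothing changed" on the VM.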
| Feature | Azure Load Balancer | Application Gateway | Traffic Manager |
|---|---|---|---|
| Layer | Layer 4 (TCP/UDP) | Layer 7 (HTTP/S) | DNS-level (global) |
| SSL offload | No | Yes | No |
| URL routing | No | Yes | No |
| WAF | No | Yes (WAF SKU) | No |
| Basic SKU | Retiring | N/A | N/A |
| Standard SKU default | Closed (needs NSG rule) | N/A | N/A |
Standard Load Balancer is closed by default — you must explicitly add an NSG rule to allow traffic. Basic Load Balancer was open by default (but Basic Public IP is retiring September 2025). Exam questions about "why traffic isn't flowing" often involve this.
- Browser-based RDP/SSH — no public IP needed on VM
- Requires a subnet named exactly AzureBastionSubnet
- That subnet must be /26 or larger (older material says /27; Microsoft raised the minimum to /26)
- Eliminates need to expose VM ports to internet
- Service Endpoint: Traffic stays on Azure backbone BUT uses public IP of the service
- Private Endpoint: Gives the service a private IP in your VNet — fully private
- Private Endpoint = more secure, more complex, DNS changes required
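The "DNS changes required" part is where private endpoints go wrong, so here is the whole sequence as an added example that is not from the guide: the endpoint for a storage account's blob service, the private DNS zone and VNet link, the zone group that writes the A record, and only then disabling public access. Uses Az.Network, Az.PrivateDns and Az.Storage; account, VNet and subnet names are placeholders, and the final `Resolve-DnsName` is a Windows cmdlet meant to be run from a VM inside the VNet.

```powershell
# Added example (not from the study guide): private endpoint + private DNS for blob storage.
# Assumes Az.Network/Az.PrivateDns/Az.Storage; VNet and subnet exist; placeholder names.
$rg   = "rg-net-prod"
$loc  = "eastus"
$acct = Get-AzStorageAccount -ResourceGroupName "rg-storage-demo" -Name "stdemoragrs001"
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-prod"
$snet = $vnet.Subnets | Where-Object Name -eq "snet-app"

# 1. The endpoint: a NIC with a private IP in snet-app, wired to the account's blob sub-resource.
$conn = New-AzPrivateLinkServiceConnection -Name "pls-blob" -PrivateLinkServiceId $acct.Id -GroupId "blob"
$pe   = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-blob" -Location $loc `
    -Subnet $snet -PrivateLinkServiceConnection $conn

# 2. DNS. Without this, clients in the VNet still resolve <account>.blob.core.windows.net to the
#    public IP and bypass the endpoint entirely, which is the #1 "it's private but it isn't" bug.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name "privatelink.blob.core.windows.net"
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name -Name "link-vnet-prod" `
    -VirtualNetworkId $vnet.Id | Out-Null

# A DNS zone group makes the platform write (and keep updated) the A record for the endpoint.
$cfg = New-AzPrivateDnsZoneConfig -Name "blob-zone" -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name -Name "default" `
    -PrivateDnsZoneConfig $cfg | Out-Null

# 3. Now it is safe to close the public door.
Set-AzStorageAccount -ResourceGroupName "rg-storage-demo" -Name $acct.StorageAccountName `
    -PublicNetworkAccess Disabled | Out-Null

# Check from a VM in the VNet (Windows DnsClient cmdlet): the answer must be a private address.
Resolve-DnsName "$($acct.StorageAccountName).blob.core.windows.net" | Select-Object Name, IPAddress
```

Do step 3 last. Disabling public access before the DNS is in place takes every client offline, including the ones inside the VNet that are still resolving the public name.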
- Site-to-Site: On-prem network to Azure VNet (IPsec/IKE)
- Point-to-Site: Individual device to Azure VNet
- VNet-to-VNet: Two Azure VNets via VPN (vs peering)
- ExpressRoute: Private circuit, not over internet
Chapter 4 complete — Networking mastered! 🌐
- Central platform for all Azure metrics and logs
- Metrics: Numerical data, near-real-time (CPU%, disk IOPS)
- Logs: Text/events, queried with KQL
- Alerts trigger on metric thresholds or log query results
- Central store for log data from all sources
- Query with KQL (Kusto Query Language)
- VMs need the Azure Monitor Agent (the older Log Analytics agent was retired in August 2024)
- Diagnostic settings send resource logs here
- Who to notify + what to do when an alert fires
- Notify: Email, SMS, Push, Voice
- Automate: Azure Function, Logic App, Runbook, Webhook
- One action group can be used by many alert rules
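Diagnostic settings, an action group and an alert wired together, as an added example that is not from the guide. It routes a storage account's blob logs to a Log Analytics workspace, creates a reusable action group, attaches a CPU metric alert for a VM to it, and finishes with the KQL query the workspace can now answer. Uses Az.Monitor 5 or later (the `New-AzActionGroup` object style), Az.OperationalInsights and Az.Storage; workspace, account, VM and contact details are placeholders.

```powershell
# Added example (not from the study guide): diagnostic setting -> workspace, action group, metric alert, KQL.
# Assumes Az.Monitor 5+, Az.OperationalInsights, Az.Storage, Az.Compute; placeholder names.
$rg   = "rg-ops-prod"
$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name "law-prod"
$acct = Get-AzStorageAccount -ResourceGroupName "rg-storage-demo" -Name "stdemoragrs001"
$vm   = Get-AzVM -ResourceGroupName $rg -Name "vm-web-01"

# 1. Diagnostic setting on the blob service: read/write/delete logs + transaction metrics.
#    Resource logs are OFF by default; without this the workspace never sees who deleted a blob.
$blobSvc = "$($acct.Id)/blobServices/default"
$logs = "StorageRead", "StorageWrite", "StorageDelete" |
    ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $_ }
$met  = New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -Category "Transaction"
New-AzDiagnosticSetting -Name "to-law" -ResourceId $blobSvc -WorkspaceId $ws.ResourceId `
    -Log $logs -Metric $met | Out-Null

# 2. Action group: who to notify and what to run. Any number of alert rules can reuse it.
$email = New-AzActionGroupEmailReceiverObject   -Name "oncall-mail" -EmailAddress "oncall@contoso.com"
$hook  = New-AzActionGroupWebhookReceiverObject -Name "pager"       -ServiceUri "https://example.invalid/hook"
$ag    = New-AzActionGroup -ResourceGroupName $rg -Name "ag-oncall" -GroupShortName "oncall" `
    -Location "Global" -EmailReceiver $email -WebhookReceiver $hook

# 3. Metric alert: average CPU > 80% over a 5-minute window, evaluated every minute, severity 2.
$crit = New-AzMetricAlertRuleV2Criteria -MetricName "Percentage CPU" `
    -MetricNamespace "Microsoft.Compute/virtualMachines" -TimeAggregation Average `
    -Operator GreaterThan -Threshold 80
Add-AzMetricAlertRuleV2 -Name "vm-web-01-cpu-high" -ResourceGroupName $rg -TargetResourceId $vm.Id `
    -WindowSize (New-TimeSpan -Minutes 5) -Frequency (New-TimeSpan -Minutes 1) -Severity 2 `
    -Condition $crit -ActionGroupId $ag.Id | Out-Null

# 4. The forensic question the workspace can now answer (storage logs land in StorageBlobLogs).
$kql = @'
StorageBlobLogs
| where OperationName == "DeleteBlob"
| project TimeGenerated, CallerIpAddress, AuthenticationType, RequesterUpn, Uri, StatusCode
| top 20 by TimeGenerated desc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results
```

The query takes a few minutes after the setting is created to return anything; diagnostic settings only capture events from the point they are enabled, never retroactively.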
| Feature | Azure Backup | Azure Site Recovery |
|---|---|---|
| Purpose | Data protection / restore | Disaster recovery / failover |
| VM backup → vault | Recovery Services Vault | Recovery Services Vault |
| Blob backup → vault | Backup Vault | N/A |
| Soft delete | 14 days to recover | N/A |
| RTO | Minutes to hours | Minutes (replication is continuous, so failover is a switch, not a restore) |
VM backup → Recovery Services Vault. Blob backup → Backup Vault. These are two different vault types. The exam specifically tests that you know which workload uses which vault. Don't mix them up.
ALL CHAPTERS COMPLETE! You've covered everything on the AZ-104 exam! 🎉
Score to pass: 700 out of 1000. That's a scaled score, not a straight percentage, so think "solid on roughly 70% of the weighted material" rather than "exactly 30% wrong". You don't need to be perfect. You need to be solid on the high-weight topics (Identity/Gov 20-25%, Compute 20-25%). Read each question twice. Watch for the words "always", "never", "cannot", and "without". You've got this. 💛