Becoming an Azure Pro: Complete AZ-104 Study Manual

The AZ-104 certification serves as a pivotal milestone for professionals seeking validation in managing Microsoft Azure environments. Designed with a pragmatic approach, this exam focuses on administrative skills necessary for provisioning, managing, and monitoring Azure-based services.

Purpose and Relevance of the AZ-104 Exam

The Microsoft Certified: Azure Administrator Associate certification, achieved by passing the AZ-104 exam, validates an individual’s capacity to operate within the Azure ecosystem. It is not merely a theoretical assessment but a real-world benchmark for essential tasks such as identity management, governance, storage configuration, compute deployment, and virtual network operations. Employers often consider it a baseline qualification for cloud infrastructure roles.

Who Should Pursue AZ-104?

This certification is curated for system administrators, cloud specialists, and IT professionals transitioning from on-premises solutions to cloud-native architectures. Candidates should ideally have a minimum of six months of direct experience with Azure services, including familiarity with PowerShell, Command Line Interface (CLI), the Azure portal, and deployment via ARM templates.

Key Skills Evaluated in the AZ-104 Exam

The exam assesses candidates on a wide spectrum of Azure administrative domains. These include:

• Azure identity and governance management

• Configuration and maintenance of Azure storage

• Deployment and oversight of compute resources

• Virtual networking in an Azure environment

• Monitoring strategies and backup implementations

Each domain carries a weighted percentage, ensuring a holistic evaluation of an individual’s capabilities.

Role of Azure Administrators in Modern IT

Azure Administrators serve as the custodians of cloud-based resources, responsible for ensuring secure, efficient, and cost-effective deployments. They manage user identities, implement compliance policies, oversee scalable compute solutions, and maintain network connectivity. A certified administrator possesses the acumen to diagnose system issues, automate routine tasks, and reinforce security measures across virtual infrastructure.

Getting Familiar with the Exam Structure

The AZ-104 exam is composed of various question types such as multiple-choice, drag-and-drop, case studies, and active screen configurations. It tests both theoretical understanding and applied knowledge. Understanding the format and practicing with realistic simulations can drastically improve performance and confidence.

Azure Identity and Governance Management

The identity and governance section, which accounts for 15-20% of the exam, emphasizes the manipulation and oversight of Azure Active Directory (Azure AD). Tasks within this domain include creating and managing users and groups, configuring role-based access control (RBAC), implementing security policies, and auditing user activity.

Effective identity governance involves streamlining authentication, ensuring access is granted on a need-to-know basis, and managing guest user access through business-to-business (B2B) collaboration models. Administrators should also be adept at using tools like Azure AD Join and self-service password reset configurations.

Managing Azure Subscriptions and Resources

Azure’s resource management capabilities rely on hierarchies and policies. Candidates must be proficient in creating and organizing resource groups, assigning policies, and enforcing tagging strategies for efficient resource identification. Azure Policies allow administrators to define rules for compliance, whereas management groups help organize subscriptions hierarchically.

Understanding cost management and billing configurations is also paramount. This includes analyzing consumption patterns, setting up budgets, and using locks to prevent inadvertent deletion or modification of critical assets.

Implementing and Managing Storage Solutions

The storage component, which contributes to 10-15% of the exam, examines a candidate’s prowess in configuring storage accounts, implementing secure access strategies, and ensuring data resilience. Tasks include setting up firewalls for storage access, managing shared access signatures (SAS), and configuring Azure AD-based access to blobs and queues.

Azure provides redundancy through locally redundant storage (LRS), zone-redundant storage (ZRS), geo-redundant storage (GRS), and read-access geo-redundant storage (RA-GRS). Candidates must understand these replication options to architect for durability and availability.

Storage Data Management Tools

Professionals should be conversant with data import/export procedures and tools like Azure Storage Explorer and AzCopy. These utilities facilitate large-scale data migrations and day-to-day storage operations. Furthermore, mastery of blob lifecycle management and tiering strategies—such as hot, cool, and archive storage tiers—is essential for cost optimization.

Deploying and Managing Compute Resources

Comprising 25-30% of the exam, this domain delves into provisioning virtual machines (VMs), setting up high availability, and automating deployments. Candidates must demonstrate the ability to use scale sets, manage availability zones, and implement custom script extensions for configuration management.

Knowledge of disk types (Standard HDD, Standard SSD, Premium SSD), encryption practices, and backup configurations contributes to robust virtual machine management. Automation via ARM templates and scripting ensures repeatability and reduces deployment errors.

Container Services and App Hosting

Beyond VMs, candidates are expected to understand how to deploy and manage containerized workloads using Azure Kubernetes Service (AKS) and Azure Container Instances (ACI). They should also be skilled in creating and scaling web applications through Azure App Services and managing App Service Plans.

Understanding how to configure health checks, custom domains, and deployment slots for zero-downtime deployments is crucial. These capabilities offer scalability and flexibility for modern application architectures.

Mastery of Virtual Networking

Virtual networking, accounting for 30-35% of the exam, is a critical area. Candidates should understand how to create and configure virtual networks (VNets), implement subnets, assign static and dynamic IPs, and route traffic effectively.

Tasks also involve setting up network security groups (NSGs), configuring application gateways, implementing load balancers, and integrating on-premises networks through VPN gateways and ExpressRoute. Understanding private endpoints and service endpoints is essential for securing communications.

Network Monitoring and Performance Management

Azure Network Watcher and Network Performance Monitor are indispensable tools for diagnosing latency, packet loss, and connectivity issues. Candidates should also know how to use diagnostic logs, NSG flow logs, and metrics to identify and resolve anomalies.

Incorporating these monitoring practices ensures optimal performance and helps preempt potential system disruptions. Coupled with a solid understanding of hybrid connectivity options, these skills elevate the operational capabilities of Azure administrators.

Preparing Effectively for AZ-104

An effective preparation plan involves a combination of practical labs, simulated assessments, and conceptual studies. Immersing oneself in the Azure portal, scripting daily tasks, and creating infrastructure from scratch can significantly reinforce understanding.

Candidates should frequently assess their progress with practice tests that mirror the real exam. Keeping abreast of updates within Azure, as the platform evolves rapidly, also contributes to exam readiness and long-term success.

Mastering the AZ-104 Microsoft Azure Administrator Certification requires a comprehensive grasp of cloud administration principles. It is not a rote memorization exercise but an opportunity to internalize practical skills that reflect real-world responsibilities. Whether for career advancement or organizational growth, this certification serves as a formidable asset in the cloud computing landscape.

Configure Virtual Machines for High Availability and Scalability

Ensuring your virtual machines are resilient and adaptable is essential. High availability in Azure involves distributing VMs across availability sets or zones to reduce downtime during maintenance or unexpected failures. Scalability, on the other hand, is about adjusting resources to meet workload demands dynamically.

Azure supports VM Scale Sets which allow you to deploy and manage identical VMs. These can scale out automatically based on metrics like CPU usage. Understanding fault domains and updating domains within availability sets helps in planning for resiliency.

Deploy and Configure Scale Sets

Azure VM Scale Sets are instrumental in deploying large numbers of identical virtual machines. They allow for centralized management and load balancing. Configuration typically includes defining instance count, OS type, image, VM size, and auto-scaling policies.

Load balancing is often paired with scale sets to distribute traffic effectively. Application Gateway or Azure Load Balancer are common tools for achieving this. Make sure to configure health probes to ensure traffic is routed only to healthy instances.

Automate Deployment and Configuration of VMs

Automation is crucial in reducing manual errors and increasing deployment speed. ARM templates offer declarative syntax to define and deploy infrastructure. These templates are JSON files that specify resources and configurations.

To deploy an ARM template, use Azure CLI or PowerShell. Templates can also be stored in repositories for version control and reuse. For configuration, custom script extensions can execute scripts post-deployment, enabling tasks like software installation or configuration tweaks.

Modify ARM Templates

ARM templates are powerful for infrastructure as code. Modifying them involves updating parameters, variables, and resource definitions. Ensure you validate the template using tools like az deployment validate before deploying.

You can define conditional logic, use linked templates for modularity, and apply tags for resource categorization. Integrating with Azure DevOps pipelines adds another layer of automation, allowing for continuous integration and deployment.

Configure VHD Templates

Virtual Hard Disk (VHD) templates are used to create custom VM images. Start by configuring a VM with required settings and software. Generalize the VM using sysprep (for Windows) or waagent (for Linux), then capture the image.

Store the VHD in a storage account, and reference it in your ARM template or Azure CLI command during VM creation. Custom images save time when deploying multiple VMs with identical configurations.

Deploy from Template

Templates enable rapid, consistent deployments. Use the Azure Portal, CLI, or PowerShell to deploy a saved template. Define a parameter file to streamline repetitive deployments.

It’s essential to follow best practices, such as parameterizing values, using variables for repeat elements, and documenting your templates. Templates should be modular to enhance reuse across projects.

Save a Deployment as an ARM Template

Once a resource is deployed via the Azure Portal, you can export the configuration as an ARM template. This template includes parameters and resource definitions that can be edited and redeployed.

Download it from the “Automation” section of the resource group blade. It serves as a starting point for customizing deployments and ensures consistency across environments.

Automate Configuration Management Using Custom Script Extensions

Custom script extensions execute PowerShell or shell scripts post-deployment. They’re useful for tasks like installing software, changing configurations, or setting registry keys.

Define the script location (local or URL), and pass parameters during deployment. Scripts can be rerun manually or triggered through automation tools. For better management, consider storing scripts in secure, version-controlled locations.

Create and Configure Virtual Machines

Creating VMs involves choosing the OS image, size, region, and network settings. During configuration, assign a virtual network, subnet, public IP, and optionally, an availability set or zone.

Additional configurations include enabling boot diagnostics, setting OS and data disks, and defining extensions for post-deployment tasks. Automation using ARM templates or Azure CLI ensures rapid and standardized deployment.

Configure Azure Disk Encryption

Azure Disk Encryption uses BitLocker for Windows and DM-Crypt for Linux to protect data at rest. Encryption is enabled via the Azure Portal, CLI, or PowerShell.

You must use Azure Key Vault to manage encryption keys. Key management involves setting up access policies and ensuring that keys are backed up and rotated periodically.

Move VMs Between Resource Groups or Subscriptions

Azure supports moving VMs between resource groups and subscriptions with minimal downtime. Use the Azure Portal, CLI, or PowerShell for the move operation.

Ensure that associated resources like network interfaces, disks, and public IPs are moved together. Permissions must be set correctly in both the source and target subscriptions.

Manage VM Sizes

VM sizing is critical to performance and cost optimization. Azure offers a wide range of VM series tailored for general use, compute-optimized, memory-optimized, and more.

Resize operations can be done through the portal or CLI. Ensure the VM is deallocated before resizing, and validate that the target size is available in your chosen region.

Add Data Disks

Attaching data disks expands storage capabilities. You can add managed or unmanaged disks to a VM. Configure disk settings like size, caching, and storage type during the attachment.

Once added, initialize and format the disk within the guest OS. For automation, use PowerShell or CLI scripts during VM creation.

Configure Networking for VMs

Networking configuration includes assigning network interfaces, IP addresses, and DNS settings. Security groups are applied to control traffic.

Use PowerShell or the Azure Portal to open required ports, attach NICs, and configure static or dynamic IP addressing. For complex configurations, define networking in your ARM templates.

Redeploy VMs

Redeploying a VM moves it to a new Azure node, which can resolve issues like remote desktop problems or failed patching. Use the “Redeploy” option in the Azure Portal.

This operation retains the VM’s configuration and public IP, but it’s always wise to back up important data beforehand. Post-redeployment, verify connectivity and performance.

Create and Configure Containers

Containers are lightweight, portable solutions for running applications. Azure offers Azure Kubernetes Service (AKS) and Azure Container Instances (ACI) for orchestration and single-container deployments respectively.

Define container settings like image source, environment variables, and ports. Use YAML files for AKS deployments, or CLI commands for ACI.

Create and Configure Azure Kubernetes Service (AKS)

AKS simplifies Kubernetes cluster deployment and management. Configuration includes node pools, networking, and scaling settings. You can enable features like monitoring and RBAC during setup.

Ensure your cluster uses the latest Kubernetes version and integrates with Azure Container Registry or Docker Hub. Post-deployment, use kubectl to manage workloads.

Create and Configure Azure Container Instances (ACI)

ACI enables quick deployment of containers without managing infrastructure. Specify the image, CPU, memory, and environment variables.

You can expose containers to the internet, mount Azure Files as volumes, and use secure credentials via environment variables. ACI is ideal for development, testing, or stateless workloads.

Create and Configure Web Apps

Web Apps on Azure App Service provide a PaaS environment for hosting web applications. Configuration includes framework selection, deployment method, and scaling settings.

App Service integrates with DevOps tools for CI/CD. You can configure custom domains, SSL bindings, and authentication. Enable autoscaling based on performance metrics to optimize resource use.

Create and Configure App Service Plans

App Service Plans define the compute resources for web apps. Options include shared, basic, standard, premium, and isolated tiers. Each tier offers different scaling and feature capabilities.

Scaling can be manual or automatic, and plan size can be adjusted post-deployment. Ensure you choose a plan that aligns with your app’s performance and availability requirements.

Configure Virtual Networks and Subnets

A virtual network (VNet) in Azure functions like a traditional network in your data center, with the benefits of scalability, availability, and isolation. Subnets help segment the VNet into manageable sections. While setting up a VNet, define the IP address range using CIDR notation and logically separate workloads using subnets.

Subnets can be associated with network security groups (NSGs) to control traffic flow. For better organization, consider naming conventions and IP planning upfront. Remember, subnet IP ranges cannot overlap, and changes require careful planning, especially in production environments.

Configure Public and Private IP Addresses

Azure supports both public and private IP addressing. Public IPs allow internet access, whereas private IPs enable secure communication within VNets. During resource creation, you choose the IP type and assignment method (static or dynamic).

Use static public IPs for predictable endpoints, especially for services like DNS or firewall rules. Private IPs are allocated from the subnet’s address range and should be planned to avoid conflicts. For higher resilience, integrate IP addresses with Azure Load Balancer or Application Gateway.

Configure Network Security Groups (NSGs)

NSGs act as virtual firewalls for controlling inbound and outbound traffic at the subnet or NIC level. They contain rules defined by priority, protocol, direction, source/destination, and port.

To harden security, use deny-all rules with allow rules for necessary ports. NSG flow logs can be enabled for troubleshooting or auditing traffic. Be cautious when applying rules broadly, as overly permissive configurations can lead to exposure.

Configure Azure Firewall

Azure Firewall is a managed, cloud-native firewall that provides network and application-level protection. Deploy it to a dedicated subnet within your VNet.

Configure application rules for domain-based filtering and network rules for IP-based traffic. Use threat intelligence filtering to block known malicious IPs. Integrate it with Azure Monitor for logging and analytics. Azure Firewall supports high availability and auto-scaling, making it suitable for enterprise scenarios.

Configure Azure DNS

Azure DNS hosts your domain name system records in Azure, allowing you to manage DNS without managing your own DNS servers. Use it to resolve hostnames in your domains.

Create DNS zones for each domain and add record sets for A, AAAA, MX, and CNAME records. Azure DNS supports alias records to point to Azure resources directly. You can also enable private DNS zones for internal name resolution within VNets.

Configure Network Routing and Azure Virtual Network NAT

Routing in Azure is managed via system routes and user-defined routes (UDRs). Use UDRs to override the default behavior and direct traffic to virtual appliances or firewalls.

Azure Virtual Network NAT simplifies outbound connectivity for VNets. It allows multiple subnets to share a single public IP address while hiding internal IPs. Configure NAT gateway with appropriate public IP or IP prefix and associate it with subnets to streamline egress traffic.

Configure Peering

VNet peering connects two VNets, allowing them to communicate privately without gateways. Peered VNets appear as one for connectivity purposes.

Peering supports transitive routing and can be done across regions (Global VNet Peering). Ensure address spaces don’t overlap. Traffic between peered VNets stays on Microsoft’s backbone network, ensuring low latency and high reliability.

Configure ExpressRoute and Site-to-Site VPN

ExpressRoute establishes private, dedicated connectivity between your on-premises network and Azure. It bypasses the public internet, offering more reliability and lower latency. Work with a connectivity provider to set up ExpressRoute circuits.

Site-to-Site VPN connects your on-premises network to Azure via IPsec tunnels. Configure VPN Gateway in Azure and a compatible VPN device on-prem. Ensure IP ranges do not overlap and that routing tables are properly configured.

Configure Azure Bastion

Azure Bastion provides secure RDP and SSH connectivity to your VMs directly from the Azure Portal without exposing public IPs. Deploy it in a dedicated subnet called “AzureBastionSubnet.”

Bastion scales automatically and supports session logging. It reduces the attack surface significantly and integrates seamlessly with the portal UI, eliminating the need for external clients.

Configure Network Watcher

Network Watcher offers tools for monitoring, diagnosing, and gaining insights into your network. Enable it per region to utilize features like connection troubleshoot, IP flow verify, NSG flow logs, and packet capture.

Use topology views to visualize your network setup and diagnose connectivity issues. Integrate with Log Analytics for long-term storage and advanced queries. Regular use of Network Watcher helps maintain a healthy and secure network infrastructure.

Troubleshoot Network Connectivity Issues

When diagnosing connectivity problems, start with basic ping and trace route tests. Use Network Watcher’s connection troubleshoot tool to verify path and identify issues.

Check NSG rules, UDRs, and route tables for misconfigurations. DNS resolution problems may stem from incorrect or missing records. For VM-specific issues, inspect NIC settings and verify IP address assignments.

Implement Application Gateway

Azure Application Gateway is a layer 7 load balancer offering SSL termination, path-based routing, and web application firewall (WAF) capabilities. Deploy it to manage traffic to your web apps securely.

Configure backend pools, listeners, and routing rules. Enable WAF to protect against OWASP top threats. Application Gateway integrates with Azure Key Vault for SSL certificates and supports autoscaling for dynamic workloads.

Implement Load Balancer

Azure Load Balancer operates at layer 4 and distributes inbound traffic among healthy VM instances. Use it for both internal and public-facing applications.

Define frontend IP configuration, backend pools, and health probes. Load balancing rules control traffic flow. Use zone-redundant frontends for high availability across regions. It supports both TCP and UDP protocols.

Implement Azure Traffic Manager

Traffic Manager is a DNS-based traffic distribution service that routes clients to the most appropriate endpoint based on routing method. It supports performance, priority, weighted, geographic, and multi-value routing.

Define profiles and associate endpoints like Azure Web Apps, VMs, or external sites. Health checks ensure traffic is directed only to healthy endpoints. It enables high availability and global responsiveness for your services.

Implement Network Load Balancer

Though often confused with Azure Load Balancer, the term “Network Load Balancer” typically refers to internal configurations distributing traffic among backend services. Azure Load Balancer itself can be configured as an internal load balancer for traffic within a VNet.

Apply it when external access is unnecessary. Use backend health probes and NSG configurations to ensure proper traffic flow. It’s optimal for microservices or service tiers needing private, distributed access.

Secure Access to Virtual Networks

Access to VNets must be tightly controlled to maintain security. Use NSGs, Azure Firewall, and user-defined routes to limit exposure. Implement identity-based access via Azure RBAC.

Combine Bastion with just-in-time VM access to minimize open ports. Use Private Endpoints to access services securely without traversing the public internet. Enforce policy using Azure Policy for consistent governance across VNets.

Configure Virtual Networks and Subnets

A virtual network is the foundational component of Azure networking. It’s essential to define your IP address space using CIDR notation and divide it into subnets based on workload isolation or security requirements. Subnetting ensures granular control over resource traffic and allows for targeted network security configurations.

When configuring subnets, assign them non-overlapping address spaces and associate network security groups to control inbound and outbound traffic. Enabling service endpoints on subnets extends Azure services directly into your VNet, enhancing performance and security.

Configure Public and Private IP Addresses

Public IP addresses allow Azure resources to communicate with the internet, while private IPs enable internal communication within the virtual network. Choose static IPs for predictable addressing or dynamic for flexible allocations.

When assigning public IPs, select the appropriate SKU and allocation method. Private IPs are typically assigned to VMs, load balancers, and other internal resources. Use DNS settings to enhance name resolution for both internal and external endpoints.

Configure Network Security Groups (NSGs)

NSGs provide control over traffic flow at the subnet and network interface level. Define inbound and outbound security rules using parameters like source/destination IP, protocol, port range, and priority.

Create application-specific NSGs and assign them to subnets or individual NICs. Monitor NSG flow logs to gain visibility into allowed and denied traffic patterns. Fine-tuning rules enhances both security and performance.

Configure Azure Firewall

Azure Firewall is a managed, cloud-native security service that protects Azure Virtual Network resources. It offers high availability and unrestricted cloud scalability. Configuration includes setting up application and network rules, threat intelligence filtering, and logging.

Deploy Azure Firewall into its own subnet within a virtual network. Define rules to allow or deny traffic based on IP addresses, FQDNs, and protocols. Integrate with Azure Monitor for logging and alerting.

Configure Azure DNS

Azure DNS allows you to host DNS zones and manage records for your domains within Azure. This service ensures low-latency, high-availability name resolution for internal and external domains.

Create DNS zones and add records such as A, AAAA, CNAME, MX, and TXT to support your applications. For internal DNS, use Azure-provided DNS or custom DNS servers defined in the VNet settings.

Configure Network Peering

Virtual network peering connects two VNets to enable private traffic routing between them. Peering reduces latency compared to using a VPN and simplifies resource access across regions or subscriptions.

Configure peering settings to allow forwarded traffic, gateway transit, and access to remote virtual network resources. Peered VNets must have non-overlapping address spaces.

Configure VPN Gateway

VPN Gateways provide secure connectivity between Azure and on-premises environments or other cloud providers. You can choose between route-based and policy-based VPNs depending on your requirements.

Deployment involves creating a gateway subnet, selecting a SKU, and setting up a public IP. Configure the local network gateway to represent your on-premises address space and define the shared key for authentication.

Configure ExpressRoute

ExpressRoute establishes a private, dedicated connection between your on-premises infrastructure and Azure. It’s ideal for scenarios demanding high bandwidth, low latency, or compliance with regulatory requirements.

You must work with a connectivity provider to set up ExpressRoute circuits. Configure peering types (private, Microsoft, and public), define routing domains, and integrate with your existing WAN architecture.

Configure Application Gateway

Application Gateway is a web traffic load balancer that provides SSL termination, cookie-based session affinity, and application firewall capabilities. It’s particularly effective for Layer 7 routing scenarios.

Define backend pools, HTTP settings, listeners, and routing rules. You can use URL-based routing to direct traffic to specific backend pools based on the request path. Enable Web Application Firewall (WAF) for enhanced security.

Configure Load Balancer

Azure Load Balancer distributes incoming traffic across multiple virtual machines to ensure high availability. It supports inbound and outbound scenarios for both internet-facing and internal applications.

Set up frontend IP configurations, backend pools, health probes, and load balancing rules. Choose between Basic and Standard SKUs based on scalability and feature requirements.

Monitor and Troubleshoot Virtual Networking

Monitoring tools such as Network Watcher provide deep visibility into network performance and traffic patterns. Use tools like connection troubleshoot, topology viewer, and IP flow verify for diagnostics.

Enable NSG flow logs, packet capture, and diagnostic logging for comprehensive auditing. Regularly review metrics and alerts in Azure Monitor to detect anomalies or performance bottlenecks.

Integrate On-Premises Networks with Azure Virtual Networks

Hybrid networking extends your on-premises infrastructure to the cloud. Use VPN Gateway or ExpressRoute to establish secure connections.

Ensure your address spaces do not overlap and update route tables to enable seamless communication. Configure BGP if dynamic routing is required. Implement redundancy and failover strategies for high availability.

Implement Azure Bastion

Azure Bastion provides secure and seamless RDP and SSH access to VMs without exposing them via public IPs. It’s deployed in a virtual network and supports browser-based access.

Set up a Bastion host in a dedicated subnet called “AzureBastionSubnet”. Assign role-based access controls to manage user access and ensure that NSGs allow required traffic to the Bastion host.

Configure Private Endpoints

Private Endpoints allow you to access Azure services over a private IP within your virtual network. This enhances security by eliminating the need to traverse the internet.

Associate a private endpoint with a resource instance, and configure DNS to resolve to the private IP. This setup is commonly used with services like Azure Storage, SQL Database, and Key Vault.

Configure Route Tables

Route tables determine how traffic is directed within a virtual network. Use user-defined routes (UDRs) to override Azure’s default system routes.

Assign route tables to subnets and define custom routes with next-hop types like virtual appliance, internet, or none. Route tables are vital in complex network topologies or when using network virtual appliances.