Demystifying the Azure Administrator Associate Certification: Skills, Exam, and Benefits

Practice Exams:

View All

Demystifying the Azure Administrator Associate Certification: Skills, Exam, and Benefits

Introduction to AZ-104 and Azure Administration

The Importance of Cloud Computing in Modern IT

Cloud computing has become essential for modern IT infrastructure. Organizations across industries rely on cloud platforms to drive innovation, improve operational efficiency, and scale services globally. Among the top cloud service providers, Microsoft Azure stands out for its extensive offerings, integration with existing Microsoft products, and global reach.

Azure allows businesses to host applications, store data, manage virtual networks, and deploy artificial intelligence solutions—all under a single platform. However, leveraging these capabilities effectively requires trained professionals who can manage, monitor, and secure Azure environments. This is where the AZ-104 certification comes in.

Overview of the AZ-104 Certification

The AZ-104 certification, formally known as Microsoft Certified: Azure Administrator Associate, is designed for IT professionals responsible for implementing, monitoring, and maintaining Microsoft Azure solutions. It validates the ability to manage Azure identities, governance, compute, storage, networking, and monitoring.

This certification is ideal for those with hands-on experience in Azure administration. While not strictly entry-level, it serves as a strong starting point for professionals transitioning to cloud roles. The AZ-104 is a stepping stone to more advanced certifications such as Azure Solutions Architect or DevOps Engineer.

Who Should Pursue the AZ-104 Certification

Several roles align with the AZ-104, including:

Azure Administrators manage resources daily.
System Administrators transitioning from on-premises infrastructure.
Network Administrators are integrating on-premises networks with Azure.
IT Support Staff supporting Azure users and resources.
DevOps Professionals manage cloud-based deployments.
Cloud Consultants are advising clients on infrastructure.
Project Managers oversee cloud projects.
Cybersecurity Analysts ensure secure configurations.

These professionals benefit from understanding core Azure services and how to apply administrative best practices.

Career Benefits of AZ-104

Earning the AZ-104 certification demonstrates a professional’s commitment to mastering Azure administration. It:

Validates your ability to manage Azure resources effectively.
Enhances your resume and professional credibility.
Improves job prospects in cloud-related roles.
Serves as a prerequisite for advanced certifications.
Equips you to support organizational cloud initiatives.

Certified Azure administrators are in high demand, with competitive salaries and opportunities for career advancement.

Exam Structure and Objectives

The AZ-104 exam tests candidates on five key domains:

Manage Azure Identities and Governance
Implement and Manage Storage
Deploy and Manage Azure Compute Resources
Configure and Manage Virtual Networking
Monitor and Back Up Azure Resources

Each domain comprises multiple tasks and skills. The exam is scenario-based and includes multiple-choice, drag-and-drop, and simulation questions. It emphasizes practical knowledge and the ability to perform real-world administrative tasks.

Preparation Strategy

To prepare effectively, candidates should:

Gain hands-on experience in an Azure environment.
Study Microsoft Learn modules aligned with AZ-104 objectives.
Use the Azure portal, PowerShell, and CLI for practice.
Read Microsoft documentation and papers.
Watch video tutorials and attend instructor-led courses.
Take practice exams to assess readiness.

Practical experience is the most crucial component. Building and managing resources in Azure is the best way to reinforce learning.

Cost and Registration

As of the current pricing, the AZ-104 exam costs USD 165. This fee covers one exam attempt. Costs for training materials, practice exams, and courses are separate and vary. Discounts or vouchers may be available through promotions or Microsoft partnerships.

To register, visit Microsoft’s certification website, create an account, and schedule your exam at a testing center or through online proctoring.

Summary of Key Takeaways

The AZ-104 is a mid-level Azure certification for administrators.
It covers core services like identity, compute, storage, networking, and monitoring.
It suits a range of IT roles, including administrators, support staff, and consultants.
Preparation requires a mix of study and practical experience.
The certification improves employability and prepares candidates for more advanced roles.

Managing Azure Identities and Governance

Introduction to Azure Identity Management

Managing identities in Azure is crucial for securing access to cloud resources. Azure Active Directory (Azure AD) is the backbone of identity and access management in Azure. It enables administrators to control who can access what resources and under what conditions.

Azure AD provides a centralized platform to manage user credentials, group memberships, access permissions, and security policies. It supports features like single sign-on (SSO), multi-factor authentication (MFA), and integration with external identity providers.

User and Group Management

Administrators can create and manage users and groups through various interfaces:

Azure Portal: Provides a graphical interface for user management.
Azure CLI: az ad user create
PowerShell: New-AzADUser

Groups are used to manage access collectively. Types include:

Security Groups: Control access to resources.
Microsoft 365 Groups: Used in collaboration tools.

Dynamic groups automatically add members based on user attributes. This helps automate access control.

Administrative Units

Administrative Units (AUs) allow organizations to delegate administrative control over subsets of users and groups. For example, a regional admin can manage only users in their geographical area without affecting other parts of the organization.

AUs enhance delegation and organizational efficiency, especially in large enterprises.

Role-Based Access Control (RBAC)

RBAC allows administrators to assign specific permissions to users, groups, or applications. It operates using:

Security Principals: Users, groups, service principals, or managed identities.
Role Definitions: Sets of permissions (Reader, Contributor, Owner).
Scopes: Apply roles at the subscription, resource group, or resource level.

RBAC ensures that users only have access to what they need, following the principle of least privilege. Roles can be assigned using:

Azure Portal
Azure CLI: az role assignment create
PowerShell: New-AzRoleAssignment

Custom Roles

If built-in roles do not meet organizational requirements, custom roles can be created. For example, a custom role can allow starting VMs but not deleting them. Custom roles are defined using JSON templates and can be assigned to any scope.

Azure AD Connect and Hybrid Identity

Organizations with on-premises Active Directory often use Azure AD Connect to synchronize identities with Azure AD. Synchronization options include:

Password Hash Synchronization (PHS)
Pass-through Authentication (PTA)
Federation with AD FS

Key tasks:

Installing and configuring Azure AD Connect.
Defining synchronization rules.
Using tools like IdFix to clean up directory data.

Azure AD Connect enables seamless sign-on and unified identity management.

Azure Policy

Azure Policy enforces rules and standards across resources. It ensures that deployments comply with organizational guidelines. Policies can:

Restrict VM sizes.
Enforce tagging standards.
Deny creation of public IPs.

Policies can be assigned at different scopes and evaluated in:

Audit mode: Logs non-compliant actions.
Deny mode: Blocks non-compliant resources.
Append mode: Adds settings automatically.

Use Azure CLI to assign policies:
az policy assignment create –policy “policyDefinitionID” –scope “/subscriptions/{subscription-id}/resourceGroups/{resource-group}”

Azure Blueprints

Blueprints combine multiple governance elements:

ARM Templates
Policies
Role Assignments
Resource Groups

They help organizations deploy compliant environments consistently. Though Microsoft is transitioning to newer tools, Blueprints are still part of the AZ-104 exam.

Resource Locks and Tags

Resource Locks prevent accidental modification or deletion. Types:

CanNotDelete
ReadOnly

Example:
New-AzResourceLock -LockName “ProtectVM” -LockLevel CanNotDelete -ResourceName “VM01” -ResourceType “Microsoft.Compute/virtualMachines” -ResourceGroupName “ProdRG”

Tags are key-value pairs for organizing resources. They help with:

Billing
Resource categorization
Automation

CLI example:
az resource tag –tags Environment=Production Owner=Admin –name MyVM –resource-group MyRG

Conditional Access and MFA

Conditional Access enforces policies based on user and device conditions. Examples:

Require MFA from untrusted locations.
Block access from high-risk sign-ins.

MFA strengthens security by requiring multiple verification methods. Supported methods include:

Password + Authenticator app
Password + SMS
Password + Biometrics

Configure policies using the Azure AD portal or the security center.

Management Groups and Subscriptions

Management Groups allow hierarchical organization of subscriptions. Example:

Root
- Production
  - Prod Sub 1
  - Prod Sub 2
- Development
  - Dev Sub 1

Policies and RBAC roles can be assigned at the management group level for centralized control.

Monitoring with Azure Monitor

Azure Monitor collects logs and metrics across Azure. It integrates with:

Log Analytics
Alerts
Dashboards

Enable diagnostics and use KQL to query logs. Example:
SigninLogs | where ResultType != 0 | project UserPrincipalName, ResultDescription, Location, TimeGenerated

You can set alerts for failed logins, permission changes, or policy violations.

Azure Identity and Governance for AZ-104

Azure Identity and Governance is a foundational domain within the AZ-104 Microsoft Azure Administrator certification. It focuses on ensuring secure, structured, and accountable access and control mechanisms in an Azure environment. This part will cover the key topics in this domain: Azure Active Directory, Role-Based Access Control, Governance tools like Azure Policy and Blueprints, and related operational practices.

Understanding Azure Active Directory (Azure AD)

Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft. It helps organizations manage user identities and control access to resources across Microsoft services, third-party applications, and internal enterprise systems.

Differences from Traditional Active Directory

Azure AD is designed for cloud-first environments, whereas traditional Active Directory (AD DS) is domain-centric and optimized for on-premises infrastructures. Azure AD is

Web-based and supports protocols like OAuth 2.0, SAML, and OpenID Connect
Integrated with Microsoft 365, SaaS applications, and Azure services
Designed for single sign-on (SSO), multi-factor authentication (MFA), and conditional access

Managing Users and Groups

Proper identity management is critical in Azure environments. Administrators must create, update, and manage users and groups to ensure secure access control.

Creating Users

Users can be created through multiple methods:

Azure Portal (GUI-based interface)
Azure CLI (az ad user create)
PowerShell (New-AzADUser)

These users can be cloud-only or synchronized from on-premises using Azure AD Connect.

Managing Groups

Groups streamline access management. The two main types of groups in Azure AD are:

Security Groups: Used to assign access to resources (e.g., VMs, storage)
Microsoft 365 Groups: Used primarily for collaboration tools like Teams and Outlook

Groups can be:

Static: Members are added manually
Dynamic: Membership is based on user attributes (e.g., department, location)

Administrative Units (AUs)

Administrative Units allow scoped role assignments within Azure AD. They are especially useful in large organizations. For example, you can grant a help desk admin access only to manage users in a specific department without giving them global permissions.

Administrative Units are commonly used to:

Delegate control to regional or departmental administrators
Segment permissions for compliance or operational reasons

Role-Based Access Control (RBAC)

RBAC is used to grant users the minimum necessary permissions. It is one of the most powerful governance features in Azure.

Core Components

Security Principal: The identity (user, group, service principal, or managed identity)
Role Definition: A collection of permissions (e.g., Reader, Contributor, Owner)
Scope: The boundary where the role applies (e.g., subscription, resource group)

Example Scenario

If a user needs to monitor resources but not make changes, you can assign them the Reader role at the resource group level.

Assigning Roles

You can assign roles using:

Azure Portal
Azure CLI (az role assignment create)
PowerShell (New-AzRoleAssignment)

Custom Roles

If built-in roles do not meet your needs, you can define custom roles. For example, a role that allows a user to restart virtual machines but not delete them.

Azure AD Connect and Hybrid Identity

Many organizations operate hybrid identity systems, combining on-premises Active Directory with Azure AD. Azure AD Connect is used to synchronize identities between the two systems.

Synchronization Methods

Password Hash Sync (PHS): Most common; syncs the hash of the password
Pass-through Authentication (PTA): Authenticates against on-prem AD
Federation (AD FS): Uses a federation server for authentication

Tasks You Should Know

Installing Azure AD Connect
Configuring synchronization rules
Managing sync cycles using Start-ADSyncSyncCycle
Using tools like IdFix to clean up data before syncing

Azure AD Connect is essential for scenarios where users need seamless access to both on-prem and cloud-based resources.

Conditional Access

Conditional Access provides policy-based controls to enforce security based on conditions such as location, device state, and risk level.

Common Use Cases

Require MFA when accessing from an untrusted location.
Block access to legacy apps from outside the corporate network.k
Allow access only to compliant devices.

Policies can be enforced via the Azure AD Portal. Each policy includes assignments (users, apps, conditions) and controls (grant/deny, enforce MFA, session limits).

Multi-Factor Authentication (MFA)

MFA enhances security by requiring more than one method of verification:

Something the user knows (password)
Something the user has (phone, app token)
Something the user is (biometrics)

Azure AD MFA can be enabled at:

User level (per-user MFA)
Policy level (via Conditional Access)

It supports multiple verification options, including SMS, app notification, and hardware tokens.

Azure Policy

Azure Policy enforces organizational standards and ensures resource compliance.

Features

Policy Definitions: Rules and effects (e.g., deny creation of certain VM sizes)
Initiatives: Group multiple policies into one set
Assignment: Apply a policy or initiative to a scope (subscription, resource group)

Modes of Operation

Audit: Reports non-compliance
Deny: Blocks non-compliant deployments.
Append: Adds settings to resource configuration

CLI Example

az policy assignment create \

–policy “policyDefinitionID” \

–scope “/subscriptions/{subscription-id}/resourceGroups/{resource-group}”

Policies are central to ensuring consistency and governance across all deployed resources.

Azure Blueprints

Azure Blueprints help standardize and automate resource deployments along with governance settings. A blueprint can include:

Role assignments
Policy assignments
ARM templates
Resource groups

BluePrints are useful in regulated industries where deployment consistency and compliance are essential.

Even though Azure is transitioning to using ARM templates and Bicep with policy initiatives for some of these functions, the AZ-104 still covers Blueprints.

Management Groups and Subscriptions

Management Groups organize subscriptions into hierarchies to apply policies and RBAC centrally. The structure might look like this:

Root Management Group
- Production
  - Subscription A
  - Subscription B
- Development
  - Subscription C

This allows IT teams to

Apply a policy to all production environments
Delegate access without managing each subscription individually

Commands for managing this hierarchy are available in both PowerShell and CLI.

Tags and Resource Locks

Tags and resource locks are operational governance tools.

Resource Locks

Locks prevent unintended changes to critical resources. There are two types:

CanNotDelete: Resource can be read and modified, but not deleted
ReadOnly: Resource cannot be changed or deleted

Example using PowerShell:

New-AzResourceLock -LockName “VMProtection” -LockLevel CanNotDelete -ResourceName “CriticalVM” -ResourceType “Microsoft.Compute/virtualMachines” -ResourceGroupName “ProdGroup”

Monitoring Governance with Azure Monitor

Azure Monitor integrates with Azure AD and governance services to provide visibility and control.

Capabilities

Log Analytics: Query logs for specific events like failed logins or policy violations
Activity Logs: Record changes in subscriptions, roles, and policy states
Alerts: Notify administrators of suspicious activity or compliance violations

Sample KQL Query

Sign-in Logs

| where ResultType != 0

| project UserPrincipalName, ResultDescription, Location, AppDisplayName, TimeGenerated

You can also export logs to a Log Analytics Workspace or external SIEM systems.

Summary of Key Tasks

For the AZ-104 exam and practical Azure administration, you should be able to:

Create and manage users and groups in Azure AD
Implement and assign RBAC roles at various scopes.
Configure and troubleshoot Azure AD Connect
Deploy Conditional Access and enforce MFA.
Apply Azure Policies and evaluate compliance.
Organize subscriptions with Management Groups.
Use Blueprints for consistent environment deployment.
Tag resources and apply a resource lock.
Monitor governance activity with Azure Monitor and Log Analytics.

Managing Azure Storage and Compute Resources for AZ-104

Managing storage and compute resources is a critical domain within the AZ-104 Microsoft Azure Administrator exam. It tests your ability to provision, configure, secure, and maintain Azure Virtual Machines (VMs) and storage services. These resources form the backbone of nearly every cloud application, and understanding how to manage them efficiently is key to any Azure administrator role.

This section covers core services including Azure Storage accounts, Blob and File Storage, Managed Disks, Virtual Machines, Scale Sets, Availability options, and backup strategies.

Understanding Azure Storage Types

Azure Storage provides scalable, secure, and durable storage solutions for a variety of use cases. Understanding the types of storage is foundational to selecting the right solution.

Types of Storage Services

Blob Storage: Unstructured object storage for text, images, videos, and backups.
File Storage: Fully managed shared file systems (SMB/NFS).
Queue Storage: Message-based communication between components.
Table Storage: NoSQL key-value store for structured data.
Disk Storage: Persistent block storage for Azure VMs.

Each of these services can be used in different scenarios depending on the application architecture and workload.

Storage Accounts

All storage services in Azure start with a storage account. A storage account provides a namespace and manages billing and replication.

Types of Storage Accounts

General-purpose v2 (GPv2): Most flexible; supports all services and features.
Blob Storage: For scenarios focused on object storage only.
FileStorage: Premium performance for file shares.
BlockBlobStorage: High-throughput workloads.

Redundancy Options

To ensure high availability and durability, Azure offers different redundancy models:

Locally Redundant Storage (LRS): 3 copies within a single region.
Zone-Redundant Storage (ZRS): Replication across availability zones.
Geo-Redundant Storage (GRS): Replication to a secondary region.
Read-Access GRS (RA-GRS): GRS with read-only access to secondary.

Choose the appropriate redundancy based on cost, performance, and disaster recovery requirements.

Creating a Storage Account (CLI)

az storage account create \

–name mystorageaccount \

–resource-group myRG \

–location eastus \

–sku Standard_LRS \

–kind StorageV2

Azure Blob Storage

Blob storage is Azure’s object storage solution for the cloud. It is optimized for storing massive amounts of unstructured data.

Types of Blobs

Block Blobs: For storing documents, backups, and media files.
Append Blobs: Optimized for append operations (e.g., logs).
Page Blobs: Used for virtual hard disks (VHDs).

Access Tiers

Blob storage offers tiered pricing based on access frequency:

Hot: Frequent access.
Cool: Infrequent access, lower cost.
Archive: Rare access, very low cost, retrieval takes hours.

Uploading a Blob (CLI)

az storage blob upload \

–account-name mystorageaccount \

–container-name mycontainer \

–name myfile.txt \

–file ./myfile.txt

Azure File Storage

Azure Files provides shared file storage that can be accessed via standard protocols like SMB or NFS.

Features

Mount file shares on Windows, Linux, and macOS
Integration with Active Directory for access control
Support for snapshots, quotas, and backup

Creating a File Share (CLI)

az storage share create \

–name myfileshare \

–account-name mystorageaccount \

–quota 100

Mounting File Share on Windows

net use Z: \\mystorageaccount.file.core.windows.net\ myfileshare /u:Azure\mystorageaccount <storage-key>

Azure Disk Storage

Azure Disk Storage provides high-performance block storage for Azure Virtual Machines.

Disk Types

Standard HDD: Low cost, suitable for infrequent access.
Standard SSD: Better performance for cost-conscious workloads.
Premium SSD: High IOPS and low latency.
Ultra Disk: Extreme performance for mission-critical apps.

Roles

OS Disk: Required for the VM operating system.
Data Disk: Used for application and data storage.

Creating a Managed Disk (CLI)

az disk create \

–resource-group myRG \

–name myDisk \

–size-gb 128 \

–sku Premium_LRS

Azure Virtual Machines (VMs)

Azure VMs provide scalable, on-demand compute resources. They are ideal for applications that require full control over the operating system and environment.

VM Series

D-Series: General-purpose.
E-Series: Memory-optimized.
F-Series: Compute-optimized.
L-Series: Storage-optimized.
B-Series: Burstable workloads.

Creating a VM (CLI)

az vm create \

–name myVM \

–resource-group myRG \

–image UbuntuLTS \

–admin-username azureuser \

–generate-ssh-keys

VM Sizing and Availability

Selecting the right VM size and availability configuration is key to performance and reliability.

Availability Options

Availability Sets: Spread VMs across fault and update domains within a region.
Availability Zones: Spread VMs across physically separate data centers in a region.
Proximity Placement Groups: Reduce latency by co-locating resources.

VM Scale Sets

Scale Sets allow you to deploy and manage a set of identical VMs with load balancing and auto-scaling capabilities.

az vmss create \

–name myScaleSet \

–resource-group myRG \

–image UbuntuLTS \

–upgrade-policy-mode automatic \

–admin-username azureuser \

–generate-ssh-keys

Custom Script Extensions

Custom Script Extensions run scripts post-deployment to configure or install software.

Common Use Cases

Install web servers
Configure firewall rules
Apply OS-level settings

az vm extension set \

–resource-group myRG \

–vm-name myVM \

–name CustomScriptExtension \

–publisher Microsoft.Azure.Extensions \

–settings ‘{ “fileUris”: [“https://<url>/script.sh”], “commandToExecute”: “sh script.sh” }’

Azure Backup for VMs

Azure Backup provides scalable and cost-effective backup for Azure VMs without requiring on-premises infrastructure.

Steps to Protect a VM

Create a Recovery Services Vault
Enable backup for selected VMs
Define policies for retention and frequency.

az backup protection enable-for-vm \

–vm myVM \

–vault-name myVault \

–resource-group myRG \

–policy-name DefaultPolicy

Storage Security and Access Control

Security is a crucial aspect of managing Azure Storage. Azure offers multiple access methods:

Shared Access Signatures (SAS)

SAS tokens provide time-bound and permission-limited access to storage.

az storage blob generate-sas \

–account-name mystorageaccount \

–container-name mycontainer \

–name myfile.txt \

–permissions r \

–expiry 2025-05-01T00:00Z \

–output tsv

Azure AD Authentication

Provides identity-based access control using Azure RBAC. More secure than account keys or SAS.

Storage Firewall and Private Endpoints

Restrict access to trusted IPs or subnets
Use Private Endpoints to access storage over a private IP

Monitoring and Diagnostics

Monitoring performance and usage is essential for optimization and troubleshooting.

Tools

Azure Monitor: Centralized performance and health metrics.
Log Analytics: Query logs and set alerts.
Diagnostics Settings: Collect metrics and logs for storage accounts or VMs.

Sample KQL Query

Perf

| where ObjectName == “Processor” and CounterName == “% Processor Time”

| summarize avg(CounterValue) by bin(TimeGenerated, 5m), Computer

Lifecycle and Automation

Automation helps streamline operations and optimize costs.

Storage Lifecycle Policies

Move blobs to lower-cost tiers or delete them after a certain time.

VM Automation

Automation Accounts: Schedule VM start/stop.
Runbooks: Execute scripts at defined times.
Logic Apps: Integrate automation with events or external systems.

Managing Azure Networking and Monitoring for AZ-104

Networking and monitoring are core components of managing infrastructure in Microsoft Azure. Azure networking ensures secure, scalable, and high-performance connectivity, while monitoring services enable visibility and control over cloud operations. The AZ-104 exam expects candidates to understand how to configure virtual networks, secure resources using network security groups, connect on-premises and Azure environments, implement DNS, and monitor resources using built-in tools like Azure Monitor and Network Watcher.

This section provides a comprehensive breakdown of the essential Azure networking and monitoring features, tools, and best practices.

Understanding Azure Virtual Networks (VNets)

A Virtual Network (VNet) is the fundamental building block for private networking in Azure. VNets allow resources to communicate securely with each other, with on-premises infrastructure, and with the internet.

Key Components of VNets

Address Space: Defined using CIDR notation (e.g., 10.0.0.0/16)
Subnets: Segments within a VNet that isolate workloads
Network Interfaces (NICs): Connect virtual machines to the network
DNS Settings: Control name resolution within the VNet

Creating a Virtual Network (CLI)

az network vnet create \

–name MyVNet \

–resource-group MyRG \

–address-prefix 10.0.0.0/16 \

–subnet-name MySubnet \

–subnet-prefix 10.0.1.0/24

Subnets and IP Addressing

Subnets are logical divisions within a VNet that allow you to separate workloads and apply different security and routing policies.

Best Practices

Assign unique, non-overlapping IP ranges.
Use smaller CIDR blocks to avoid IP exhaustion.
Separate public-facing and backend services into different subnets

Network Security Groups (NSGs)

NSGs are firewall-like rules that control inbound and outbound traffic to Azure resources. NSGs can be associated with subnets or individual NICs.

Components of NSG Rules

Source/Destination IP or range
Source/Destination port
Protocol (TCP, UDP, or Any)
Action (Allow or Deny)
Priority (Lower numbers take precedence)

Creating NSG and Rules (CLI)

az network nsg create \

–resource-group MyRG \

–name MyNSG

az network nsg rule create \

–resource-group MyRG \

–nsg-name MyNSG \

–name AllowSSH \

–protocol Tcp \

–direction Inbound \

–priority 1000 \

–source-address-prefix ‘*’ \

–source-port-range ‘*’ \

–destination-address-prefix ‘*’ \

–destination-port-range 22 \

–access Allow

Route Tables and User-Defined Routes (UDRs)

Azure uses system-defined routes by default. You can override these using route tables and user-defined routes.

Common Use Cases

Routing traffic to a network virtual appliance (e.g., firewall)
Forcing outbound traffic through on-premises networks
Segmenting traffic between VNets or subnets

Creating a Route Table and Adding Routes (CLI)

az network route-table create \

–name MyRouteTable \

–resource-group MyRG

az network route-table route create \

–resource-group MyRG \

–route-table-name MyRouteTable \

–name RouteToFirewall \

–address-prefix 0.0.0.0/0 \

–next-hop-type VirtualAppliance \

–next-hop-ip-address 10.0.2.4

Azure DNS and Custom Name Resolution

Azure DNS allows you to host your domain names in Azure and use them for public and private name resolution.

Custom DNS Servers

You can override the default Azure-provided DNS with custom DNS servers for internal resolution or integration with on-prem environments.

az network vnet update \

–name MyVNet \

–resource-group MyRG \

–dns-servers 10.1.0.4 10.1.0.5

Azure Private DNS Zones

These allow for name resolution within VNets without exposing them to the public internet. Link VNets to private DNS zones to enable seamless internal resolution.

VNet Peering

VNet Peering allows you to connect two VNets for private communication using Azure’s backbone network. Peered VNets can be in the same or different regions (global peering).

Benefits

Low-latency and high-bandwidth
No gateway required
Supports transitive access with configuration

Creating VNet Peering (CLI)

az network vnet peering create \

–name PeerAtoB \

–resource-group MyRG \

–vnet-name VNetA \

–remote-vnet VNetB_ID \

–allow-vnet-access

Azure Load Balancing Services

Azure provides multiple load balancing services depending on your application needs.

Load Balancer (Layer 4)

Distributes TCP/UDP traffic among virtual machines.

Basic Load Balancer: Suitable for simple use cases
Standard Load Balancer: Recommended for production with zone redundancy

az network lb create \

–resource-group MyRG \

–name MyPublicLB \

–sku Standard \

–frontend-ip-name myFrontEnd \

–backend-pool-name myBackEndPool \

–public-ip-address MyPublicIP

Application Gateway (Layer 7)

Used for HTTP/HTTPS traffic, provides advanced routing and Web Application Firewall (WAF) capabilities.

az network application-gateway create \

–name MyAppGW \

–resource-group MyRG \

–capacity 2 \

–sku Standard_v2 \

–vnet-name MyVNet \

–subnet MySubnet

Azure Front Door and Traffic Manager

Azure Front Door: Offers global HTTP(S) load balancing with SSL offloading and application acceleration
Traffic Manager: DNS-based load balancing using routing methods like performance, priority, and geographic

Use Front Door when you need global application acceleration and SSL termination. Use Traffic Manager for DNS failover and location-based routing.

Hybrid Connectivity: VPN and ExpressRoute

Azure supports connecting on-premises environments using VPN or ExpressRoute.

Site-to-Site VPN

Secure connection between your on-prem network and Azure VNet using IPsec.

az network vpn-connection create \

–name MyConnection \

–resource-group MyRG \

–vnet-gateway1 MyVNetGW \

–local-gateway2 MyOnPremGateway \

–shared-key MySharedKey

Point-to-Site VPN

Used by individual clients (e.g., developers, remote staff). Supports certificate-based or Azure AD-based authentication.

ExpressRoute

A dedicated private connection between your datacenter and Azure through a service provider.

Offers higher bandwidth and reliability
Bypasses the public internet
Ideal for compliance-sensitive workloads

Network Watcher

Network Watcher provides diagnostics and monitoring tools for Azure networks.

Key Capabilities

Connection Monitor: Tracks connectivity and latency
IP Flow Verify: Tests if traffic is allowed/denied by NSG.
Packet Capture: Captures live network traffic for analysis
Topology Viewer: Visualizes your network layout

az network watcher configure \

–resource-group MyRG \

–locations eastus \

–enabled true

az network watcher show-topology \

–resource-group MyRG \

–location eastus

Private Link and Private Endpoints

Azure Private Link enables private access to Azure services over your VNet, bypassing the internet entirely.

Benefits

Enhanced security and compliance
Prevents data exfiltration
Ideal for accessing PaaS services like Storage or SQL

Creating a Private Endpoint (CLI)

az network private-endpoint create \

–name MyPrivateEP \

–resource-group MyRG \

–vnet-name MyVNet \

–subnet MySubnet \

–private-connection-resource-id <resource-id> \

–group-ids blob \

–connection-name MyConnection

Service Endpoints

Extend your VNet’s identity to Azure services. Traffic still goes over the internet, but is secured and routed through Microsoft’s backbone.

az network vnet subnet update \

–name MySubnet \

–vnet-name MyVNet \

–resource-group MyRG \

–service-endpoints Microsoft.Storage

Azure Bastion Host

Azure Bastion allows RDP/SSH access to VMs directly from the Azure portal without requiring a public IP.

Benefits

No exposure of VM to the public internet
Browser-based secure access
Ideal for lockdown environments

az network bastion create \

–name MyBastion \

–resource-group MyRG \

–vnet-name MyVNet \

–public-ip-address MyPublicIP \

–location eastus \

–subnet BastionSubnet

Monitoring Azure Resources with Azure Monitor

Azure Monitor collects, analyzes, and acts on telemetry data from your Azure and on-premises environments.

Components

Metrics: Numeric performance indicators (e.g., CPU usage)
Logs: Activity logs, diagnostic logs
Alerts: Automated responses to specific thresholds or patterns
Dashboards: A Visual representation of system health

Log Analytics and KQL

Log Analytics is a query tool for analyzing Azure Monitor logs using Kusto Query Language (KQL).

Sample Query for CPU Monitoring

Perf

| where ObjectName == “Processor” and CounterName == “% Processor Time”

| summarize avg(CounterValue) by bin(TimeGenerated, 5m), Computer

Activity Log Query

AzureActivity

| where ResourceGroup == “MyRG” and ActivityStatus == “Failed”

Setting Up Alerts

Alerts help notify or automate actions based on system states.

Metric-based alerts: Triggered by numeric thresholds (e.g., disk usage > 90%)
Log-based alerts: Triggered by patterns in logs (e.g., failed login attempts)

Diagnostic Settings

Enable diagnostics to send data to Log Analytics, Event Hub, or Storage Account.

az monitor diagnostic-settings create \

–resource MyVM \

–resource-group MyRG \

–name MyDiagnosticSetting \

–workspace MyLogAnalyticsWorkspace \

–metrics ‘[{“category”: “AllMetrics”, “enabled”: true}] ‘ \

–logs ‘[{“category”: “AuditLogs”, “enabled”: true}]’

Best Practices for Networking and Monitoring

Use NSGs at both the subnet and NIC levels for layered security.
Implement VNet Peering with route control for a hub-spoke topology.
Use Private Link where available instead of Service Endpoints.
Tag network resources consistently for billing and automation
Configure alerts for high CPU, memory, and failed login attempts.
Use Network Watcher regularly to diagnose connectivity issues.

Final Thoughts

The AZ-104: Microsoft Azure Administrator certification is a pivotal credential for IT professionals looking to validate their skills in managing cloud-based infrastructure. It emphasizes hands-on expertise in core administrative tasks such as managing Azure identities, implementing governance strategies, provisioning compute resources, configuring storage solutions, and designing secure virtual networks. Beyond the exam, the knowledge gained is immediately applicable to real-world environments, making certified administrators more effective and valuable to their organizations. As cloud adoption continues to grow, Azure administrators play a critical role in ensuring performance, security, and scalability across business applications and services. Earning the AZ-104 not only demonstrates proficiency with Microsoft Azure but also opens the door to more advanced certifications and career opportunities in cloud architecture, security, and DevOps. For anyone serious about a future in cloud technology, this certification is a practical and respected step forward.