Brent G Saucedo

AZ-104 Azure Administrator Cheat Sheet – 2026 Exam Notes

The Microsoft Azure Administrator (AZ-104) is the gold standard for cloud admins. It’s not just about clicking buttons in the portal; it’s about understanding governance, networking logic, and troubleshooting.

If you are preparing for this exam, this deep-dive cheat sheet covers the critical concepts, specific SKU limits, and configuration "gotchas" you need to know.


🆔 1. Identity & Governance (Azure AD / Entra ID)

The security perimeter is no longer the firewall; it's Identity.

Users & Groups

  • Dynamic Groups: Rules are evaluated to add/remove members automatically.
    • Requires: Azure AD Premium P1 license.
    • Syntax: (user.department -eq "IT") -and (user.accountEnabled -eq true)
  • Administrative Units: Restrict scope of administrative permissions (e.g., Allow "Helpdesk User" to only reset passwords for users in the "Marketing" AU).
  • External Identities (B2B): Guest users invited from other tenants. They are billed per Monthly Active User (MAU) rather than per license, so a low-MAU tenant pays nothing (the first 50k MAU are free).
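To see how a membership rule like the one above actually decides who is in the group, here is an added example (not from the original cheat sheet or from Microsoft): a small Python evaluator for the -eq / -and / -or subset of the rule grammar, run against three constructed sample users. Real Entra ID evaluates rules server-side and supports many more operators; this only models the logic.

```python
# Added example (not from the original post): a minimal evaluator for the
# membership-rule syntax quoted above, limited to -eq, -and, -or and parentheses.
import re

TOKEN = re.compile(r'\s*(\(|\)|-eq|-and|-or|"[^"]*"|[\w.]+)')

def tokenize(rule):
    tokens = TOKEN.findall(rule)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", rule):
        raise ValueError(f"unrecognised characters in rule: {rule!r}")  # findall skips junk
    return tokens

def parse_expr(tokens, user):  # expr := term (-or term)*
    v = parse_term(tokens, user)
    while tokens and tokens[0] == "-or":
        tokens.pop(0); r = parse_term(tokens, user); v = v or r
    return v

def parse_term(tokens, user):  # term := atom (-and atom)*; -and binds tighter than -or
    v = parse_atom(tokens, user)
    while tokens and tokens[0] == "-and":
        tokens.pop(0); r = parse_atom(tokens, user); v = v and r
    return v

def parse_atom(tokens, user):  # atom := "(" expr ")" | user.<property> -eq literal
    if tokens and tokens[0] == "(":
        tokens.pop(0); v = parse_expr(tokens, user)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("expected ')'")
        return v
    if len(tokens) < 3 or not tokens[0].startswith("user.") or tokens[1] != "-eq":
        raise ValueError(f"bad comparison near {tokens[:3]}")
    prop, _, lit = tokens.pop(0), tokens.pop(0), tokens.pop(0)
    expected = {"true": True, "false": False}.get(lit, lit.strip('"'))
    return user.get(prop[5:]) == expected  # prop[5:] drops the "user." prefix

def is_member(rule, user):
    tokens = tokenize(rule)
    result = parse_expr(tokens, user)
    if tokens:  # leftover tokens mean the rule was not fully parsed
        raise ValueError(f"unexpected trailing tokens: {tokens}")
    return bool(result)

RULE = '(user.department -eq "IT") -and (user.accountEnabled -eq true)'
USERS = {"alice": {"department": "IT", "accountEnabled": True},  # constructed sample users
         "bob": {"department": "IT", "accountEnabled": False},
         "carol": {"department": "Sales", "accountEnabled": True}}

def evaluate_all(rule=RULE, users=USERS):
    return {name: is_member(rule, u) for name, u in users.items()}
```

Note that bob drops out of the group the moment his account is disabled, which is exactly why dynamic groups are preferred over hand-maintained ones for access assignments.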

Role-Based Access Control (RBAC)

Know the difference between Azure Roles and Azure AD Roles:

  • Azure Roles: Control access to Resources (VMs, Storage).
    • Scope: Mgmt Group > Subscription > Resource Group > Resource.
    • Key Roles: Owner (Access + Manage), Contributor (Manage only), Reader (View only), User Access Administrator (Manage Access only).
  • Azure AD Roles: Control access to Directory (Users, Passwords).
    • Key Roles: Global Admin, User Admin.

Policy & Compliance

  • Azure Policy: Enforces rules on resources (e.g., "Allowed Locations = East US" or "Require Tag 'CostCenter'").
    • Effect: Deny (Blocks creation), Audit (Flags it), Append (Adds tag automatically), DeployIfNotExist (Remediates configuration).
  • Resource Locks:
    • CanNotDelete: Admins can read/modify, but cannot delete.
    • ReadOnly: Admins can only read. (Blocks starting/stopping a VM because that changes state!).

💾 2. Storage Accounts

Storage is the backbone. Know the redundancy and access tiers.

Redundancy Options (The "Durability" Question)

  • LRS (Locally Redundant): 3 copies in 1 datacenter. (Cheapest).
  • ZRS (Zone Redundant): 3 copies across 3 Availability Zones in 1 region. (Survives datacenter fire).
  • GRS (Geo-Redundant): 3 copies in Primary Region (LRS) + 3 copies in Paired Region (LRS).
  • GZRS: 3 copies in Primary (ZRS) + 3 copies in Paired Region (LRS).

Access Tiers

  • Hot: Frequent access. High storage cost, low access cost.
  • Cool: Infrequent access (>30 days). Lower storage cost, higher access cost.
  • Archive: Rare access (>180 days). Lowest storage cost, highest rehydration cost. (Takes hours to retrieve).

File Shares

  • Azure Files: SMB protocol (Windows/Linux).
  • Azure File Sync: Syncs on-prem Windows Server file shares to Azure. Cloud tiering keeps hot files on-prem and moves cold files to the cloud.

💻 3. Azure Compute (VMs & App Service)

How to run workloads and keep them available.

Virtual Machines

  • Availability Sets: Protects against hardware failure within one datacenter.
    • Update Domain (UD): Reboot groups (Patching).
    • Fault Domain (FD): Rack/Power groups (Hardware failure).
    • SLA: 99.95%.
  • Availability Zones: Protects against datacenter failure.
    • SLA: 99.99%.
  • Scale Sets (VMSS): Auto-scaling based on metrics (e.g., CPU > 75%).
    • Orchestration Mode: Uniform (Identical VMs) vs. Flexible (Mix of VM types).

App Service (PaaS)

  • App Service Plan: Defines the Region, OS, and SKU (Resources).
  • Scaling:
    • Scale Up: Change SKU (B1 -> S1) for more RAM/CPU.
    • Scale Out: Increase instance count (1 VM -> 3 VMs).
  • Deployment Slots: (Standard tier+). Swap "Staging" to "Production" instantly. If it fails, swap back.

Containers

  • ACI (Azure Container Instances): "Serverless containers." Good for burst jobs or simple apps. No orchestration.
  • AKS (Kubernetes Service): Full orchestration. You manage the worker nodes (Node Pools).

🌐 4. Networking

The hardest part of the exam. Master VNETs and DNS.

VNET Peering

  • Connects two VNETs. Traffic stays on Microsoft backbone (private).
  • Global Peering: Connects VNETs in different regions.
  • Gateway Transit: Allows VNET A to use VNET B's VPN Gateway. (A must "Use Remote Gateway", B must "Allow Gateway Transit").

Load Balancing

  • Azure Load Balancer (Layer 4): TCP/UDP. Distribution based on a 5-tuple hash (Source IP, Source Port, Destination IP, Destination Port, Protocol).
    • Internal: Private IPs only.
    • Public: Public IP frontend.
  • Application Gateway (Layer 7): HTTP/HTTPS. Web Application Firewall (WAF), Cookie affinity, URL path routing.
  • Front Door: Global Layer 7 load balancer. (CDN + routing).

DNS

  • Public DNS: Azure hosts your domain (e.g., contoso.com).
  • Private DNS: Resolves hostnames within a VNET.
    • Auto-registration: Automatically creates A-records for VMs in a linked VNET.

🛡️ 5. Monitoring & Backup

Keeping the lights on and recovering when they go off.

Azure Monitor

  • Metrics: Numerical data (CPU %, Disk IO). Real-time.
  • Logs: Structured data (Event Logs, Query Logs). Stored in Log Analytics Workspace (KQL).
  • Alerts: Action Groups trigger notifications (Email, SMS, Webhook, ITSM Ticket).

Network Watcher

  • IP Flow Verify: "Can VM A talk to VM B?" (Checks NSG rules).
  • Next Hop: "Where is my traffic going?" (Checks UDR/Routes).
  • Connection Monitor: Continuous monitoring of connectivity between two points.

Recovery Services Vault

  • Backup: Files, Folders, System State, Azure VMs.
    • Soft Delete: Retains deleted backup data for 14 days (Protection against ransomware/accidental delete).
  • Site Recovery (ASR): DR solution. Replicates VMs to a secondary region.
    • RTO (Recovery Time Objective): How long can the restore take before it hurts the business?
    • RPO (Recovery Point Objective): How much data (measured as a window of time) can you afford to lose?

📝 Exam "Gotchas"

  1. Tags don't inherit. If you tag a Resource Group, the resources inside do NOT inherit the tag automatically. You need Azure Policy for that.
  2. Resource Moves: You can move resources between subscriptions/resource groups, but the Source and Destination must be in the same Azure AD Tenant.
  3. NSG Priority: Lower number = Higher priority. Rules are evaluated in ascending order and the first match wins, so Rule 100 overrides Rule 200 when both match the traffic.
  4. Import/Export Job: You must ship the physical hard drive to an Azure Datacenter. You cannot just "download" 50TB over the internet efficiently.
  5. PIM (Privileged Identity Management): Requires Azure AD Premium P2.
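Gotcha #3 and Network Watcher's IP Flow Verify are the same idea from two angles, so here is an added example (not from the original cheat sheet) that models inbound NSG evaluation over a 5-tuple in Python: rules are tried in ascending priority and the first match wins. The VNet range, the office prefix and the two custom rules are constructed; the three default inbound rules are Azure's real ones, and the service tags are approximated for the demo.

```python
import ipaddress

# Added example (not from the original post): evaluate inbound NSG rules the way
# IP Flow Verify does. Rules are tried in ascending priority and the first match
# wins, so rule 100 beats rule 200 regardless of the order they were created in.
VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space
TAGS = {"*": lambda ip: True, "VirtualNetwork": lambda ip: ip in VNET,
        "Internet": lambda ip: ip not in VNET,  # service tags approximated for the demo
        "AzureLoadBalancer": lambda ip: str(ip) == "168.63.129.16"}

def addr_matches(prefix, ip):
    if prefix in TAGS:
        return TAGS[prefix](ip)
    return ip in ipaddress.ip_network(prefix, strict=False)

def port_matches(spec, port):  # "*", "3389" or "1000-2000"
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def proto_matches(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()

DEFAULT_INBOUND = [  # Azure's built-in inbound rules; they cannot be deleted, only overridden
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "src": "VirtualNetwork", "src_port": "*", "dst": "VirtualNetwork", "dst_port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "src": "AzureLoadBalancer", "src_port": "*", "dst": "*", "dst_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "src": "*", "src_port": "*", "dst": "*", "dst_port": "*"},
]

def ip_flow_verify(rules, src_ip, src_port, dst_ip, dst_port, protocol):
    """Return (access, rule name) of the first rule matching the 5-tuple."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (proto_matches(r["protocol"], protocol)
                and addr_matches(r["src"], src) and port_matches(r["src_port"], src_port)
                and addr_matches(r["dst"], dst) and port_matches(r["dst_port"], dst_port)):
            return r["access"], r["name"]

CUSTOM_INBOUND = [  # constructed rules, deliberately listed out of priority order
    {"name": "DenyRdpFromInternet", "priority": 200, "access": "Deny", "protocol": "Tcp",
     "src": "Internet", "src_port": "*", "dst": "*", "dst_port": "3389"},
    {"name": "AllowRdpFromOffice", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "src": "203.0.113.0/24", "src_port": "*", "dst": "*", "dst_port": "3389"},
]
```

Calling ip_flow_verify(CUSTOM_INBOUND, "203.0.113.5", 50000, "10.0.1.4", 3389, "Tcp") returns the Allow from rule 100 even though rule 200 would deny it, while the same RDP attempt from an address outside the office prefix hits rule 200 and is denied.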

Good luck with your AZ-104!
