DEV Community

CrackCerts

Posted on • Originally published at crackcerts.com

AZ-104 Last-Minute Cheat Sheet: The Rules, Limits, and Traps That Actually Show Up

You've studied the domains. You've done the labs. Now it's 48 hours before
your AZ-104 exam and you need one place with the rules that actually trip
people up — not another overview of what the exam covers.

This is that page.

Everything below is pulled from what the exam actually tests. Bookmark it,
read it the morning of your exam, and don't let any of these cost you marks.


Exam Format — Know This Before You Start

  • Questions: 50–55 total
  • Time: 100 minutes of actual exam time (timer starts when you click "Start Exam," not before)
  • Passing score: 700 out of 1000 (scaled — this is not 70% correct)
  • Sections: Two sections. Section 1 has ~45–51 questions including one case study. Section 2 has 4–6 scenario-based questions.
  • Critical: Once you move to Section 2, you cannot go back to Section 1. Review everything in Section 1 before proceeding.
  • Result: Shown immediately on screen — Pass or Fail, your score, and a domain-by-domain breakdown.

Domain 01 — Identity and Governance (20–25%)

RBAC scope inheritance flows downward. A role assigned at a management group applies to all child subscriptions, resource groups, and resources
beneath it. It does not flow upward.

Management-plane ≠ data-plane. This is one of the most tested
distinctions on the exam:

  • Storage Account Contributor lets you manage the storage account — it does not grant access to blob data
  • Storage Blob Data Contributor grants blob data access
  • A user with an account access key bypasses RBAC entirely — they can read any content regardless of their role assignments

Contributor cannot delegate. If a user needs to assign roles to others
on a specific resource, Contributor alone is not enough. You need
User Access Administrator or Owner for that scope.

Azure Policy does not apply retroactively. An append policy only
affects newly created resources. Existing resources at the time of
assignment keep their current state.

Resource locks apply at: resource, resource group, and subscription
level. Management groups do not support resource locks.

Budgets do not stop anything. When a Budget threshold is reached, Azure
sends a notification. It does not deallocate VMs, pause services, or
block new deployments — regardless of how far over budget you go.

Two lock types:

  • CanNotDelete — read and modify allowed, delete blocked
  • ReadOnly — no modifications or deletes permitted

Dynamic groups require Azure AD Premium P1. Static groups do not.

📖 Full breakdown of every sub-topic in this domain:
AZ-104 Domain 01 — Identities and Governance


Domain 02 — Storage (15–20%)

Three SAS types — know which works when:

  • User delegation SAS — backed by Entra ID credentials, works even when account key access is disabled
  • Service SAS — signed with account key, blocked when account key access is disabled
  • Account SAS — also signed with account key, blocked when account key access is disabled

If the exam disables account key access, user delegation SAS is the only
type that continues to function.

SAS effective permissions = intersection of RBAC role + SAS permissions.
The SAS cannot grant more than the role allows.

Redundancy options at a glance:

  • LRS — 3 copies in one datacenter
  • ZRS — 3 copies across availability zones in one region
  • GRS — LRS + async replication to a secondary region
  • GZRS — ZRS + async replication to a secondary region
  • RA-GRS / RA-GZRS — read access to the secondary region

Archive tier is offline. Blobs in Archive cannot be read without
rehydration first. This adds delay. Blobs in Cool or Hot tier are
immediately readable.

Minimum storage durations:

  • Hot — no minimum
  • Cool — 30 days (early deletion = penalty)
  • Cold — 90 days (early deletion = penalty)
  • Archive — 180 days (early deletion = penalty)

Lifecycle rules apply to new state, not past state. When a blob
matches two rules simultaneously, the more restrictive action wins.

Soft delete vs versioning:

  • Soft delete protects against accidental deletion
  • Versioning protects against accidental overwrites

📖 Full sub-topic breakdown including SAS gotchas and lifecycle JSON
rules: AZ-104 Domain 02 — Storage


Domain 03 — Compute (20–25%)

Bicep/ARM deployments are idempotent. Deploying the same template
multiple times will not cause errors — it brings resources to the declared
state.

Availability sets vs availability zones:

  • Availability sets — protect against hardware failures and planned maintenance within a single datacenter (fault domains and update domains)
  • Availability zones — protect against full datacenter failure within a region

Fault domains vs update domains in availability sets:

  • Fault domains — separate physical hardware (power, network). Protects against hardware failures.
  • Update domains — separate groups for planned maintenance. Only one update domain is rebooted at a time.

VMSS autoscale cooldown matters. The exam will give you a starting
instance count, a CPU threshold, and a cooldown window, then ask you to
calculate the count after a sequence of events. No scale event can fire
during the cooldown period after the previous one.
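To make the cooldown rule concrete, here is a small simulation (an added example, not from the original post) that walks a list of CPU samples and applies scale-out and scale-in thresholds, skipping any sample that lands inside the cooldown window. The thresholds, step size, instance limits and CPU samples are constructed; the exam supplies its own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AutoscaleRule:
    """Constructed model of a VMSS autoscale setting; all values are assumptions."""
    scale_out_above: float   # average CPU % that triggers a scale-out action
    scale_in_below: float    # average CPU % that triggers a scale-in action
    step: int                # instances added or removed per action
    cooldown_min: int        # minutes after an action during which nothing may fire
    minimum: int             # instance limits enforced after every action
    maximum: int

def simulate(start: int, rule: AutoscaleRule, samples):
    """Walk time-ordered (minute, avg_cpu_percent) samples; return (final_count, actions).
    A sample that breaches a threshold inside the cooldown window is ignored. The
    cooldown is measured from the minute of the previous action (assumed semantics)."""
    count, last_action, actions = start, None, []
    for minute, cpu in samples:
        if last_action is not None and minute - last_action < rule.cooldown_min:
            continue                                  # still cooling down: no action fires
        if cpu > rule.scale_out_above and count < rule.maximum:
            count = min(count + rule.step, rule.maximum)
        elif cpu < rule.scale_in_below and count > rule.minimum:
            count = max(count - rule.step, rule.minimum)
        else:
            continue                                  # no threshold breached
        last_action = minute
        actions.append((minute, count))
    return count, actions

# Constructed sample: 2 instances, CPU stays above 75% for 30 minutes, evaluated every 5 minutes.
SAMPLES = [(0, 80), (5, 85), (10, 90), (15, 90), (20, 90), (25, 90)]
WITH_COOLDOWN = AutoscaleRule(75, 25, step=1, cooldown_min=10, minimum=1, maximum=10)
NO_COOLDOWN = AutoscaleRule(75, 25, step=1, cooldown_min=0, minimum=1, maximum=10)

if __name__ == "__main__":
    print(simulate(2, WITH_COOLDOWN, SAMPLES))  # (5, [(0, 3), (10, 4), (20, 5)])
    print(simulate(2, NO_COOLDOWN, SAMPLES))    # (8, ...) -- every evaluation fires
```

The same six samples give 5 instances with a 10-minute cooldown and 8 without it, which is exactly the gap the exam question is built around.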

App Service plan OS is a hard constraint. A Windows plan cannot host a
Linux runtime stack (Python, for example). This drives the minimum plan
count when multiple apps have different runtime requirements.

Deployment slots are not free. Slot support requires Standard tier or
above. If the Slots option is greyed out, you need to scale up (not
scale out) the plan.

Container Apps minimum subnet size: /27 for a workload profiles
environment. Make sure you know how to check the remaining address space in
a VNet before deploying.

📖 Full compute sub-topic breakdown including ARM/Bicep, containers, and
App Service: AZ-104 Domain 03 — Compute


Domain 04 — Networking (15–20%)

VNet peering is not transitive. VNet A peered with VNet B, VNet B
peered with VNet C — VNet A cannot reach VNet C. This is one of the
most commonly tested networking facts.

Overlapping address spaces cannot be peered. You must modify one VNet's
address space before peering is possible.

Azure Bastion — SKU differences:

  • Basic SKU — browser-based access only (Azure portal)
  • Standard SKU — native client access (mstsc.exe, SSH client)
  • Bastion reach follows one hop of direct peering only — VMs on VNet2 (directly peered with VNet1 where Bastion lives) are reachable; VMs on VNet3 (only peered with VNet2) are not.
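As an added example (not part of the original post), the Python below models the two peering rules above together with the Bastion one-hop rule: a peering is refused when address spaces overlap (checked with the standard ipaddress module), and reachability is computed from direct peering links only, so a spoke two hops from the hub is unreachable. The VNet names and address spaces are constructed.

```python
import ipaddress

def can_peer(space_a, space_b):
    """Peering is refused if any prefix of one VNet's address space overlaps any prefix of the other's."""
    nets_a = [ipaddress.ip_network(p) for p in space_a]
    nets_b = [ipaddress.ip_network(p) for p in space_b]
    return not any(a.overlaps(b) for a in nets_a for b in nets_b)

def peer(vnets, peerings, a, b):
    """Record a peering between two named VNets, mirroring the portal's overlap check."""
    if not can_peer(vnets[a], vnets[b]):
        raise ValueError(f"{a} and {b} have overlapping address space; change one before peering")
    peerings.add(frozenset((a, b)))

def directly_reachable(vnet, peerings):
    """Peering is not transitive: only VNets sharing a direct link with `vnet` are reachable.
    This is also the reach of an Azure Bastion host deployed in `vnet`."""
    return {other for link in peerings if vnet in link for other in link if other != vnet}

# Constructed hub-and-spoke sample (address spaces are placeholders).
VNETS = {
    "VNet1": ["10.0.0.0/16"],      # hub, hosts Bastion
    "VNet2": ["10.1.0.0/16"],      # spoke peered with the hub
    "VNet3": ["10.2.0.0/16"],      # spoke peered only with VNet2
    "VNet4": ["10.1.128.0/17"],    # overlaps VNet2, so it cannot be peered with it
}

def build():
    """Create the two peerings VNet1<->VNet2 and VNet2<->VNet3."""
    peerings = set()
    peer(VNETS, peerings, "VNet1", "VNet2")
    peer(VNETS, peerings, "VNet2", "VNet3")
    return peerings

if __name__ == "__main__":
    p = build()
    print(directly_reachable("VNet1", p))            # {'VNet2'}  -- VNet3 is two hops away
    print(directly_reachable("VNet2", p))            # {'VNet1', 'VNet3'}
    print(can_peer(VNETS["VNet2"], VNETS["VNet4"]))  # False
```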

AzureBastionSubnet minimum size: /26 for Standard SKU. Public IP must
be Standard SKU, static assignment, IPv4.

NSG regional constraint. An NSG can only be associated with subnets in
the same region as the NSG. Cross-region association is not possible.

NSG on subnet ≠ control over App Service inbound traffic unless the app
is deployed into that subnet (App Service Environment / Isolated tier). A
VNet-integrated app using the subnet for outbound traffic is not controlled
by a subnet NSG for inbound requests.

Standard Load Balancer requirements: Standard SKU public IPs only.
VMs must have an NSG configured. IPv6 addresses are not supported as
frontend IPs on a Standard public load balancer.

Private endpoint vs service endpoint:

  • Private endpoint — gives a PaaS resource a private IP in your VNet, traffic stays off the public internet
  • Service endpoint — optimises routing to the PaaS service but does not give it a private IP

📖 Full networking sub-topic breakdown including NSG rules, Bastion, DNS,
and peering: AZ-104 Domain 04 — Networking


Domain 05 — Monitor and Maintain (10–15%)

Recovery Services vault vs Backup vault — know which protects what:

  • Recovery Services vault — Azure VMs, Azure Files, SQL in Azure VMs, on-premises workloads
  • Backup vault — Azure Managed Disks, Azure Database for PostgreSQL, Azure Blobs at account level
  • Blob containers cannot be protected by either vault — use blob soft delete or versioning instead

Alert rules target the Log Analytics workspace, not the VM, when
monitoring Windows event log entries. Event log data is collected into the
workspace — the alert must target the workspace.

Budgets send notifications. They do not stop resources. (Worth
repeating — this appears in both Domain 01 and Domain 05 contexts.)

Alert suppression rules prevent notifications, but the alert still fires
and appears in the portal. Suppression ≠ cancelling the alert.

Activity log alert scope inheritance: An operation on a resource
triggers alerts scoped to that resource AND alerts scoped to its parent
resource group. An operation on the resource group itself only triggers the
RG-scoped alert — not any resource-scoped alerts.
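This rule and the RBAC scope-inheritance rule from Domain 01 are the same downward match on resource IDs, so one example covers both. The Python below (an added example, not from the original post) applies it to constructed alert scopes and role assignments; the subscription GUID, resource names and the management-group membership table are placeholders.

```python
# Azure scope inheritance flows downward only: management group > subscription >
# resource group > resource. Activity log alert scopes follow the same rule.
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def scope_covers(scope: str, target: str, mg_members: dict) -> bool:
    """True when something assigned at `scope` applies to `target`, i.e. target is the
    scope itself or lies beneath it. Resource IDs are case-insensitive, so compare
    lowercased. mg_members maps a lowercase management-group name to the set of
    subscription IDs it contains (membership is not encoded in the resource ID)."""
    s, t = scope.lower().rstrip("/"), target.lower().rstrip("/")
    if s.startswith(MG_PREFIX):               # MG scope: covers each member subscription
        subs = mg_members.get(s[len(MG_PREFIX):], set())
        return any(scope_covers(f"/subscriptions/{sub}", t, mg_members) for sub in subs)
    return t == s or t.startswith(s + "/")   # segment-aligned prefix; never flows upward

def alerts_triggered(operation_target: str, alert_scopes: dict, mg_members=None) -> list:
    """Names of activity log alert rules whose scope contains the operation's target."""
    return sorted(name for name, scope in alert_scopes.items()
                  if scope_covers(scope, operation_target, mg_members or {}))

def effective_roles(principal: str, target: str, assignments, mg_members: dict) -> list:
    """Roles a principal holds on target, given assignments of (principal, role, scope)."""
    return sorted({role for who, role, scope in assignments
                   if who == principal and scope_covers(scope, target, mg_members)})

# --- constructed sample: placeholder subscription, RG, VM and management group ---
SUB = "00000000-0000-0000-0000-000000000001"
RG = f"/subscriptions/{SUB}/resourceGroups/rg1"
VM = f"{RG}/providers/Microsoft.Compute/virtualMachines/vm1"
MG_MEMBERS = {"mg-prod": {SUB}}
ALERTS = {"vm-alert": VM, "rg-alert": RG}
ASSIGNMENTS = [
    ("alice", "Reader", "/providers/Microsoft.Management/managementGroups/mg-prod"),
    ("alice", "Contributor", VM),
    ("bob", "Owner", VM),
]

if __name__ == "__main__":
    print(alerts_triggered(VM, ALERTS))                           # ['rg-alert', 'vm-alert']
    print(alerts_triggered(RG, ALERTS))                           # ['rg-alert']
    print(effective_roles("alice", VM, ASSIGNMENTS, MG_MEMBERS))  # ['Contributor', 'Reader']
    print(effective_roles("bob", RG, ASSIGNMENTS, MG_MEMBERS))    # [] -- Owner on vm1 does not flow up
```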

Site Recovery subnet matching: During test failover, Site Recovery maps
source subnets to target subnets by matching subnet names. If the same
subnet name exists in the target VNet, the VM is connected to it.

📖 Full monitoring and backup sub-topic breakdown:
AZ-104 Domain 05 — Monitor and Maintain


One More Thing

A cheat sheet gets you through the last 48 hours. What gets you through
the exam itself is working through real scenario-based questions under
timed conditions — the format the AZ-104 actually uses.

If you haven't done full-length timed practice tests yet, that's the
highest-leverage thing you can do before exam day.

Try a FREE AZ-104 Practice Test on CrackCerts

Good luck. You've got this.
