AZ-104 Azure Administrator Cheat Sheet — 2026 Exam Notes

I sat the AZ-104: Microsoft Azure Administrator exam recently and pulled my revision notes into a single cheat sheet. If you're in the final week before the test, this is the stuff worth memorizing.

Exam at a glance

• Questions: ~40–60 (mix of multiple choice, case studies, and the occasional drag-and-drop / hot-area)
• Time: ~120 minutes
• Pass score: 700 / 1000 (scaled — not a raw 70%)
• Cost: ~$165 USD
• Prereqs: none official, but you'll struggle without hands-on Azure portal + a little CLI/PowerShell

Domain weights (2026 objectives)

Domain	Weight
Manage Azure identities & governance	20–25%
Implement & manage storage	15–20%
Deploy & manage Azure compute resources	20–25%
Configure & manage virtual networking	15–20%
Monitor & maintain Azure resources	10–15%

Networking + compute are the heaviest combined. If you're short on time, drill those two first.

The services that actually show up

Identity & governance

• Entra ID (formerly Azure AD): users, groups, RBAC vs. Azure Policy (RBAC = who can do what; Policy = what is allowed to exist). This distinction is tested constantly.
• Management groups → subscriptions → resource groups → resources (know the scope hierarchy cold).
• Custom roles, Conditional Access basics, self-service password reset.

Storage

• Storage account tiers: Hot / Cool / Cold / Archive — and the rehydration latency for Archive.
• Redundancy: LRS / ZRS / GRS / GZRS — know which survives a region loss (GRS/GZRS) vs. a zone (ZRS).
• SAS tokens, access keys, Azure Files vs. Blob, AzCopy, lifecycle management rules.

Compute

• VM sizing/resizing, availability sets vs. availability zones vs. VMSS.
• Custom images, the difference between a VM Scale Set and a single VM with a load balancer.
• App Service plans, container instances, and when to pick which.

Networking

• NSG rule evaluation order (priority, lowest number wins) — a classic trick question.
• VNet peering (non-transitive!), service endpoints vs. private endpoints.
• Public vs. private load balancer, Application Gateway (L7) vs. Load Balancer (L4), Azure DNS.

Monitoring

• Azure Monitor, Log Analytics + KQL basics, Metrics vs. Logs, alerts + action groups.
• Network Watcher (connection troubleshoot, NSG flow logs), Backup + Recovery Services vault.

Gotchas that cost people the pass

1. VNet peering is NOT transitive — A↔B and B↔C does not give A↔C.
2. NSG priority: lower number = higher priority; the first match wins and stops evaluation.
3. Archive tier blobs can't be read until rehydrated (hours) — watch for "immediate access" wording.
4. ZRS protects a zone, not a region. If the question says "survive a regional outage," you need GRS/GZRS.
5. RBAC ≠ Policy. "Prevent anyone from creating resources outside Europe" → Azure Policy, not RBAC.

Two quick practice questions

Q1. You must guarantee blob data survives a full Azure region outage at lowest cost. Which redundancy?
A: GRS (geo-redundant; GZRS also works but costs more — "lowest cost" → GRS).

Q2. A subnet has an NSG allowing 3389 at priority 300 and denying 3389 at priority 200. Is RDP allowed?
A: No. Priority 200 (deny) is evaluated before 300 and wins.

How I drilled

Reading objectives only gets you so far — the exam is scenario-heavy, so timed question banks are what move the needle. I used a free AZ-104 practice test (no signup, full objective breakdown) to find weak domains, then re-drilled those:

• Free AZ-104 practice test: https://www.examcert.app/exams/azure-az-104/free-practice-test/
• Full AZ-104 study guide & objectives: https://www.examcert.app/exams/azure-az-104/

Drill to a consistent 85%+ across all five domains before booking. Good luck — drop your exam date in the comments and I'll send a focused revision list.