AZ-104 Cheatsheet — High-Yield Defaults, Tables, and Quick Commands
Fast reference for Microsoft Azure Administrator (AZ-104): RBAC scopes, Policy vs Locks, storage redundancy & tiers, private access patterns, load-balancing choices, VM/VMSS tips, monitoring/KQL snippets, backup/restore gotchas.
On this page
Use this as your last-mile cram sheet. Pair with the Syllabus for coverage and Practice to validate speed/accuracy.
Identity, RBAC, Policy, Locks — who does what?
Scope order: Management Group → Subscription → Resource Group → Resource
Inheritance: Most assignments flow down unless explicitly denied/overridden.
| Feature | What it controls | Where you assign | Typical use | Notes |
|---|---|---|---|---|
| RBAC | Who can do which actions | Any scope | Grant least-privilege access | Use built-in roles first; custom JSON as last resort |
| Policy | Compliance/config drift | Any scope | Enforce allowed regions/SKUs/tags | Effects: Deny, Audit, Append, Modify, DeployIfNotExists |
| Locks | Delete vs change protection | RG/Resource | Guardrails for prod assets | Types: CanNotDelete, ReadOnly; can break automation if overused |
| Tags | Metadata for cost/ops | Resource & RG | Owner/Env/CostCenter | Inherit via Policy (Append/Modify) |
Quick checks:
- Effective access: Resource → Access control (IAM) → Check access
- What-If / Policy compliance: Policy → Compliance; Resource → Policies tab
Storage — redundancy, tiers, networking
Redundancy (pick for SLA/region/zone needs)
| Redundancy | Scope | Zone-aware | Cross-region | Notes |
|---|---|---|---|---|
| LRS | Single datacenter | ✖ | ✖ | Cheapest; no zone resilience |
| ZRS | Multiple zones in region | ✔ | ✖ | Zone outage tolerance |
| GRS | Region pair (async) | ✖ | ✔ | Secondary read blocked (unless RA) |
| GZRS | Zones + region pair | ✔ | ✔ | Highest durability in GA regions |
| RA-GRS / RA-GZRS | Adds read access to secondary | — | ✔ | App can read from secondary endpoint |
Access tiers (Blob)
| Tier | Optimized for | Billing | Typical use |
|---|---|---|---|
| Hot | Frequent access | Higher storage, lower access | Active data |
| Cool | Infrequent (≥30 days) | Lower storage, higher access | Logs, backups |
| Archive | Rare (≥180 days) | Lowest storage, highest access; rehydrate | Compliance retention |
Private access decision
- Need private IP & no public exposure? → Private Endpoint + Private DNS zone records
- Same VNet, keep public endpoint but restrict over Microsoft backbone? → Service Endpoints
- Remember DNS: Private Endpoint → create
Arecords in Private DNS Zone; link to VNet (consider split-horizon)
CLI snippets
1# Private Endpoint + Private DNS zone for a storage account
2az network private-dns zone create -g RG -n privatelink.blob.core.windows.net
3az network private-endpoint create -g RG -n pe-stg --vnet-name VNET --subnet SUBNET \
4 --private-connection-resource-id "/subscriptions/<sub>/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/<name>" \
5 --group-id blob --connection-name pe-stg-conn
6# Link zone and add auto-registration if needed (for PaaS zones, usually manual records)
7az network private-dns link vnet create -g RG -n link-stg --virtual-network VNET \
8 --zone-name privatelink.blob.core.windows.net --registration-enabled false
Networking — quick choices
NSG vs ASG
- NSG = stateless rules at subnet/NIC.
- ASG = dynamic group of NICs used as source/destination in NSG rules → fewer rule edits.
Routes & management
- UDR for custom next hops (NVA inspection, forced tunneling).
- Bastion for VM console over HTTPS (no public IP on VM).
Load-balancing chooser
| Need | Pick | Why |
|---|---|---|
| L4/TCP-UDP inside a VNet | Load Balancer | SNAT, HA, health probes |
| L7/WAF, path-based, TLS offload | Application Gateway | App-aware, WAF, rewrite |
| Global anycast + CDN + WAF | Front Door | Global edge, caching, smart routing |
Compute — VM/VMSS essentials
Availability & resilience
- Single VM: Availability Set (fault/update domains) or best: Zones (Z=1/2/3).
- Scale out: VMSS with Zones + autoscale rules.
Images & extensions
1# Create image from a generalized VM and publish to a gallery
2az image create -g RG -n baseImage --source VMNAME
3az sig create -g RG -r MyGallery
4az sig image-definition create -g RG -r MyGallery -i webImage --os-type linux
5az sig image-version create -g RG -r MyGallery -i webImage -e 1.0.0 --target-regions "eastus=2" "westus2=1" --managed-image "/subscriptions/<sub>/resourceGroups/RG/providers/Microsoft.Compute/images/baseImage"
6
7# Run Command (quick script)
8az vm run-command invoke -g RG -n VMNAME --command-id RunShellScript --scripts "sudo apt-get update -y"
Scale set autoscale
1az monitor autoscale create -g RG --resource "/subscriptions/<sub>/resourceGroups/RG/providers/Microsoft.Compute/virtualMachineScaleSets/vmss1" \
2 --min-count 2 --max-count 10 --count 2
3az monitor autoscale rule create -g RG --autoscale-name vmss1 \
4 --condition "Percentage CPU > 70 avg 5m" --scale out 2
5az monitor autoscale rule create -g RG --autoscale-name vmss1 \
6 --condition "Percentage CPU < 30 avg 10m" --scale in 1
Monitoring — alerts, logs, KQL
Metric alert → Action Group
1az monitor action-group create -g RG -n ops-ag --action email Ops ops@example.com
2az monitor metrics alert create -g RG -n cpu-high --scopes "/subscriptions/<sub>/resourceGroups/RG/providers/Microsoft.Compute/virtualMachines/VMNAME" \
3 --condition "avg Percentage CPU > 80" --window-size 5m --evaluation-frequency 1m \
4 --action-group ops-ag
KQL quickies
// VM CPU > 80% in last 24h
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time" and TimeGenerated > ago(24h)
| summarize AvgCPU=avg(CounterValue) by Computer
| where AvgCPU > 80
| order by AvgCPU desc
// NSG denied flows (NSG flow logs sent to LA via NSG Flow Logs v2)
AzureDiagnostics
| where Category == "NetworkSecurityGroupFlowEvent"
| where msg_s contains "Deny"
| summarize count() by bin(TimeGenerated, 1h), srcIp_s, dstIp_s, l4Protocol_s
| order by TimeGenerated desc
// Storage 403s by account
AzureDiagnostics
| where Category == "StorageBlobLogs" or Category == "StorageRead"
| where httpStatusCode_s == "403"
| summarize Count403=count() by StorageAccount=Resource, bin(TimeGenerated, 1h)
| order by TimeGenerated desc
Backup & restore — must-knows
- Protect VMs with policy (schedule, retention). Test a restore (replace vs new).
- Azure Files needs its own backup policy (snapshot vs vault-based options where available).
- Cross-zone awareness: ensure backup vault region/zone coverage meets your RTO/RPO.
- Soft delete (storage, Key Vault) prevents accidental data loss—enable it.
CLI
1# Enable VM backup
2az backup vault create -g RG -n Vault01 -l eastus
3az backup protection enable-for-vm -g RG -v Vault01 --vm VMNAME --policy-name DefaultPolicy
4
5# Restore to a new VM
6az backup restore restore-disks --vault-name Vault01 -g RG --container-name VM;Compute;VMNAME \
7 --item-name VMNAME --rp-name "RecoveryPoint_2025-09-10T01-00-00Z" --storage-account SADEST
Common gotchas (fast fixes)
- 403 to storage from private networks → Missing Private DNS
Arecord; checkprivatelink.*zone link to VNet. - RBAC looks right but still denied → Policy or lock blocking; check Resource → Locks and Policy Compliance.
- Health probe failing on LB → Probe path/port mismatch or NSG blocking probe IPs.
- VMSS rollout stuck → App health probe failing → consider automatic vs rolling upgrade policy, check extension exit codes.
- Costs spiking → Public egress, premium SKUs, orphaned disks/snapshots; use Cost Management filters + tags.
Port & endpoint mini-table
| Service | Default Ports | Notes |
|---|---|---|
| RDP (Windows) | 3389/TCP | Prefer Bastion or JIT access |
| SSH (Linux) | 22/TCP | Prefer Bastion or JIT access |
| HTTP/HTTPS | 80/443 | Offload TLS at App Gateway/Front Door when possible |
| DNS (Private DNS) | 53/UDP/TCP | Forwarders for hybrid name resolution |
| Probe (LB/AppGW) | Custom | Ensure NSG allows health probe source ranges |
Exam patterns (pick the safest, most operable option)
- Least privilege RBAC at lowest workable scope.
- Prefer Zones over single-AZ when SKU/region supports it.
- Private Endpoint for PaaS data plane; fix DNS first when things fail.
- Metric alert for quick symptoms; pivot to KQL for root cause.
- Favor solutions that are repeatable (policy/ARM/Bicep/Terraform) over one-off clicks.
Keep going
- Full objectives: Syllabus →
- Validate under time: Practice →