AZ-104 Syllabus — Objectives by Domain (Administrator)

Blueprint-aligned learning objectives for Microsoft Azure Administrator (AZ-104), organized by domain with quick links to targeted practice.

Use this syllabus as your source of truth for AZ-104. Work through each domain in order and drill targeted sets after every section.

What’s covered

Manage Azure Identities & Governance (20%)

Microsoft Entra ID (formerly Azure AD) — Tenants, Users, Groups

  • Differentiate a tenant from a subscription and explain how identities are scoped across both.
  • Create users and groups; choose between assigned, dynamic user, and dynamic device groups.
  • Assign built-in directory roles (e.g., Global Admin) and explain least-privilege principles.
  • Configure self-service password reset and conditional access basics at a high level.
  • Compare service principals vs app registrations vs enterprise apps.

Access Control to Azure Resources (RBAC & Managed Identities)

  • Apply RBAC at management group, subscription, resource group, and resource scopes.
  • Select appropriate built-in roles and design a custom role with least privileges.
  • Enable system-assigned vs user-assigned managed identities for apps/VMs.
  • Grant a managed identity access to Azure resources (e.g., Key Vault secrets).
  • Audit access with Access control (IAM) blade and activity logs.

Governance: Management Groups, Policy, and Tagging

  • Organize subscriptions under management groups aligned to landing zones.
  • Enforce standards using Azure Policy definitions, parameters, assignments, and initiatives.
  • Use policy effects (Deny, Audit, Append, DeployIfNotExists) and remediation tasks.
  • Apply tags for cost/showback and automate tag inheritance where possible.
  • Evaluate compliance state and remediate drift.

Cost Management, Budgets, and Locks

  • Analyze cost by subscription, resource group, tag, and service in Cost Management.
  • Create budgets with alerts and forecast spend using built-in views.
  • Explain Reservation and Savings Plan basics for VMs and compute.
  • Apply Read-only and Delete locks to protect critical resources.
  • Identify and stop cost leaks (unused IPs, idle disks, over-provisioned SKUs).

Identity Lifecycle & Privileged Access

  • Integrate on-prem identities with Microsoft Entra Connect Sync (high level).
  • Use Privileged Identity Management (PIM) for time-bound role assignments.
  • Set up access reviews and approvals for role governance.
  • Describe break-glass accounts and emergency access procedures.
  • Harden sign-in with MFA/conditional access (concepts for admins).

Infrastructure as Code & Resource Organization

  • Deploy resources with ARM templates and Bicep; compare pros/cons.
  • Parameterize and re-use deployments; store templates in template specs.
  • Use Azure Resource Graph to query inventory at scale.
  • Design naming conventions and resource group strategies.
  • Automate role assignments and policy with Bicep/ARM.

Implement & Manage Storage (15%)

Accounts, Tiers, and Redundancy

  • Choose between General-purpose v2 and premium block/page blob accounts.
  • Select access tiers (Hot/Cool/Archive) and lifecycle transitions.
  • Contrast LRS, ZRS, GRS, GZRS, and their read-access variants for DR.
  • Configure encryption at rest with Microsoft-managed vs customer-managed keys.
  • Set up soft delete and versioning for data protection.

Blob Storage & Secure Access

  • Create containers and set access levels (private/Blob/Container).
  • Generate SAS: account SAS, service SAS, and user delegation SAS.
  • Restrict access with Storage firewalls, private endpoints, and network rules.
  • Apply immutability policies (time-based retention, legal hold).
  • Upload/migrate with AzCopy and Storage Explorer.

Azure Files, NFS, and Authentication

  • Deploy Azure Files SMB and configure Kerberos/NTLM auth.
  • Join storage accounts to Microsoft Entra Domain Services for SMB ACLs.
  • Enable NFS for Linux workloads and set POSIX permissions (ADLS Gen2).
  • Implement Azure File Sync and cloud tiering on Windows Server.
  • Plan quotas, snapshots, and backup for file shares.

Data Lake Storage Gen2 & ACLs

  • Enable hierarchical namespace and explain benefits for big-data workloads.
  • Manage POSIX-like ACLs on files and folders.
  • Use role assignments + ACLs together for secure access patterns.
  • Optimize performance with folder layout, partitioning, and batch ingestion.
  • Troubleshoot permission denials with effective permission checks.

Protection, Backup, and Replication

  • Configure Backup vault to protect Azure Files and Blobs (supported scenarios).
  • Set blob versioning, point-in-time restore, and change feed.
  • Plan cross-region replication and failover for GRS/GZRS accounts.
  • Automate lifecycle rules for retention and cost control.
  • Validate RPO/RTO with test restores and failover drills.

Monitoring, Metrics, and Troubleshooting

  • Enable diagnostic settings to Log Analytics for request logs and metrics.
  • Analyze latency, throttling, and 4xx/5xx errors.
  • Alert on capacity thresholds and transaction anomalies.
  • Use Storage insights workbooks in Azure Monitor.
  • Resolve common issues (permissions, network rules, SAS expiry).

Deploy & Manage Azure Compute Resources (25%)

Virtual Machines: Images, Sizes, and Disks

  • Provision Windows/Linux VMs; choose vCPU/RAM/accelerated networking SKUs.
  • Use Azure Compute Gallery (SIG) for custom images and versioning.
  • Select OS/data disk types (Standard/Premium SSD v2, Ultra) and performance tiers.
  • Deploy ephemeral OS disks and understand use cases.
  • Automate VM creation with cloud-init/Custom Script Extension.

Availability, Scale, and Resiliency

  • Place VMs in availability sets vs across availability zones.
  • Scale with VM Scale Sets (uniform vs flexible orchestration).
  • Configure autoscale rules based on metrics/schedules.
  • Design for SLA and plan maintenance (host updates, reboots).
  • Plan proximity placement groups for low latency.

Access, Identity, and Secrets

  • Enable Azure Bastion and just-in-time VM access via Defender for Cloud.
  • Assign managed identities and retrieve secrets from Key Vault.
  • Configure SSH keys vs passwords; disable password auth for Linux.
  • Harden Windows with RDP restrictions and Network Level Authentication.
  • Audit VM sign-in and command execution logs.

Updates, Extensions, and Configuration Management

  • Onboard VMs to Azure Update Manager; schedule patch deployments.
  • Install the Azure Monitor Agent and required extensions.
  • Apply Desired State Configuration (DSC) concepts and VM applications.
  • Use Run Command for ad-hoc remediation without RDP/SSH.
  • Standardize baseline with tags, policy, and images.

Backup, Restore, and DR for Compute

  • Protect VMs with Azure Backup vaults and define retention policies.
  • Run test restores (file-level and full) and validate consistency.
  • Replicate VMs with Azure Site Recovery; plan failover/failback.
  • Set RPO/RTO targets and DR runbooks for governance.
  • Estimate costs and optimize storage for backups/replicas.

Containers and App Hosting (Admin View)

  • Compare VM-based hosting vs Azure App Service vs Azure Container Apps/AKS (high level).
  • Deploy a container image to Container Instances with VNet integration.
  • Configure managed identity and secret mounting for apps.
  • Set autoscale for App Service/Container Apps based on metrics.
  • Monitor app logs with Log Analytics and Container Insights.

Configure & Manage Virtual Networking (25%)

VNets, Subnets, IP Addressing, and Name Resolution

  • Plan address spaces; avoid overlap and design subnetting strategy.
  • Configure public, private, and reserved IPs; explain ephemeral ports.
  • Set up Azure DNS public/private zones and DNS forwarding.
  • Integrate with on-prem DNS via Azure DNS Private Resolver.
  • Diagnose name resolution issues with nslookup and VM network tools.

Traffic Control: NSGs, ASGs, and Routing

  • Create NSG rules (priority, direction, service tags) and apply to subnets/NICs.
  • Group workloads with ASGs and reference in NSG rules.
  • Customize user-defined routes for NVA inspection or tunneling.
  • Explain effective security rules and flow logs for visibility.
  • Troubleshoot drops with NSG diagnostics and packet capture.

Connectivity: Peering, VPN, and ExpressRoute

  • Peer VNets (same/different regions/subscriptions) with gateway transit.
  • Deploy site-to-site VPN with policy-based vs route-based VPN.
  • Contrast ExpressRoute circuits, peering types, and redundancy patterns.
  • Secure hybrid links with BGP and route filters (conceptual).
  • Validate connectivity with Network Watcher connection troubleshoot.

Inbound/Outbound Control: LB, App Gateway, NAT, and WAF

  • Choose Basic vs Standard Load Balancer; configure health probes and rules.
  • Deploy Application Gateway with WAF for L7 routing and TLS offload.
  • Provide internet egress with NAT Gateway vs SNAT on LB.
  • Compare Azure Firewall vs NSG for east-west/north-south control.
  • Implement Private Link/Endpoints to access PaaS privately.

Bastion, Private Access, and Secure Remote Admin

  • Harden admin access with Azure Bastion and disable public RDP/SSH.
  • Publish management endpoints via Private Link where supported.
  • Use Just-in-Time access and role-based approvals.
  • Capture session logs for auditing and incident response.
  • Test lateral movement protections with segmentation patterns.

Monitoring & Troubleshooting Networking

  • Enable Network Watcher and diagnostic settings for key resources.
  • Use Connection Monitor, IP flow verify, and next hop tools.
  • Analyze NSG flow logs and insights for traffic trends.
  • Interpret metrics for LB/App Gateway (health, latency, errors).
  • Resolve common causes: asymmetric routing, overlapping CIDRs, DNS leaks.

Monitor & Maintain Azure Resources (15%)

Azure Monitor, Metrics, and Logs

  • Architect the Monitor pipeline: data sources → Metrics/Logs → alerts → actions.
  • Create metric alerts (static/dynamic thresholds) and log alerts (KQL).
  • Build dashboards and workbooks for operations views.
  • Understand Azure Monitor Agent vs legacy agents and data collection rules.
  • Control ingestion and retention to manage costs.

Log Analytics & KQL Essentials

  • Navigate tables, schemas, and solutions in a Log Analytics workspace.
  • Write basic KQL: where, summarize, join, extend, render.
  • Query VMInsights/ContainerInsights and Activity/Resource logs.
  • Schedule queries for alerts and export to Event Hub/Storage.
  • Troubleshoot agent connectivity and data gaps.

Backup, Recovery, and Business Continuity

  • Protect VMs, Files, and selected PaaS with Backup; set vault redundancy.
  • Run test restores and track jobs, alerts, and soft delete behavior.
  • Design ASR for regional DR and perform planned/unplanned failover.
  • Document runbooks and recovery steps; test regularly.
  • Align recovery plans with RPO/RTO and compliance needs.

Updates, Compliance, and Security Posture

  • Use Azure Update Manager for patch orchestration and reports.
  • View compliance posture with Policy/Defender for Cloud recommendations.
  • Remediate guest configuration drift (Guest Configuration policies).
  • Investigate resource health and Service Health advisories.
  • Automate fixes with Logic Apps/Automation runbooks.

Alerts, Action Groups, and Incident Workflow

  • Create action groups (email/webhook/ITSM/Logic App) and reuse across alerts.
  • Reduce noise with dynamic thresholds and alert processing rules.
  • Integrate with ITSM tools for ticketing and escalation.
  • Track alert lifecycle and ownership via tags/ITSM fields.
  • Design on-call rotations and document runbooks.

Automation, Scripting, and Maintenance Windows

  • Automate admin tasks with Azure CLI/PowerShell and Cloud Shell.
  • Schedule tasks with Automation Accounts/runbooks and Managed Identity.
  • Use REST/Graph/ARM/Bicep for idempotent maintenance operations.
  • Coordinate change windows and apply resource locks temporarily.
  • Log changes for audit and rollback using deployments history.

Tip: After finishing a domain, take a 20–25 question drill focused on that domain, then revisit weak objectives before moving on.