AZ-104: Azure Administrator — Exam Overview

What Is This Exam?

AZ-104 certifies you as an Azure Administrator — the person who deploys, manages, and monitors Azure resources day-to-day. This is a practitioner exam, not an architect exam. You are tested on how to operate Azure, not what pattern to choose.

Think like an IT admin with Azure hands, not like a cloud architect.

Exam At a Glance

Question Types

Understanding the format is half the battle.

1. Multiple Choice (most common)

Pick one of four. Read all options before answering — Microsoft loves to make two answers "almost right." The wrong options are usually right in a different context.

2. Multiple Select

"Select all that apply" or "select two." No penalty for wrong answers — never leave blanks.

3. Drag and Drop / Order

Match concepts to categories or arrange steps. Common for replication type comparisons, backup tiers, or deployment sequences.

4. Hot Area

Click the correct region of a screenshot or diagram. Usually tests which portal blade or button to use.

5. Case Studies

A scenario followed by several related questions. Read the scenario once carefully before answering. All questions in a case study share the same context — earlier answers don't lock in your choices.

6. Live Lab Tasks (hardest section)

You get a real Azure environment and must complete hands-on tasks:

• Example: "Create a storage account named stprod001 in West US with Zone-Redundant Storage."
• Tasks are pass/fail per task. Partial work doesn't score.
• This section is at the end of the exam and cannot be skipped once started.
• Allocate at least 30 minutes for labs.

⚠️ You cannot return to earlier multiple-choice sections once you start the lab section.

Domain Weights

Compute is the highest-weight domain. Networking is the trickiest. Identities has the most common conceptual trap.

Scoring

Microsoft uses scaled scoring — harder questions are worth more points. You need 700/1000, which is roughly 70%, but because of scaling, targeting 80%+ correct is the realistic safety margin.

There is no penalty for wrong answers — always guess if unsure.

How to Approach the Exam

1. Read the question stem twice. Identify: what resource, what action, what constraint.
2. Eliminate two obviously wrong answers first. You'll usually be choosing between two plausible options — this doubles your focus.
3. Watch for scope qualifiers. Many wrong answers are correct in a different scope (e.g., works for VMs but not App Service, works at subscription but not resource group).
4. "Cheapest / least administrative effort" is usually correct. Microsoft favors the simplest solution that meets the stated requirement.
5. Flag and move. Don't spend more than 2 minutes on any single question during pass 1.
6. Save 30 minutes for live labs. They require real portal navigation and CLI commands.

Domain Quick Map

Domain 1: Identities & Governance
 └─ Entra ID, users/groups, RBAC, Management Groups, Policy, Locks

Domain 2: Storage
 └─ Storage accounts, replication (LRS/GRS/ZRS), tiers, SAS, lifecycle, File Sync

Domain 3: Compute
 └─ VMs, VMSS, availability sets/zones, App Service, ACI, ARM/Bicep, Bastion

Domain 4: Networking
 └─ VNet/NSG/ASG, VNet Peering, VPN/ER, DNS, Load Balancer, App Gateway, Firewall, UDR

Domain 5: Monitor & Maintain
 └─ Azure Monitor, Log Analytics, Alerts, Backup, Site Recovery, Update Manager

3-Month Study Plan

Rule of thumb: If you can't complete a lab task in the portal in under 5 minutes, you need more repetition. Live lab tasks in the real exam have no guide — just memory.

Key Resources

Start your Azure free account today. Reading alone will not pass the live lab section. You need hands-on repetition.

Before Your Exam Day

• Ensure your government ID name exactly matches your Pearson VUE account name
• Test your environment (webcam, mic, desk space) if taking online — do the system check 24 hours before
• Arrive (or open the online check-in) 15 minutes early
• No notes, no second monitors, no phones
• Water is allowed in a clear container at most testing centers

Domain 1: Manage Azure Identities and Governance

Exam weight: 15–20%

This domain tests whether you can manage who has access to what in Azure and enforce organization-wide rules on resources. It contains the single most common exam trap: Entra ID roles vs Azure RBAC roles — they are completely separate systems.

1.1 Microsoft Entra ID (formerly Azure AD)

Entra ID is Azure's cloud-based identity directory. Every Azure subscription is associated with exactly one Entra ID tenant. The tenant is the trust boundary for all identities.

Tenant vs Subscription

A subscription belongs to exactly one tenant. A tenant can own many subscriptions.

User Types

Group Types

Group Membership

Exam trap: Dynamic groups require Entra ID P1 license. Any question that says "automatically add users based on attributes with no manual effort" implies dynamic groups and P1 licensing.

Managed Identities

A managed identity is a service principal automatically managed by Azure — no credentials to store or rotate.

Exam trap: If a question asks "the VM is recreated and must retain its existing role assignments," the answer is user-assigned managed identity because system-assigned gets a new Object ID on recreation.

1.2 Azure RBAC

Azure Role-Based Access Control governs what Azure actions a principal can perform on Azure resources. It is completely separate from Entra ID roles.

RBAC Answers Three Questions

1. Who? — Security principal (user, group, service principal, managed identity)
2. What? — Role definition (a named set of permitted Actions)
3. Where? — Scope

Scope Hierarchy

Root Management Group (tenant root)
 └─ Management Group
     └─ Subscription
         └─ Resource Group
             └─ Resource

• RBAC assignments are inherited downward.
• Assignments are additive — a user gets the union of all role assignments at all scopes.
• There is no implicit deny — only explicit role assignments or deny assignments block access.

Key Built-in Roles

Exam trap: A Contributor cannot assign roles. If a question asks who can grant the Contributor role to another user, the answer is Owner or User Access Administrator — not Contributor.

Exam trap: A Contributor cannot create or delete resource locks. Managing locks requires Microsoft.Authorization/locks/*, which Contributor explicitly excludes.

Deny Assignments

• Cannot be created manually by users.
• Created by Azure Blueprints and Managed Applications.
• Take precedence over role assignments — they block even Owners.

Custom Roles

• Define Actions, NotActions, DataActions, NotDataActions.
• Scope is set per-subscription or per-management-group.
• The NotActions field removes actions from what Actions allows — it is not a deny, just a subtraction.

1.3 Entra Roles vs Azure RBAC Roles — The #1 Exam Trap

These are two completely separate systems that just happen to live in the same Azure portal.

Global Admin can elevate to Azure: In Entra settings, a Global Administrator can grant themselves the User Access Administrator Azure RBAC role on all subscriptions (one-time toggle). This is not automatic — it must be explicitly done.

Exam scenario: "A user is the Global Administrator in Entra ID. They try to create a VM. It fails." → Reason: Global Admin has no Azure RBAC permissions unless explicitly granted. They need at minimum Contributor on the target scope.

1.4 Management Groups

Hierarchy

Root Management Group (auto-created, represents the tenant)
 ├─ Management Group: Corp
 │   ├─ Subscription: Prod
 │   └─ Subscription: Dev
 └─ Management Group: External
     └─ Subscription: Partner

• Up to 6 levels of nesting (not counting root).
• A subscription can be in only one management group at a time.
• RBAC and Policy assignments inherit to all child subscriptions and resources.
• Moving a subscription between management groups transfers the inherited assignments.

Moving Resources Between Subscriptions

• Most resources can be moved with az resource move.
• Restrictions: target subscription must be in the same Entra tenant.
• Resource IDs change after a move — update automation scripts and monitoring rules.
• Some resources cannot be moved: Azure AD Domain Services, ExpressRoute circuits with VNet links.

1.5 Azure Policy

Azure Policy enforces organizational standards on resources independently of RBAC. A user with Contributor can be blocked by a Policy.

Effect Types — Must Know All

Exam trap — DeployIfNotExists: It runs after resource creation for new resources, but for existing non-compliant resources you must manually trigger a Remediation Task. It does not retroactively fix existing resources automatically.

Exam trap — Append vs Modify: Use Append to add new properties (like tags). Use Modify to change or remove existing properties. In practice, Modify is replacing Append for tag scenarios.

Initiatives (Policy Sets)

An initiative (policy set) bundles multiple policies into one assignable unit. Example: the "Enable Microsoft Defender for Cloud" initiative bundles 20+ individual policies.

Policy vs RBAC — How They Interact

1. Request arrives → RBAC is evaluated first.
2. If RBAC allows it → Policy is evaluated.
3. If Policy says Deny → request is rejected, even for Owners.

1.6 Resource Locks

Locks prevent accidental deletion or modification. Applied at resource, resource group, or subscription — inherited downward.

ReadOnly Gotchas

ReadOnly sounds simple but it blocks any ARM write action on the management plane, including:

• Listing storage account access keys (listKeys is classified as a write)
• Starting or stopping a VM (start/deallocate are write operations)
• Scaling an App Service plan

Exam trap: A ReadOnly lock on a storage account prevents listing access keys, even for an Owner. This is one of the most common exam questions.

Who Can Manage Locks

Requires Microsoft.Authorization/locks/* — included in Owner and User Access Administrator only. Contributor cannot create or delete locks.

Section Takeaways

Confusing Points — Clarified

Q: Does assigning Owner at a Management Group make the user Owner of all subscriptions under it? A: Yes. RBAC inherits downward through the full hierarchy — management group → subscription → resource group → resource.

Q: Can Azure Policy block a Global Administrator from creating a resource? A: From an Azure resource perspective, yes — if the Policy has a Deny effect. The Global Admin has no special bypass for Azure Policy. (They could remove the policy assignment if they also have the right Azure RBAC, but that's a different action.)

Q: What's the difference between NotActions and a Deny assignment? A: NotActions in a custom role is subtraction from Actions — it removes permissions from the allow list. A Deny assignment is an explicit block that overrides all role assignments, even Owner.

Q: Can a Contributor delete a resource that has a CanNotDelete lock? A: No. The lock blocks deletion regardless of RBAC role. The Contributor also cannot remove the lock (requires Owner/UAA). Both vectors are blocked.

Lab 01: RBAC, Policies, and Resource Locks

Estimated time: 45–60 minutes Difficulty: ⭐⭐☆☆☆ Environment: Azure free account — portal + Azure CLI

Prerequisites

• Azure free account with an active subscription
• Azure CLI ≥ 2.50 (az --version)
• Logged in: az login

Set your default subscription:

az account set --subscription "<your-subscription-id>"
az account show --query "{name:name, id:id}" -o table

Lab Objectives

By the end you will have:

1. Created two Entra ID users and a security group
2. Assigned scoped RBAC roles (Contributor to group, Reader to user)
3. Verified access boundaries — what Contributor can and cannot do
4. Created a Deny policy blocking a specific resource type
5. Applied a CanNotDelete lock and confirmed Contributor cannot remove it

Step 1: Create the Lab Resource Group

az group create \
  --name rg-az104-lab01 \
  --location eastus

echo "Resource group created."

All resources in this lab are scoped to this RG. This contains blast radius.

Step 2: Create Two Entra ID Users

Requires User Administrator or Global Administrator in Entra ID. On a personal free Azure account you typically have Global Admin.

# Discover your tenant's default domain
DOMAIN=$(az rest \
  --method GET \
  --url "https://graph.microsoft.com/v1.0/organization" \
  --query "value[0].verifiedDomains[?isDefault].name | [0]" \
  --output tsv)

echo "Tenant domain: $DOMAIN"

# Create Alice (will get Contributor via group)
az ad user create \
  --display-name "Alice Storage" \
  --user-principal-name "alice@$DOMAIN" \
  --password "P@ssw0rd!Azure104" \
  --force-change-password-next-sign-in false

# Create Bob (will get Reader directly)
az ad user create \
  --display-name "Bob ReadOnly" \
  --user-principal-name "bob@$DOMAIN" \
  --password "P@ssw0rd!Azure104" \
  --force-change-password-next-sign-in false

# Capture Object IDs — required for all subsequent operations
ALICE_ID=$(az ad user show --id "alice@$DOMAIN" --query id --output tsv)
BOB_ID=$(az ad user show --id "bob@$DOMAIN" --query id --output tsv)

echo "Alice OID: $ALICE_ID"
echo "Bob OID:   $BOB_ID"

⚠️ Tricky spot: --assignee in az role assignment create accepts UPN, Object ID, or display name — but in federated tenants (AAD Connect, ADFS), UPN-based lookup can fail silently or resolve to the wrong user. Always use Object ID in production and exam automation scripts.

Step 3: Create a Security Group and Add Alice

# Create the group
GROUP_ID=$(az ad group create \
  --display-name "Storage-Admins" \
  --mail-nickname "Storage-Admins" \
  --query id --output tsv)

echo "Group OID: $GROUP_ID"

# Add Alice to the group
az ad group member add \
  --group "Storage-Admins" \
  --member-id $ALICE_ID

# Verify
az ad group member list --group "Storage-Admins" --query "[].displayName" -o tsv

Step 4: Assign RBAC Roles

RG_ID=$(az group show --name rg-az104-lab01 --query id --output tsv)

# Contributor to the Storage-Admins group (scoped to RG)
az role assignment create \
  --assignee-object-id $GROUP_ID \
  --assignee-principal-type Group \
  --role "Contributor" \
  --scope $RG_ID

# Reader to Bob directly (scoped to RG)
az role assignment create \
  --assignee-object-id $BOB_ID \
  --assignee-principal-type User \
  --role "Reader" \
  --scope $RG_ID

# Verify both assignments
az role assignment list \
  --resource-group rg-az104-lab01 \
  --query "[].{Principal:principalName, Role:roleDefinitionName, Scope:scope}" \
  -o table

Why use --assignee-principal-type? It skips an extra Graph API lookup and prevents errors in tenants with strict Graph API permissions. Always use it when you have the Object ID.

Step 5: Test What Contributor Can and Cannot Do

Create a storage account as Alice's action (you're still the admin here, but simulate the outcome):

# Create a storage account — a Contributor CAN do this
SA_NAME="staz104$(openssl rand -hex 4)"
az storage account create \
  --name $SA_NAME \
  --resource-group rg-az104-lab01 \
  --location eastus \
  --sku Standard_LRS

echo "Storage account: $SA_NAME"

Now test what Contributor cannot do — try to create a role assignment:

# This SHOULD fail if run as Alice (Contributor)
# Running as admin here to demonstrate the concept
az role assignment create \
  --assignee-object-id $BOB_ID \
  --assignee-principal-type User \
  --role "Reader" \
  --scope $RG_ID
# → AuthorizationFailed: Contributor does not have Microsoft.Authorization/roleAssignments/write

Takeaway: Contributor sees and manages resources, but role management is reserved for Owner and User Access Administrator. The exam will test this boundary multiple times.

Step 6: Create a Custom Deny Policy

Create a policy that denies creation of public IP addresses in this resource group — simulating a "no public internet exposure" governance rule.

SUB_ID=$(az account show --query id --output tsv)

# Define the policy
az policy definition create \
  --name "deny-public-ip" \
  --display-name "Deny Public IP Creation" \
  --description "Blocks creation of Public IP resources" \
  --rules '{
    "if": {
      "field": "type",
      "equals": "Microsoft.Network/publicIPAddresses"
    },
    "then": {
      "effect": "deny"
    }
  }' \
  --mode All \
  --subscription $SUB_ID

# Assign the policy to the resource group
az policy assignment create \
  --name "deny-public-ip-rg" \
  --display-name "Deny Public IP in Lab RG" \
  --policy "deny-public-ip" \
  --scope $RG_ID

Test the policy — this should fail:

# Wait 2-3 minutes for policy to propagate, then test
az network public-ip create \
  --name pip-blocked \
  --resource-group rg-az104-lab01 \
  --location eastus \
  --sku Standard
# Expected error: RequestDisallowedByPolicy
# Error code: PolicyViolation

⚠️ Tricky spot: Policy assignments have a 5–10 minute propagation delay in real Azure tenants. If the creation succeeds immediately, wait a few minutes and retry. In the exam's live lab environment the propagation is faster.

⚠️ Tricky spot: If you have an existing public IP resource already in the RG (created before the policy), the policy does NOT delete it — Deny effect only blocks future creation/modification. To report existing non-compliance, use Audit effect or check compliance under the policy assignment.

Step 7: Apply a Resource Lock

# Apply CanNotDelete lock on the resource group
az lock create \
  --name "protect-lab01" \
  --resource-group rg-az104-lab01 \
  --lock-type CanNotDelete \
  --notes "Exam lab protection lock"

# Verify
az lock list --resource-group rg-az104-lab01 -o table

Test the lock — try to delete the RG (will fail):

az group delete --name rg-az104-lab01 --yes
# Expected: ScopeLocked — cannot delete a resource group with a CanNotDelete lock

Now test that Contributor CANNOT remove the lock:

Even though Alice has Contributor on the RG, she cannot delete the lock:

# As Alice (Contributor), this would fail:
az lock delete \
  --name "protect-lab01" \
  --resource-group rg-az104-lab01
# Expected: AuthorizationFailed — Contributor lacks Microsoft.Authorization/locks/delete

Only Owner or User Access Admin can delete the lock:

# As admin (Owner), this succeeds:
az lock delete \
  --name "protect-lab01" \
  --resource-group rg-az104-lab01

Step 8: Clean Up

Cleanup order matters — remove assignments and policies before deleting the RG.

# 1. Remove policy assignment (policy blocks cleanup otherwise)
az policy assignment delete \
  --name "deny-public-ip-rg" \
  --scope $RG_ID

# 2. Delete the resource group (no lock now, so this works)
az group delete --name rg-az104-lab01 --yes --no-wait

# 3. Remove Entra ID users and group
az ad user delete --id $ALICE_ID
az ad user delete --id $BOB_ID
az ad group delete --group "Storage-Admins"

# 4. Remove the policy definition (optional — clean namespace)
az policy definition delete --name "deny-public-ip" --subscription $SUB_ID

Lab Tricky Spots Summary

Lab Takeaways

1. Assign RBAC to groups, not individuals — scales better; adding a new admin just means adding to the group.
2. Object IDs over UPNs in CLI scripts — federated tenants make UPN lookups unreliable.
3. Policy lag is real in production — always account for 5–10 minutes propagation.
4. Lock management ≠ resource management — Contributor can create resources but cannot protect or unprotect them with locks.
5. Cleanup has an order — remove policy assignments first, locks second, then resources, then the RG.

Domain 1: Practice Q&A — Identities & Governance

Answer each question before expanding the solution. Aim for under 2 minutes per question.

Q1

Your organization requires that all Azure resources have a CostCenter tag. You want to automatically add the tag (value: Unassigned) to any resource deployed without it — without blocking the deployment.

Which Azure Policy effect should you use?

• A. Deny
• B. Audit
• C. Append
• D. DeployIfNotExists

Q2

A user has the Contributor role assigned at the subscription level. They attempt to delete a resource lock on a resource group. The operation fails with a 403 error. What is the reason?

• A. The lock was created by a Policy, which cannot be deleted via RBAC
• B. The Contributor role does not include Microsoft.Authorization/locks/*
• C. Subscription-level RBAC does not inherit to resource groups
• D. The user must have the Global Administrator role in Entra ID to delete locks

Q3

A VM is regularly deleted and recreated as part of a blue-green deployment pipeline. The VM needs to access Azure Key Vault using a managed identity, and its Key Vault access policy must remain intact across recreations.

Which identity type should you configure?

• A. System-assigned managed identity
• B. User-assigned managed identity
• C. Service principal with a client certificate
• D. Service principal with a client secret

Q4

Your company has three Azure subscriptions: Dev, Staging, and Production. You must enforce a policy preventing creation of any VM with more than 4 vCPUs in all three subscriptions with minimum administrative effort.

What is the most efficient approach?

• A. Create a policy assignment in each of the three subscriptions
• B. Move all subscriptions into a management group and assign the policy once to the management group
• C. Create a custom RBAC role that prevents VM creation and assign it to all subscriptions
• D. Use Azure Blueprints to create one blueprint per subscription

Q5

A developer has the Contributor role on a resource group. They need to grant a new contractor the Reader role on the same resource group. What is the minimum additional permission required?

• A. Owner at the subscription level
• B. User Access Administrator at the resource group level
• C. Security Administrator in Entra ID
• D. The Contributor role is sufficient — they can assign any role within their scope

Q6

A ReadOnly lock is applied to a storage account. A user with the Owner RBAC role attempts to list the storage account's access keys. The operation fails. Why?

• A. Owners cannot list access keys — they need the Storage Account Key Operator Service Role
• B. Listing access keys is classified as a write operation, which ReadOnly locks block
• C. Access keys are managed by Entra ID, not by Azure RBAC
• D. The ReadOnly lock was applied at a higher scope and cascades down

Q7

Which of the following statements about the relationship between Azure Policy and Azure RBAC is TRUE?

• A. A Deny Policy is overridden by an Owner RBAC role assignment
• B. RBAC controls what a principal can attempt; Policy controls whether the attempt succeeds
• C. Azure Policy and Azure RBAC are the same underlying system with different UIs
• D. You must be a Global Administrator in Entra ID to create Policy assignments

Q8

You have an Entra ID user with the User Administrator role. This user has no Azure RBAC assignments. They attempt to create a new virtual machine in a subscription. What happens?

• A. They succeed — User Administrator is a high-privilege Entra role
• B. They fail — Entra ID roles do not grant any Azure resource permissions
• C. They succeed — Entra roles automatically grant Contributor to all subscriptions
• D. They fail — they need to be a Subscription Owner, which requires Global Admin approval

Q9 — Scenario

Your organization is acquiring a company. You need to give their IT team read-only access to all resources in your three production subscriptions with minimum effort. You also want any new production subscriptions created in the future to automatically have this access.

Which combination of steps achieves this?

• A. Assign Reader role to the IT team group in each of the three subscriptions; manually repeat for future subscriptions
• B. Create a management group containing all production subscriptions; assign the Reader role to the IT team group at the management group scope
• C. Add the IT team users as Guest users and assign them Subscription Reader in Entra ID
• D. Create an Azure Blueprint that assigns the Reader role and assign it to each subscription

Q10 — Tricky

You assign a Deny policy at the subscription level that blocks creation of public IP addresses. A user with Owner role on a resource group tries to create a VM with a public IP. What is the result?

• A. The VM and public IP are both created — Owner overrides Policy
• B. Both the VM and public IP creation fail
• C. The public IP creation is blocked, but the VM is created without a public IP
• D. The VM creation fails; the public IP creation succeeds

Domain 2: Implement and Manage Storage

Exam weight: 15–20%

Storage tests your ability to provision and operate Azure's data services. The trickiest parts are replication type trade-offs, SAS token mechanics, and access tier transitions — all of which appear repeatedly in exam questions and live lab tasks.

2.1 Storage Account Types

All Azure storage services (Blob, Files, Queues, Tables) live inside a storage account. The account type determines which services and performance tiers are available.

Exam tip: For any new deployment, use GPv2. The exam will sometimes offer "Blob Storage account" as an option — it's a legacy type that you should not choose unless the question specifically requires it.

2.2 Redundancy (Replication)

This is the highest-frequency storage topic in the exam. Know every acronym, what it protects against, and whether reads can be made from the secondary.

Secondary Endpoint Format

For RA-GRS/RA-GZRS, the secondary read endpoint is:

https://<account>-secondary.blob.core.windows.net

Exam trap: GRS replicates data to a secondary region but you cannot read from the secondary by default. Only RA-GRS (and RA-GZRS) enable reads from the secondary. Questions that say "users in a secondary region must be able to read data even during a primary region outage" → RA-GRS or RA-GZRS.

Exam trap: You can only failover a GRS account to the secondary region if Microsoft declares the primary unavailable — or you manually initiate customer-managed failover. After failover, replication is broken; you must re-enable it.

2.3 Access Tiers

Access tiers apply to Blob storage and control the cost balance between storage cost and access cost.

Archive Rehydration

Blobs in Archive tier are offline — you cannot read them directly. You must rehydrate first:

• Priority: Standard — up to 15 hours
• Priority: High — under 1 hour (higher cost)

Rehydration options:

1. Change the blob tier to Hot or Cool (Set Blob Tier)
2. Copy the blob to a Hot/Cool destination

Exam trap: Archive blobs cannot be read without rehydration. Questions about "immediate read access" → answer must not use Archive tier.

Lifecycle Management Policies

Automate tier transitions and deletions based on rules:

{
  "rules": [{
    "name": "move-to-cool",
    "type": "Lifecycle",
    "definition": {
      "filters": { "blobTypes": ["blockBlob"], "prefixMatch": ["logs/"] },
      "actions": {
        "baseBlob": {
          "tierToCool": { "daysAfterModificationGreaterThan": 30 },
          "tierToArchive": { "daysAfterModificationGreaterThan": 90 },
          "delete": { "daysAfterModificationGreaterThan": 365 }
        }
      }
    }
  }]
}

2.4 Blob Types

Exam tip: VM unmanaged disks = Page blobs. You cannot change blob type after creation.

2.5 Access Control Options

Three ways to authorize access to storage — each with different trade-offs:

1. Access Keys (Account Keys)

• Two keys per account (Key1, Key2) — rotate without downtime.
• Full access to everything in the account — no scoping possible.
• Should be stored in Azure Key Vault, not in code.
• Listing keys is blocked by a ReadOnly lock.

2. Shared Access Signatures (SAS)

A SAS is a URI that grants scoped, time-limited access.

Exam tip: User delegation SAS is the most secure type — it uses Entra identity, not the account key, so rotating keys doesn't affect it. It's scoped to Blob or Data Lake only.

Stored Access Policy

A Stored Access Policy (SAP) is defined on a container (not the account). SAS tokens can reference a SAP by name, which allows you to revoke the SAS without rotating the key — just delete or modify the SAP.

Exam trap: You can only revoke a standalone SAS (not linked to a SAP) by rotating the signing key. If a question says "revoke specific SAS without affecting other SAS tokens" → the answer involves a Stored Access Policy.

3. Managed Identity + Role Assignment

Assign a storage data role to the managed identity:

• Storage Blob Data Reader — read blobs
• Storage Blob Data Contributor — read/write/delete blobs
• Storage Blob Data Owner — full control including POSIX ACLs

Exam tip: For service-to-storage auth, managed identity + RBAC data role is the recommended approach. It eliminates credentials entirely.

2.6 Azure Files

Azure Files provides SMB and NFS file shares in the cloud — a lift-and-shift replacement for on-prem file servers.

Exam trap: Port 445 (SMB) is blocked by many ISPs and corporate firewalls. If users can't mount a file share from home, the fix is to use Azure VPN or Azure File Sync to cache files locally, not to change the port.

Azure File Sync

Extends Azure Files to on-premises servers:

• Install the Azure File Sync agent on Windows Server.
• Enables cloud tiering: frequently accessed files stay local; cold files are tiered to Azure (appear as stubs).
• Multiple servers can sync to the same share — replacing DFS.

2.7 Storage Security

Encryption

• At rest: All data is encrypted by default using Microsoft-managed keys (256-bit AES).
• Customer-managed keys (CMK): Bring your own key stored in Azure Key Vault — you control rotation and revocation.
• In transit: HTTPS is enforced by default (Secure transfer required is on).

Versioning and Soft Delete

Immutability (WORM)

WORM (Write Once Read Many) policies prevent deletion or modification for a set period:

• Time-based retention: Data cannot be modified or deleted for a defined interval.
• Legal hold: Data locked until the hold is explicitly removed.

Used for compliance scenarios (financial records, healthcare). Even storage account admins cannot delete data under an active WORM lock.

Section Takeaways

Confusing Points — Clarified

Q: If GRS replicates to a second region, why can't I read from it? A: Replication is asynchronous and the secondary is a failover target, not a read replica. Microsoft wants to avoid you building apps that depend on eventual consistency without realizing it. You must opt into RA-GRS explicitly to get read access to the secondary.

Q: What happens to SAS tokens if I rotate the account key? A: Any SAS signed with that key immediately becomes invalid. This is why SAP-linked SAS tokens are better — you can invalidate just the policy without rotating the key.

Q: Can I change a blob's access tier at any time? A: Yes, but early deletion fees apply if you move out of Cool (before 30 days), Cold (before 90 days), or Archive (before 180 days).

Q: What's the difference between Storage Blob Data Contributor and Contributor? A: Contributor is an Azure RBAC management-plane role — it can manage the storage account (create containers, change settings) but cannot read/write blob data without also having a data plane role. Storage Blob Data Contributor grants data-plane access (read/write blob content). Both are often needed together.

Lab 02: Storage Account, SAS Tokens, and Lifecycle Policies

Estimated time: 45–60 minutes Difficulty: ⭐⭐☆☆☆ Environment: Azure free account — portal + Azure CLI

Prerequisites

• Azure CLI ≥ 2.50 with az login complete
• az storage extension available (bundled with core CLI)

az account show --query "{name:name, id:id}" -o table

Lab Objectives

1. Create a GPv2 storage account with specific redundancy and access tier
2. Upload blobs and change access tiers manually
3. Configure a lifecycle management policy for automatic tiering
4. Generate a Service SAS token with limited permissions
5. Create a Stored Access Policy and link a SAS to it
6. Revoke the SAP-linked SAS without touching the account key
7. Mount an Azure File share on macOS/Linux (bonus)

Step 1: Create the Storage Account

RG="rg-az104-lab02"
LOCATION="eastus"
# Storage account names: 3-24 chars, lowercase letters and numbers only
SA="staz104lab$(openssl rand -hex 3)"

az group create --name $RG --location $LOCATION

az storage account create \
  --name $SA \
  --resource-group $RG \
  --location $LOCATION \
  --sku Standard_GRS \
  --kind StorageV2 \
  --access-tier Hot \
  --https-only true \
  --min-tls-version TLS1_2

echo "Storage account: $SA"

# Verify
az storage account show \
  --name $SA \
  --resource-group $RG \
  --query "{sku:sku.name, tier:accessTier, kind:kind, tls:minimumTlsVersion}" \
  -o table

Why --https-only true and --min-tls-version TLS1_2? These are exam-common hardening settings and required for most compliance frameworks. Both are defaults in new accounts but worth knowing how to set explicitly.

Step 2: Create a Container and Upload Blobs

# Get the account key for subsequent operations
ACCT_KEY=$(az storage account keys list \
  --account-name $SA \
  --resource-group $RG \
  --query "[0].value" -o tsv)

# Create a container (private access — no anonymous reads)
az storage container create \
  --name "logs" \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --public-access off

# Create some test files and upload
echo "Log entry $(date)" > log1.txt
echo "Log entry $(date)" > log2.txt
echo "Archive data" > archive.txt

az storage blob upload \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --name "2024/jan/log1.txt" \
  --file log1.txt \
  --tier Hot

az storage blob upload \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --name "2024/jan/log2.txt" \
  --file log2.txt \
  --tier Hot

az storage blob upload \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --name "2023/archive.txt" \
  --file archive.txt \
  --tier Hot

# List blobs and verify tiers
az storage blob list \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --query "[].{name:name, tier:properties.blobTier}" \
  -o table

Step 3: Manually Change a Blob's Access Tier

Change the archive blob to Cool tier:

az storage blob set-tier \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --name "2023/archive.txt" \
  --tier Cool

# Verify
az storage blob show \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --name "2023/archive.txt" \
  --query "properties.blobTier" -o tsv

⚠️ Tricky spot: Setting a blob to Archive makes it offline immediately. If you set it to Archive by mistake, you must rehydrate before you can read it — this takes up to 15 hours on Standard priority.

Step 4: Configure a Lifecycle Management Policy

Create a policy that:

• Moves blobs in the logs/ container to Cool after 30 days
• Moves them to Archive after 90 days
• Deletes them after 365 days

cat > lifecycle-policy.json << 'EOF'
{
  "rules": [
    {
      "name": "log-lifecycle",
      "enabled": true,
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": ["blockBlob"],
          "prefixMatch": ["logs/2024/"]
        },
        "actions": {
          "baseBlob": {
            "tierToCool": {
              "daysAfterModificationGreaterThan": 30
            },
            "tierToArchive": {
              "daysAfterModificationGreaterThan": 90
            },
            "delete": {
              "daysAfterModificationGreaterThan": 365
            }
          }
        }
      }
    }
  ]
}
EOF

az storage account management-policy create \
  --account-name $SA \
  --resource-group $RG \
  --policy @lifecycle-policy.json

# Verify the policy was applied
az storage account management-policy show \
  --account-name $SA \
  --resource-group $RG \
  --query "policy.rules[].{name:name, prefix:definition.filters.prefixMatch}" \
  -o table

Lifecycle policies run once per day. You won't see tier changes instantly in the lab — but you will be tested on the JSON structure and the daysAfterModificationGreaterThan logic in the exam.

Step 5: Create a Service SAS Token

Generate a SAS token scoped to the logs container with read-only permission, expiring in 1 hour:

# SAS expiry: 1 hour from now
EXPIRY=$(date -u -v+1H "+%Y-%m-%dT%H:%MZ" 2>/dev/null || date -u -d "+1 hour" "+%Y-%m-%dT%H:%MZ")

SAS_TOKEN=$(az storage container generate-sas \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --name "logs" \
  --permissions "rl" \
  --expiry $EXPIRY \
  --https-only \
  --output tsv)

echo "SAS Token: $SAS_TOKEN"

# Construct the full URL for a specific blob
BLOB_URL="https://$SA.blob.core.windows.net/logs/2024/jan/log1.txt?$SAS_TOKEN"
echo "Full URL: $BLOB_URL"

# Test read access using the SAS
curl -s "$BLOB_URL"

Test that write is denied:

# Try to upload with a read-only SAS — should fail with 403
az storage blob upload \
  --account-name $SA \
  --sas-token $SAS_TOKEN \
  --container-name "logs" \
  --name "unauthorized-write.txt" \
  --file log1.txt
# Expected: AuthorizationPermissionMismatch

⚠️ Tricky spot: SAS permissions are a string of letters (r=read, w=write, d=delete, l=list, a=add, c=create). They are not validated for logic conflicts — you can accidentally give too many permissions if you're not careful.

Step 6: Create a Stored Access Policy and Revoke It

A Stored Access Policy (SAP) lets you revoke SAS tokens by modifying the policy — without rotating the account key.

# Create a Stored Access Policy on the container
az storage container policy create \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --name "read-policy" \
  --permissions "rl" \
  --expiry $EXPIRY

# Create a SAS that references this policy
SAP_SAS=$(az storage container generate-sas \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --name "logs" \
  --policy-name "read-policy" \
  --https-only \
  --output tsv)

echo "SAP-linked SAS: $SAP_SAS"

# Test read access works
curl -s "https://$SA.blob.core.windows.net/logs/2024/jan/log1.txt?$SAP_SAS"

Revoke by deleting the Stored Access Policy:

# Delete the SAP — this immediately invalidates all SAS tokens linked to it
az storage container policy delete \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --name "read-policy"

# Test: the SAP-linked SAS should now return 403
curl -I "https://$SA.blob.core.windows.net/logs/2024/jan/log1.txt?$SAP_SAS"
# Expected: 403 Forbidden — AuthorizationPermissionMismatch or similar

This is the key exam distinction: SAP-linked SAS → revoke by deleting the SAP. Standalone SAS → can only invalidate by rotating the account key (affects ALL SAS signed with that key).

Step 7: Enable Soft Delete (Bonus)

# Enable blob soft delete with 7-day retention
az storage account blob-service-properties update \
  --account-name $SA \
  --resource-group $RG \
  --enable-delete-retention true \
  --delete-retention-days 7

# Delete a blob
az storage blob delete \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --name "2024/jan/log1.txt"

# List deleted blobs (only visible with --include d)
az storage blob list \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --include d \
  --query "[?deleted==\`true\`].{name:name, deleted:deleted}" \
  -o table

# Undelete (restore)
az storage blob undelete \
  --account-name $SA \
  --account-key $ACCT_KEY \
  --container-name "logs" \
  --name "2024/jan/log1.txt"

Step 8: Clean Up

az group delete --name $RG --yes --no-wait
rm -f log1.txt log2.txt archive.txt lifecycle-policy.json

Lab Tricky Spots Summary

Lab Takeaways

1. Account key = total access — always prefer SAS or Managed Identity over keys in production.
2. SAP-linked SAS is the only revocable SAS without rotating the account key.
3. Archive tier makes blobs offline — model your data before archiving.
4. Lifecycle policies are declarative — write the policy, let Azure execute it daily.
5. Soft delete + versioning provide a safety net but add storage costs — enable for production, disable for temporary lab accounts.

Domain 2: Practice Q&A — Storage

Answer each question before expanding the solution. Aim for under 2 minutes per question.

Q1

Your company stores compliance records in Azure Blob Storage. After 90 days, the blobs must be moved to Archive tier. After 3 years, they must be deleted. No manual intervention is acceptable.

Which feature should you configure?

• A. Azure Backup policies
• B. Blob lifecycle management policies
• C. Blob versioning with retention rules
• D. A logic app that runs daily and checks blob modification dates

Q2

A storage account uses GRS replication. A regional outage affects the primary region. Users report they cannot read data. The secondary region is healthy.

Which action allows reads from the secondary region immediately without initiating a failover?

• A. Change the replication to RA-GRS
• B. Manually initiate a failover to the secondary region
• C. Create a read replica in the secondary region
• D. This is not possible with GRS — failover is required

Q3

You generate a Service SAS token for a container with read/list permissions, valid for 24 hours. After 2 hours, a security incident requires you to immediately revoke the SAS without affecting other SAS tokens that grant access to other containers.

What is the fastest way to revoke only this SAS?

• A. Delete the storage container
• B. Rotate the storage account key used to sign the SAS
• C. Delete the Stored Access Policy associated with this SAS
• D. You cannot revoke a standalone SAS — wait for it to expire

Q4

A developer wants to access blob data in a storage account from an Azure VM. You want to follow the principle of least privilege and avoid storing any credentials in the VM or its code.

Which approach should you use?

• A. Store the storage account access key in an environment variable on the VM
• B. Assign a system-assigned managed identity to the VM and grant it the Storage Blob Data Reader role on the storage account
• C. Generate a long-lived SAS token with read permissions and store it in the VM's configuration
• D. Create a service principal with a client secret and store the secret in Azure Key Vault

Q5

A storage account has a ReadOnly lock applied. An administrator with the Owner RBAC role attempts to list the storage account's access keys. The operation fails. What is the correct explanation?

• A. Owner does not have permission to list keys — they need the Key Vault Secrets Officer role
• B. The listKeys operation is classified as a write action on the management plane, which ReadOnly locks block
• C. Access keys can only be listed by users with the Storage Account Contributor role
• D. The ReadOnly lock prevents all operations, including reads, when applied to storage accounts

Q6

You need to store VM disk VHD files in Azure Blob Storage. Which blob type must you use?

• A. Block blob
• B. Append blob
• C. Page blob
• D. Any blob type — the storage account handles the type automatically

Q7

You need to store log files that are written to constantly for 30 days, then accessed rarely for the next 60 days, then never accessed again. Cost optimization is the primary goal. Minimum access time must be under 1 hour for any log within its first 90 days.

Which configuration best meets these requirements?

• A. Hot tier for first 30 days, then Archive for days 30–90, then delete after 90 days
• B. Hot tier for first 30 days, then Cool tier for days 30–90, then delete after 90 days
• C. Hot tier for first 30 days, then Cold tier for days 30–90, then delete after 90 days
• D. Hot tier for entire 90 days, then delete

Q8

A company needs to prevent any modification or deletion of financial records stored in Azure Blob Storage for exactly 7 years due to regulatory requirements. Even storage administrators must not be able to delete the data.

Which feature should you configure?

• A. Blob soft delete with 7-year retention
• B. Azure Backup with long-term retention policy
• C. Time-based WORM retention policy (immutability policy)
• D. ReadOnly resource lock on the container

Domain 3: Deploy and Manage Azure Compute Resources

Exam weight: 20–25% — the highest-weight domain

Compute tests your ability to deploy and operate Azure's virtual machines, scale sets, App Service, and understand ARM templates. The live lab tasks most frequently involve compute operations — deploying VMs, configuring availability, and scaling.

3.1 Virtual Machines

VM Size Families

You don't need to memorize every VM size, but you need to know the families:

Exam tip: If a question says "cost-effective for workloads with variable CPU that don't run at 100% constantly," the answer is B-series (burstable).

VM Disks

Managed disk SKUs:

Exam trap: The temporary disk is lost when a VM is stopped (deallocated), resized, or the underlying host is patched. Never store anything important on the temp disk. The D: drive (Windows) or /dev/sdb (Linux) is typically the temp disk.

VM Extensions

Extensions run post-deployment scripts or install agents. Common ones:

• Custom Script Extension — run a shell/PowerShell script after deployment
• Azure Monitor Agent — collect metrics and logs
• Azure AD / SSH login — passwordless login with Entra credentials

3.2 VM Availability

This is the most confusing part of Domain 3. Three mechanisms, very different guarantees.

Availability Sets

Groups VMs across Fault Domains (FDs) and Update Domains (UDs) within a single datacenter.

Guarantee: 99.95% SLA. Does NOT protect against datacenter-level failure (fire, flood, power outage for the entire DC).

Exam trap: Availability sets are configured at VM creation — you cannot add a running VM to an availability set. A VM in an availability set cannot use Ultra Disk or Premium SSD v2.

Availability Zones

Physically separate datacenters within a region, each with independent power, cooling, and networking.

• 3 zones per region (where available).
• VMs in different zones are protected against datacenter-level failures.
• SLA: 99.99% (higher than availability sets).

Exam trap: Availability zones and availability sets are mutually exclusive for a given VM — choose one or the other.

Virtual Machine Scale Sets (VMSS)

Automatically deploy and manage a group of identical VMs, scaling in/out based on demand.

Exam trap: VMSS with Uniform orchestration requires all VMs to use the same image and size. Flexible orchestration allows heterogeneous VMs and is the recommended mode for new deployments.

Comparison

3.3 Azure Bastion

Azure Bastion provides browser-based SSH/RDP access to VMs without a public IP on the VM.

• Deployed into a dedicated subnet named exactly AzureBastionSubnet with a minimum /26 CIDR.
• Requires a Standard SKU Public IP.
• No VPN, no public IP on the VM, no NSG changes needed on the VM subnet.

Exam trap: The subnet must be named exactly AzureBastionSubnet — any other name causes deployment to fail.

Bastion SKUs:

3.4 ARM Templates

ARM templates are JSON files that declare Azure resources. They enable Infrastructure as Code (IaC) for repeatable deployments.

Template Structure

{
  "$schema": "...",
  "contentVersion": "1.0.0.0",
  "parameters": {         // User inputs at deploy time
    "vmName": {
      "type": "string",
      "defaultValue": "myVM"
    }
  },
  "variables": {          // Computed values reused within the template
    "nicName": "[concat(parameters('vmName'), '-nic')]"
  },
  "resources": [          // The actual resources to deploy
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2023-03-01",
      "name": "[parameters('vmName')]",
      "location": "[resourceGroup().location]",
      "properties": { ... }
    }
  ],
  "outputs": {            // Values returned after deployment
    "vmId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
    }
  }
}

Key ARM Functions (exam-tested)

Deployment Commands

# Deploy to a resource group
az deployment group create \
  --resource-group rg-prod \
  --template-file azuredeploy.json \
  --parameters @azuredeploy.parameters.json

# What-if (preview changes without deploying)
az deployment group what-if \
  --resource-group rg-prod \
  --template-file azuredeploy.json

# Validate (syntax check only)
az deployment group validate \
  --resource-group rg-prod \
  --template-file azuredeploy.json

3.5 Bicep

Bicep is Azure's domain-specific language for IaC — it compiles to ARM JSON. It's simpler syntax, better IntelliSense, and the recommended approach for new deployments.

param location string = resourceGroup().location
param vmName string = 'myVM'

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: vmName
  location: location
  properties: {
    // ...
  }
}

Key commands:

az bicep build --file main.bicep          # Compile to ARM JSON
az deployment group create \
  --resource-group rg-prod \
  --template-file main.bicep             # Deploy Bicep directly (CLI handles compilation)

Exam tip: The exam may show both ARM JSON and Bicep snippets. Know what each section does (parameters, variables, resources, outputs) and how to reference parameter values with [parameters('name')] (ARM) or just paramName (Bicep).

3.6 Azure App Service

App Service is a fully managed PaaS for web apps, REST APIs, and mobile backends.

App Service Plans

The plan defines the compute resources for all apps hosted on it.

Exam trap: Deployment slots (blue/green) require Standard tier or above. Free and Basic plans do not support slots.

Exam trap: Auto-scaling requires Standard tier or above. Basic only supports manual scaling.

Deployment Methods

Deployment Slots

A staging slot is a separate running instance of your app — deploy to staging, test, then swap to production. Swap is near-instant with no downtime.

# Create a staging slot
az webapp deployment slot create \
  --name myapp \
  --resource-group rg-prod \
  --slot staging

# Swap staging → production
az webapp deployment slot swap \
  --name myapp \
  --resource-group rg-prod \
  --slot staging \
  --target-slot production

3.7 Azure Container Instances (ACI)

ACI runs containers without managing VMs — the simplest way to run a container in Azure.

• No cluster management, no orchestration
• Billed per second of CPU/memory used
• Supports Linux and Windows containers
• Can mount Azure File shares as volumes
• Suitable for: CI/CD jobs, batch tasks, simple stateless APIs

Exam tip: The exam often presents a scenario with a short-lived container workload (data processing job, nightly batch) and asks which compute service to use. ACI is the answer for simple container tasks; AKS for long-running containerized apps at scale.

Section Takeaways

Confusing Points — Clarified

Q: Can I move a VM from one availability set to another? A: No. Availability set membership is set at VM creation and cannot be changed. You'd need to delete and recreate the VM.

Q: What's the difference between stopping (deallocated) and stopping (stopped/not deallocated)? A: A deallocated VM releases the underlying hardware — you are not billed for compute. The public IP (if dynamic) is released. A stopped (not deallocated) VM keeps the hardware reserved — you still pay. In the portal, clicking "Stop" deallocates by default.

Q: Does a VMSS automatically scale in (remove instances) as well as out? A: Yes, if you configure autoscale rules for both scale-out and scale-in. By default, you can set a minimum instance count so it never scales in below that threshold.

Q: When I swap a deployment slot, does the connection string also swap? A: By default, yes — all settings swap. But settings marked as slot settings (sticky) stay with their slot and don't swap. Use sticky settings for things like connection strings pointing to each environment's specific database.

Lab 03: Virtual Machines, VMSS, and ARM Templates

Estimated time: 60–75 minutes Difficulty: ⭐⭐⭐☆☆ Environment: Azure free account — portal + Azure CLI

Prerequisites

• Azure CLI ≥ 2.50 with az login
• A subscription with available quota for B-series VMs

az account show --query "{name:name, id:id}" -o table

Lab Objectives

1. Deploy a VM using an ARM template with parameters
2. Add a data disk and verify it
3. Configure a VM Scale Set with autoscale
4. Deploy an App Service with a staging slot and perform a slot swap
5. Create an Azure Bastion host and test browser-based SSH

Step 1: Create the Resource Group

RG="rg-az104-lab03"
LOCATION="eastus"
az group create --name $RG --location $LOCATION

Step 2: Deploy a VM via ARM Template

Create the ARM template file:

cat > vm-template.json << 'EOF'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string",
      "defaultValue": "vm-lab03",
      "metadata": { "description": "Name of the virtual machine" }
    },
    "adminUsername": {
      "type": "string",
      "defaultValue": "azureuser"
    },
    "adminPassword": {
      "type": "securestring"
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "vnetName": "vnet-lab03",
    "subnetName": "default",
    "nicName": "[concat(parameters('vmName'), '-nic')]",
    "osDiskName": "[concat(parameters('vmName'), '-osdisk')]"
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2023-05-01",
      "name": "[variables('vnetName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": { "addressPrefixes": ["10.0.0.0/16"] },
        "subnets": [{
          "name": "[variables('subnetName')]",
          "properties": { "addressPrefix": "10.0.1.0/24" }
        }]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2023-05-01",
      "name": "[variables('nicName')]",
      "location": "[parameters('location')]",
      "dependsOn": ["[variables('vnetName')]"],
      "properties": {
        "ipConfigurations": [{
          "name": "ipconfig1",
          "properties": {
            "privateIPAllocationMethod": "Dynamic",
            "subnet": {
              "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnetName'))]"
            }
          }
        }]
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2023-03-01",
      "name": "[parameters('vmName')]",
      "location": "[parameters('location')]",
      "dependsOn": ["[variables('nicName')]"],
      "properties": {
        "hardwareProfile": { "vmSize": "Standard_B2s" },
        "storageProfile": {
          "imageReference": {
            "publisher": "Canonical",
            "offer": "0001-com-ubuntu-server-jammy",
            "sku": "22_04-lts-gen2",
            "version": "latest"
          },
          "osDisk": {
            "name": "[variables('osDiskName')]",
            "createOption": "FromImage",
            "managedDisk": { "storageAccountType": "Standard_SSD_LRS" }
          }
        },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "networkProfile": {
          "networkInterfaces": [{
            "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]"
          }]
        }
      }
    }
  ],
  "outputs": {
    "vmId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
    },
    "privateIp": {
      "type": "string",
      "value": "[reference(variables('nicName')).ipConfigurations[0].properties.privateIPAddress]"
    }
  }
}
EOF

Run what-if first (preview changes without deploying):

az deployment group what-if \
  --resource-group $RG \
  --template-file vm-template.json \
  --parameters adminPassword="P@ssw0rd!Azure104"

Review the output — it shows every resource that will be created, modified, or deleted.

Deploy the template:

az deployment group create \
  --resource-group $RG \
  --template-file vm-template.json \
  --parameters adminPassword="P@ssw0rd!Azure104" \
  --query "properties.outputs" \
  -o table

⚠️ Tricky spot: The ARM template uses "dependsOn" to control deployment order. The NIC depends on the VNet (needs the subnet ID), and the VM depends on the NIC. If you omit dependsOn, resources may try to deploy in parallel before their dependencies exist.

Step 3: Add a Data Disk to the VM

# Create a managed disk
az disk create \
  --resource-group $RG \
  --name "vm-lab03-datadisk01" \
  --size-gb 32 \
  --sku Standard_SSD_LRS \
  --location $LOCATION

# Attach the disk to the VM
az vm disk attach \
  --resource-group $RG \
  --vm-name "vm-lab03" \
  --name "vm-lab03-datadisk01"

# Verify the disk is attached
az vm show \
  --resource-group $RG \
  --name "vm-lab03" \
  --query "storageProfile.dataDisks[].{name:name, lun:lun, sizeGb:diskSizeGb}" \
  -o table

⚠️ Tricky spot: Attaching a disk does NOT format or mount it inside the OS. You still need to SSH in and run fdisk + mkfs + mount to use the disk. In the exam, "attach" and "format/mount" are separate concepts.

Step 4: Configure a VM Scale Set with Autoscale

# Create a VMSS in Flexible orchestration mode
az vmss create \
  --resource-group $RG \
  --name "vmss-lab03" \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --admin-password "P@ssw0rd!Azure104" \
  --instance-count 2 \
  --vm-sku Standard_B2s \
  --orchestration-mode Flexible \
  --platform-fault-domain-count 1 \
  --location $LOCATION

# Add autoscale profile
VMSS_ID=$(az vmss show \
  --resource-group $RG \
  --name "vmss-lab03" \
  --query id -o tsv)

az monitor autoscale create \
  --resource $VMSS_ID \
  --resource-group $RG \
  --name "autoscale-lab03" \
  --min-count 2 \
  --max-count 5 \
  --count 2

# Add scale-out rule: scale out when CPU > 70% for 5 minutes
az monitor autoscale rule create \
  --resource-group $RG \
  --autoscale-name "autoscale-lab03" \
  --condition "Percentage CPU > 70 avg 5m" \
  --scale out 1

# Add scale-in rule: scale in when CPU < 30% for 5 minutes
az monitor autoscale rule create \
  --resource-group $RG \
  --autoscale-name "autoscale-lab03" \
  --condition "Percentage CPU < 30 avg 5m" \
  --scale in 1

# Verify
az monitor autoscale show \
  --resource-group $RG \
  --name "autoscale-lab03" \
  --query "{min:profiles[0].capacity.minimum, max:profiles[0].capacity.maximum, default:profiles[0].capacity.default}" \
  -o table

⚠️ Tricky spot: --min-count and --max-count define the bounds for autoscale, not actual instance counts. The current instance count is --count. Autoscale will never go below min or above max.

Step 5: Deploy an App Service with Deployment Slots

# Create App Service Plan (Standard required for slots)
az appservice plan create \
  --name "plan-lab03" \
  --resource-group $RG \
  --sku S1 \
  --is-linux

# Create the web app
APP_NAME="webapp-lab03-$(openssl rand -hex 3)"
az webapp create \
  --resource-group $RG \
  --plan "plan-lab03" \
  --name $APP_NAME \
  --runtime "NODE:20-lts"

echo "App URL: https://$APP_NAME.azurewebsites.net"

# Create a staging deployment slot
az webapp deployment slot create \
  --name $APP_NAME \
  --resource-group $RG \
  --slot staging

echo "Staging URL: https://$APP_NAME-staging.azurewebsites.net"

# Deploy a simple HTML app to staging
mkdir -p /tmp/webapp && cat > /tmp/webapp/index.html << 'HTMLEOF'
<!DOCTYPE html>
<html><body><h1>STAGING SLOT — Build v2</h1></body></html>
HTMLEOF

cd /tmp && zip -j webapp.zip webapp/index.html

az webapp deployment source config-zip \
  --resource-group $RG \
  --name $APP_NAME \
  --slot staging \
  --src /tmp/webapp.zip

# Test staging before swap
curl -s "https://$APP_NAME-staging.azurewebsites.net" | grep "STAGING"

Perform the slot swap:

az webapp deployment slot swap \
  --resource-group $RG \
  --name $APP_NAME \
  --slot staging \
  --target-slot production

# Verify production now shows the staging content
curl -s "https://$APP_NAME.azurewebsites.net" | grep "STAGING"

⚠️ Tricky spot: Slot swap is near-instant but app settings (unless marked sticky) swap too. If your production slot uses a different database connection string than staging, you must mark that setting as a slot setting (sticky) or the swap will point production at the staging database.

Step 6: Azure Bastion (Bonus — Portal Steps)

Bastion requires a Standard Public IP and a dedicated subnet — easier to do via portal for this lab:

1. In the portal, open the VNet vnet-lab03 → Subnets → + Gateway Subnet — NO, for Bastion you add: + Subnet → Name it exactly AzureBastionSubnet → Address range /26 (minimum)
2. Search for Bastion in the portal → Create → Select vnet-lab03 and the AzureBastionSubnet
3. Create a new Standard Public IP for Bastion
4. After deployment (takes ~5 min), go to vm-lab03 → Connect → Bastion → enter credentials → browser-based SSH opens

⚠️ Tricky spot: The subnet name must be AzureBastionSubnet — spelled exactly, case-sensitive. Any deviation causes deployment validation to fail immediately.

Step 7: Clean Up

az group delete --name $RG --yes --no-wait
rm -f vm-template.json /tmp/webapp.zip
rm -rf /tmp/webapp

Lab Tricky Spots Summary

Lab Takeaways

1. what-if before deploying is a critical exam skill — it previews changes without risk.
2. ARM outputs ("outputs" section) let you capture resource properties (IPs, IDs) for post-deployment use.
3. Data disks are Azure resources but also need OS-level setup — attaching in Azure and mounting in the OS are separate steps.
4. Autoscale rules come in pairs — scale-out trigger and scale-in trigger. One without the other creates an unbalanced system.
5. Deployment slots are the cleanest zero-downtime deployment strategy for App Service.

Domain 3: Practice Q&A — Compute

Answer each question before expanding the solution. Aim for under 2 minutes per question.

Q1

You have a web application running on two VMs. You need to protect against planned Azure maintenance (platform updates) while also protecting against hardware failures on the same rack. Single-datacenter tolerance is acceptable — multi-region is not required.

Which availability option should you configure?

• A. Availability zones
• B. Availability set
• C. VM Scale Set with manual scaling
• D. Azure Site Recovery

Q2

A VM is stopped (deallocated) and restarted. After the restart, a developer reports that data written to the D: drive is gone. What is the explanation?

• A. The D: drive was formatted as part of the OS restart process
• B. The D: drive is the temporary disk — it does not persist across deallocations
• C. A CanNotDelete lock prevented the data from being saved
• D. The disk was Standard HDD and was automatically upgraded on restart

Q3

You deploy an App Service web app and need to use deployment slots to test a new version before promoting to production. Which App Service plan is the minimum required?

• A. Free (F1)
• B. Basic (B1)
• C. Standard (S1)
• D. Premium (P1v3)

Q4

You need to deploy infrastructure using a repeatable, version-controlled approach. You write an ARM template. Before deploying to production, you want to preview the exact changes the template will make without actually deploying anything.

Which command should you run?

• A. az deployment group validate
• B. az deployment group create --dry-run
• C. az deployment group what-if
• D. az deployment group preview

Q5

You have an Azure VM Scale Set configured with an autoscale rule: scale out by 1 instance when CPU > 75% for 5 minutes. No scale-in rule is configured. What is the behavior over time?

• A. The scale set scales out and then automatically scales in when CPU drops
• B. The scale set scales out but never scales in — instances accumulate until the maximum is reached
• C. The scale set oscillates between min and max instances based on a default cooldown period
• D. The autoscale configuration is invalid without a scale-in rule and is ignored

Q6

You deploy Azure Bastion in a VNet. The deployment fails with a validation error. Which is the most likely reason?

• A. The VNet does not have a public IP address
• B. The subnet is named bastion-subnet instead of AzureBastionSubnet
• C. The VNet uses a /24 address space, which is too small for Bastion
• D. Bastion requires an NSG on the target VMs' subnet to allow port 3389

Q7

You have a VM Scale Set (VMSS) running in Uniform orchestration mode. You need to update the OS image used by all instances. What happens to existing instances when you change the image and apply the update?

• A. Existing instances are immediately deleted and recreated with the new image
• B. The update is staged across Update Domains — instances are updated in rolling batches without all going down simultaneously
• C. Only new instances created after the change use the new image; existing instances keep the old image
• D. The image update fails — Uniform VMSS does not support image updates

Q8 — Scenario

Your company runs a batch processing application that processes financial data overnight. The processing takes 2–3 hours and then the app shuts down until the next night. The team wants to containerize the app and run it in Azure. Cost optimization is the top priority — paying for idle capacity is unacceptable.

Which compute service is most appropriate?

• A. Azure Kubernetes Service (AKS)
• B. Azure Virtual Machine Scale Set
• C. Azure Container Instances (ACI)
• D. Azure App Service with autoscale to zero

Domain 4: Implement and Manage Virtual Networking

Exam weight: 15–20%

Networking is the trickiest domain in AZ-104. The concepts are interconnected — getting one wrong (e.g., NSG vs UDR) cascades into wrong answers on multiple questions. Master the flow of traffic through Azure's network stack.

4.1 Virtual Networks (VNets)

A VNet is Azure's isolated network environment — the foundation of all Azure networking.

Key Rules

• VNet address space uses CIDR notation (e.g., 10.0.0.0/16).
• A VNet lives in one region and one subscription.
• Subnets partition the VNet. Each subnet must fall within the VNet's address space.
• Azure reserves 5 IPs in every subnet: .0 (network), .1 (default gateway), .2 and .3 (Azure DNS), .255 (broadcast).
• For a /28 subnet (16 addresses), you only get 11 usable host IPs.

Subnet Planning

4.2 Network Security Groups (NSGs)

An NSG is a stateful packet filter — the primary traffic control mechanism in Azure.

How Rules Work

Default (always-present) Rules

Inbound defaults:

Outbound defaults:

Exam trap: NSGs are stateful — if you allow inbound traffic on port 80, the return traffic is automatically allowed without a matching outbound rule.

NSG Attachment Points

An NSG can be associated with:

1. A subnet — applies to all resources in the subnet
2. A NIC — applies only to that specific VM's network interface

When associated to both, both NSGs are evaluated. For inbound: subnet NSG first, then NIC NSG. For outbound: NIC NSG first, then subnet NSG.

Exam trap: If a VM can't reach a destination, check both the subnet NSG and the NIC NSG. Both must allow the traffic.

Application Security Groups (ASGs)

ASGs are logical groupings of VMs that can be used as source/destination in NSG rules. Instead of IP-based rules, use ASG-based rules:

NSG Rule: Allow AppServers → DBServers on port 1433

This lets you add new app servers to the AppServers ASG without touching the NSG rules.

4.3 VNet Peering

VNet Peering connects two VNets — traffic flows over Microsoft's backbone network (private, low latency, not internet).

Key Characteristics

• Non-transitive by default. If VNet A is peered with B, and B is peered with C, then A cannot reach C directly. You need an explicit A↔C peering, or a transit hub with forwarding enabled.
• Peering is directional — you create two peering connections (A→B and B→A). The portal/CLI creates both automatically.
• Global peering: Peering across regions is supported.
• Address spaces cannot overlap.

Peering Settings

Exam trap: For a hub-spoke topology where spokes share the hub's VPN Gateway: enable allowGatewayTransit on the hub peering, and useRemoteGateways on the spoke peering. If these are reversed, transit doesn't work.

4.4 VPN Gateway

A VPN Gateway connects your Azure VNet to on-premises networks or other VNets over encrypted IPsec/IKE tunnels.

Connection Types

VPN Gateway SKUs

Exam trap: VPN Gateway requires a dedicated GatewaySubnet (named exactly GatewaySubnet, /27 minimum recommended).

Route-Based vs Policy-Based VPN

Exam tip: When in doubt, choose route-based. Policy-based is only needed for compatibility with very old VPN devices.

4.5 ExpressRoute

ExpressRoute provides a private, dedicated connection from on-premises to Azure — not over the internet.

Exam tip: "Consistent low latency" or "dedicated private connection" = ExpressRoute. "Fast to set up" or "cost-effective" = VPN Gateway.

ExpressRoute Peering Types

4.6 Azure DNS

Public DNS Zones

Host DNS records for internet-facing domains. Authoritative name servers are on Azure's global anycast network.

# Create a public DNS zone
az network dns zone create \
  --resource-group rg-net \
  --name contoso.com

# Add an A record
az network dns record-set a add-record \
  --resource-group rg-net \
  --zone-name contoso.com \
  --record-set-name "www" \
  --ipv4-address "203.0.113.1"

Private DNS Zones

Resolve private hostnames within VNets. VMs get automatic DNS records when auto-registration is enabled.

# Create a private DNS zone
az network private-dns zone create \
  --resource-group rg-net \
  --name "internal.contoso.com"

# Link it to a VNet (with auto-registration)
az network private-dns link vnet create \
  --resource-group rg-net \
  --zone-name "internal.contoso.com" \
  --name "link-to-prod-vnet" \
  --virtual-network "/subscriptions/.../virtualNetworks/prod-vnet" \
  --registration-enabled true

Exam trap: Azure DNS (public) does not support DNSSEC signing (as of AZ-104 curriculum). Private DNS zones must be linked to a VNet to be resolvable from within that VNet.

4.7 Load Balancer

Azure Load Balancer operates at Layer 4 (TCP/UDP) — it doesn't inspect HTTP content.

SKU Comparison

Exam trap: Standard Load Balancer + NSG. With Standard LB, you must have an NSG on the backend subnet or NIC explicitly allowing the traffic. Without it, backend VMs are unreachable even if the LB is configured correctly. Basic LB doesn't require this.

Load Balancer Rules

• Load balancing rules: Distribute traffic across backend pool
• NAT rules: Map a specific port on the LB to a specific VM port (e.g., LB:50001 → VM1:22)
• Health probes: LB periodically checks backend VM health; removes unhealthy instances

4.8 Application Gateway

Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer with WAF capabilities.

URL-Based Routing Example

/images/* → Backend Pool: image-servers
/api/*    → Backend Pool: api-servers
/*        → Backend Pool: web-servers

Exam tip: If a question involves routing different URL paths to different backends, WAF, or SSL termination → Application Gateway. If it's just TCP load balancing → Azure Load Balancer.

4.9 Route Tables (User-Defined Routes)

Route tables override Azure's default routing and direct traffic to a specific next hop.

Next Hop Types

Common Pattern: Force Traffic Through Azure Firewall

Route: 0.0.0.0/0 → Next hop: VirtualAppliance → 10.0.1.4 (Firewall IP)

This forces all outbound traffic through the firewall for inspection.

Exam trap: UDR overrides BGP routes from VPN/ExpressRoute. If you have a route learned via BGP for 10.1.0.0/24 but also a UDR for 10.1.0.0/24, the UDR wins (more specific or explicitly defined routes take precedence).

NSG vs UDR — When to Use Which

They solve different problems. NSG is a filter; UDR is a redirect. They can be used together.

4.10 Private Endpoints vs Service Endpoints

Both provide private connectivity to Azure PaaS services — but they work differently.

Exam trap: Service endpoints don't give the PaaS service a private IP — traffic still goes to the public endpoint, just optimized routing. Only Private Endpoints give the service a private IP in your VNet and make it fully accessible over VPN/ExpressRoute.

Section Takeaways

Confusing Points — Clarified

Q: Can I have both an NSG and a UDR on the same subnet? A: Yes. NSG filters traffic (allow/deny). UDR redirects traffic to a next hop. They operate independently and together — UDR first redirects, then NSG evaluates.

Q: What's the difference between a Load Balancer health probe and an NSG? A: An NSG is a security filter. A health probe is how the Load Balancer determines if a backend VM is healthy enough to receive traffic. A VM can be "healthy" per the probe but still have an NSG blocking traffic — these are independent.

Q: If VNet A peers with VNet B and VNet B peers with VNet C, can VNet A communicate with VNet C? A: Not by default — peering is non-transitive. Either create a direct A↔C peering or configure VNet B as a transit hub with Azure Firewall or NVA and enable forwarded traffic.

Q: Does VNet peering work across Azure regions? A: Yes — this is called global VNet peering. The SLA and characteristics are the same as regional peering.

Lab 04: VNet, NSG, VNet Peering, and Load Balancer

Estimated time: 60–90 minutes Difficulty: ⭐⭐⭐⭐☆ Environment: Azure free account — Azure CLI

Prerequisites

az account show --query "{name:name, id:id}" -o table

Lab Objectives

1. Create two VNets and peer them
2. Verify non-transitive peering behavior
3. Configure NSG rules and test traffic filtering
4. Deploy a Standard Load Balancer with two backend VMs
5. Create a User-Defined Route to direct traffic through a next hop
6. Test that UDR overrides default routing

Step 1: Create Resource Group and Two VNets

RG="rg-az104-lab04"
LOCATION="eastus"
az group create --name $RG --location $LOCATION

# VNet A — production
az network vnet create \
  --resource-group $RG \
  --name "vnet-prod" \
  --address-prefix "10.1.0.0/16" \
  --subnet-name "snet-web" \
  --subnet-prefix "10.1.1.0/24"

# VNet B — shared services
az network vnet create \
  --resource-group $RG \
  --name "vnet-shared" \
  --address-prefix "10.2.0.0/16" \
  --subnet-name "snet-services" \
  --subnet-prefix "10.2.1.0/24"

# VNet C — isolated (to test non-transitivity)
az network vnet create \
  --resource-group $RG \
  --name "vnet-isolated" \
  --address-prefix "10.3.0.0/16" \
  --subnet-name "snet-isolated" \
  --subnet-prefix "10.3.1.0/24"

Step 2: Configure VNet Peering (A↔B and B↔C, but NOT A↔C)

# Peer vnet-prod ↔ vnet-shared (bidirectional)
az network vnet peering create \
  --resource-group $RG \
  --name "prod-to-shared" \
  --vnet-name "vnet-prod" \
  --remote-vnet "vnet-shared" \
  --allow-vnet-access true \
  --allow-forwarded-traffic true

az network vnet peering create \
  --resource-group $RG \
  --name "shared-to-prod" \
  --vnet-name "vnet-shared" \
  --remote-vnet "vnet-prod" \
  --allow-vnet-access true \
  --allow-forwarded-traffic true

# Peer vnet-shared ↔ vnet-isolated (bidirectional)
az network vnet peering create \
  --resource-group $RG \
  --name "shared-to-isolated" \
  --vnet-name "vnet-shared" \
  --remote-vnet "vnet-isolated" \
  --allow-vnet-access true

az network vnet peering create \
  --resource-group $RG \
  --name "isolated-to-shared" \
  --vnet-name "vnet-isolated" \
  --remote-vnet "vnet-shared" \
  --allow-vnet-access true

# Verify peering state
az network vnet peering list \
  --resource-group $RG \
  --vnet-name "vnet-shared" \
  --query "[].{name:name, state:peeringState, remoteVnet:remoteVirtualNetwork.id}" \
  -o table

VNet-prod can reach VNet-shared, and VNet-shared can reach VNet-isolated — but VNet-prod CANNOT reach VNet-isolated directly. This is non-transitivity. To allow A↔C, you must create an explicit A↔C peering.

Step 3: Create an NSG and Apply Rules

# Create NSG
az network nsg create \
  --resource-group $RG \
  --name "nsg-web"

# Allow HTTP (port 80) inbound from internet
az network nsg rule create \
  --resource-group $RG \
  --nsg-name "nsg-web" \
  --name "Allow-HTTP" \
  --priority 100 \
  --direction Inbound \
  --source-address-prefixes Internet \
  --source-port-ranges "*" \
  --destination-address-prefixes "*" \
  --destination-port-ranges 80 \
  --protocol Tcp \
  --access Allow

# Allow SSH (port 22) from specific IP only
MY_IP=$(curl -s https://ifconfig.me)
az network nsg rule create \
  --resource-group $RG \
  --nsg-name "nsg-web" \
  --name "Allow-SSH-MyIP" \
  --priority 110 \
  --direction Inbound \
  --source-address-prefixes $MY_IP \
  --source-port-ranges "*" \
  --destination-address-prefixes "*" \
  --destination-port-ranges 22 \
  --protocol Tcp \
  --access Allow

# Explicitly deny all other inbound (redundant with default, but good practice for visibility)
az network nsg rule create \
  --resource-group $RG \
  --nsg-name "nsg-web" \
  --name "Deny-All-Inbound" \
  --priority 4000 \
  --direction Inbound \
  --source-address-prefixes "*" \
  --source-port-ranges "*" \
  --destination-address-prefixes "*" \
  --destination-port-ranges "*" \
  --protocol "*" \
  --access Deny

# Associate NSG with the web subnet
az network vnet subnet update \
  --resource-group $RG \
  --vnet-name "vnet-prod" \
  --name "snet-web" \
  --network-security-group "nsg-web"

# View effective rules
az network nsg show \
  --resource-group $RG \
  --name "nsg-web" \
  --query "securityRules[].{name:name, priority:priority, direction:direction, access:access, port:destinationPortRange}" \
  -o table

⚠️ Tricky spot: NSG rules are evaluated by priority — lowest number first. If you have Allow-HTTP at priority 100 and Deny-All at priority 90, HTTP will be denied because 90 < 100. Always ensure Allow rules have lower priority numbers than Deny rules for the same port.

Step 4: Deploy a Standard Load Balancer

# Create a public IP for the LB
az network public-ip create \
  --resource-group $RG \
  --name "pip-lb" \
  --sku Standard \
  --allocation-method Static \
  --location $LOCATION

LB_PIP=$(az network public-ip show \
  --resource-group $RG \
  --name "pip-lb" \
  --query ipAddress -o tsv)
echo "LB Public IP: $LB_PIP"

# Create the Standard Load Balancer
az network lb create \
  --resource-group $RG \
  --name "lb-web" \
  --sku Standard \
  --public-ip-address "pip-lb" \
  --frontend-ip-name "fe-config" \
  --backend-pool-name "be-pool"

# Create health probe (HTTP on port 80)
az network lb probe create \
  --resource-group $RG \
  --lb-name "lb-web" \
  --name "http-probe" \
  --protocol Http \
  --port 80 \
  --path "/"

# Create load balancing rule
az network lb rule create \
  --resource-group $RG \
  --lb-name "lb-web" \
  --name "http-rule" \
  --protocol Tcp \
  --frontend-port 80 \
  --backend-port 80 \
  --frontend-ip-name "fe-config" \
  --backend-pool-name "be-pool" \
  --probe-name "http-probe"

Create two backend VMs and add them to the pool:

for i in 1 2; do
  # NIC for each VM
  az network nic create \
    --resource-group $RG \
    --name "nic-web$i" \
    --vnet-name "vnet-prod" \
    --subnet "snet-web" \
    --lb-name "lb-web" \
    --lb-address-pool "be-pool"

  # VM
  az vm create \
    --resource-group $RG \
    --name "vm-web$i" \
    --nics "nic-web$i" \
    --image Ubuntu2204 \
    --admin-username azureuser \
    --admin-password "P@ssw0rd!Azure104" \
    --size Standard_B1s \
    --no-wait
done

echo "VMs deploying in background..."

⚠️ Critical tricky spot — Standard LB + NSG: Standard Load Balancer requires an NSG on the backend subnet that explicitly allows the load-balanced traffic. Without it, backend VMs are unreachable even with a perfectly configured LB. The nsg-web we created in Step 3 (Allow port 80) satisfies this requirement. Basic LB doesn't have this requirement.

Step 5: Create a User-Defined Route

Simulate forcing all outbound internet traffic through a "firewall" appliance (using a placeholder IP):

# Create a route table
az network route-table create \
  --resource-group $RG \
  --name "rt-web" \
  --location $LOCATION \
  --disable-bgp-route-propagation false

# Add a route: all internet traffic → virtual appliance (firewall)
# In a real scenario, this would be Azure Firewall's private IP
az network route-table route create \
  --resource-group $RG \
  --route-table-name "rt-web" \
  --name "force-internet-to-fw" \
  --address-prefix "0.0.0.0/0" \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address "10.1.99.4"  # placeholder NVA IP

# Add a specific route: traffic to Azure Monitor bypass the firewall
az network route-table route create \
  --resource-group $RG \
  --route-table-name "rt-web" \
  --name "azure-monitor-direct" \
  --address-prefix "AzureMonitor" \
  --next-hop-type Internet

# Associate the route table with the web subnet
az network vnet subnet update \
  --resource-group $RG \
  --vnet-name "vnet-prod" \
  --name "snet-web" \
  --route-table "rt-web"

# Verify effective routes on a VM's NIC
az network nic show-effective-route-table \
  --resource-group $RG \
  --name "nic-web1" \
  -o table

⚠️ Tricky spot: With --disable-bgp-route-propagation false, routes learned from a VPN/ExpressRoute gateway are added to the route table. With it set to true, BGP routes are suppressed and only your UDRs apply. The UDR always wins over a BGP route for the same prefix.

Step 6: Clean Up

az group delete --name $RG --yes --no-wait

Lab Tricky Spots Summary

Lab Takeaways

1. VNet peering is non-transitive — always draw your topology before peering to identify missing direct links.
2. Standard LB mandates NSG — the most common reason for "LB is configured but VMs are unreachable" in the exam.
3. Effective routes view (az network nic show-effective-route-table) is the fastest way to diagnose routing issues.
4. Effective NSG view (az network nic show-effective-nsg) combines subnet + NIC NSG rules — use it to debug access issues.
5. UDR overrides BGP — be careful when adding 0.0.0.0/0 routes if you have VPN connectivity you want to keep working.

Domain 4: Practice Q&A — Virtual Networking

Answer each question before expanding the solution. Aim for under 2 minutes per question.

Q1

You have three VNets: A, B, and C. VNet A is peered with VNet B. VNet B is peered with VNet C. A VM in VNet A tries to communicate with a VM in VNet C. The communication fails. What is the reason?

• A. Cross-VNet peering is not supported across more than one hop
• B. VNet peering is non-transitive — there is no direct peering between A and C
• C. VMs in different VNets can only communicate through a VPN Gateway
• D. The NSG on VNet C is blocking inbound traffic from VNet A's address space

Q2

A subnet has an NSG associated with it and its VMs have NSGs associated with their NICs. Inbound traffic on port 443 is allowed in the subnet NSG but denied in the NIC NSG. What is the outcome?

• A. Traffic is allowed — subnet NSG is evaluated first and overrides NIC NSG
• B. Traffic is denied — both NSGs must allow traffic for inbound connections
• C. Traffic is allowed — NIC NSG takes precedence on inbound traffic
• D. The configuration is invalid — NSGs cannot be applied to both subnet and NIC simultaneously

Q3

Your organization wants to connect its on-premises datacenter to Azure. The requirements are:

• Consistent sub-5ms latency
• 10 Gbps bandwidth
• Private connection — traffic must not traverse the public internet

Which solution meets all three requirements?

• A. Site-to-Site VPN Gateway (VpnGw3 SKU)
• B. Point-to-Site VPN
• C. Azure ExpressRoute
• D. VNet peering with BGP routing

Q4

You have a Standard Azure Load Balancer with two VMs in the backend pool. The LB is correctly configured with a health probe and load balancing rule on port 80. Users report the VMs are unreachable through the LB public IP. What is the most likely cause?

• A. The health probe is checking the wrong port
• B. The backend VMs do not have NSGs allowing inbound traffic on port 80 from the Load Balancer
• C. Standard SKU public IPs cannot be used with Standard Load Balancers
• D. The Load Balancer SKU must match the VM SKU

Q5

You add a User-Defined Route (UDR) to a subnet with:

• Destination: 0.0.0.0/0
• Next hop type: VirtualAppliance
• Next hop IP: 10.0.99.4 (Azure Firewall private IP)

A VPN Gateway is also connected to this VNet and advertises a route for 10.1.0.0/16 via BGP. What happens to traffic destined for 10.1.5.200?

• A. Traffic follows the BGP route to the VPN Gateway
• B. Traffic follows the UDR to the Azure Firewall because UDR overrides BGP
• C. Traffic is dropped — conflicting routes cause a routing loop
• D. Both routes are used in a round-robin fashion

Q6

You need to allow VMs in a spoke VNet to use the hub VNet's VPN Gateway to connect to on-premises resources. What must you configure?

• A. Enable allowGatewayTransit on the spoke-to-hub peering
• B. Enable allowGatewayTransit on the hub-to-spoke peering, and useRemoteGateways on the spoke-to-hub peering
• C. Enable useRemoteGateways on both peering connections
• D. Create a VPN Gateway in each spoke VNet

Q7

You are designing private connectivity for an Azure SQL Database. You want the database to have a private IP address in your VNet and be inaccessible from the public internet, including from within Azure's public network.

Which solution should you use?

• A. Service endpoint for Microsoft.Sql
• B. Private endpoint for the SQL server
• C. VNet-integrated App Service connecting to Azure SQL
• D. Azure SQL Managed Instance

Q8

You configure an NSG inbound rule with priority 200, Allow, port 80. You also have the default DenyAllInBound rule at priority 65500. A VM's NIC has no separate NSG. Traffic on port 443 from the internet arrives at the VM. What happens?

• A. Traffic is allowed because the default AllowVnetInBound covers it
• B. Traffic is denied — the explicit Allow rule only covers port 80, and the default deny covers all other ports
• C. Traffic is allowed because there is no explicit deny rule for port 443
• D. Traffic is allowed because the NIC has no separate NSG

Domain 5: Monitor and Maintain Azure Resources

Exam weight: 10–15%

This domain is about knowing that things are working, responding when they're not, backing up data, and planning for disaster recovery. It's more conceptual than the networking domain, but you'll see scenario questions comparing the tools.

5.1 Azure Monitor

Azure Monitor is the central hub for all monitoring in Azure. It collects metrics and logs from almost every Azure resource automatically.

Two Core Data Types

Exam trap: Metrics are stored by default for 93 days in Azure Monitor automatically — no workspace needed. Logs require a Log Analytics workspace and must be explicitly routed there via Diagnostic Settings.

Diagnostic Settings

Diagnostic settings control where resource telemetry flows. Every resource that supports monitoring lets you configure:

• Platform Metrics → Log Analytics workspace (for querying metrics with KQL)
• Resource Logs (e.g., Activity Logs, resource-specific logs) → Log Analytics workspace, Storage Account, Event Hub, or Partner solution

# Enable diagnostic settings: send activity log to a workspace
az monitor diagnostic-settings create \
  --name "diag-vm-logs" \
  --resource "/subscriptions/.../resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/myvm" \
  --workspace "/subscriptions/.../resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/my-workspace" \
  --logs '[{"category": "Administrative", "enabled": true}]' \
  --metrics '[{"category": "AllMetrics", "enabled": true}]'

5.2 Log Analytics

Log Analytics is the query engine for Azure Monitor logs. Queries use KQL (Kusto Query Language).

Creating a Workspace

az monitor log-analytics workspace create \
  --resource-group rg-monitor \
  --workspace-name "law-prod" \
  --location eastus \
  --retention-time 90

Essential KQL Patterns

// Count errors in the last hour
AzureActivity
| where TimeGenerated > ago(1h)
| where ActivityStatusValue == "Failed"
| summarize count() by OperationNameValue

// Top 10 VMs by CPU
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| where TimeGenerated > ago(30m)
| summarize avg(CounterValue) by Computer
| top 10 by avg_CounterValue desc

// Storage account write errors
StorageBlobLogs
| where StatusCode >= 400
| project TimeGenerated, OperationName, StatusCode, Uri

Key KQL Operators (exam-relevant)

5.3 Alerts

Alerts notify you (or trigger automated actions) when specific conditions are met.

Alert Rule Components

Alert Signal Types

Exam tip: "Notify me when someone deletes a resource group" = Activity log alert. "Notify me when CPU exceeds 90%" = Metric alert. "Notify me when more than 5 failed logins appear in logs" = Log query alert.

Action Groups

Action groups define what happens when an alert fires:

# Create an action group
az monitor action-group create \
  --resource-group rg-monitor \
  --name "ag-ops-team" \
  --short-name "ops" \
  --action email oncall oncall@contoso.com

# Create a metric alert
az monitor metrics alert create \
  --name "alert-high-cpu" \
  --resource-group rg-monitor \
  --scopes "/subscriptions/.../resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/myvm" \
  --condition "avg Percentage CPU > 90" \
  --window-size 5m \
  --evaluation-frequency 1m \
  --action "/subscriptions/.../resourceGroups/rg-monitor/providers/microsoft.insights/actionGroups/ag-ops-team" \
  --severity 2

5.4 Azure Backup

Azure Backup is Microsoft's managed backup service. It protects VMs, SQL databases, Azure Files, blobs, and more.

Recovery Services Vault

The Recovery Services Vault is the central container for backup data and backup policies. It's required for VM backup and Azure Site Recovery.

Exam trap: There is also a Backup vault (newer) — used specifically for Azure Disk backup, Azure Database for PostgreSQL, and Azure Blob backup. Recovery Services Vault is used for VM backup and ASR.

VM Backup

• Backup is crash-consistent by default; for VMs running SQL or VSS-aware apps, it can be application-consistent.
• Backup policy defines frequency (daily) and retention (daily, weekly, monthly, yearly).
• Soft delete: Deleted backup data is retained for 14 additional days (default; configurable). This prevents accidental data loss.

# Enable backup on a VM (vault must exist)
az backup protection enable-for-vm \
  --vault-name "rsv-prod" \
  --resource-group rg-backup \
  --vm "/subscriptions/.../resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/myvm" \
  --policy-name "DefaultPolicy"

# List backup items
az backup item list \
  --vault-name "rsv-prod" \
  --resource-group rg-backup \
  --backup-management-type AzureIaasVM \
  -o table

# Trigger an on-demand backup
az backup protection backup-now \
  --vault-name "rsv-prod" \
  --resource-group rg-backup \
  --item-name "vm;iaasvmcontainer;rg;myvm" \
  --container-name "iaasvmcontainer;iaasvmcontainerv2;rg;myvm" \
  --backup-management-type AzureIaasVM \
  --retain-until "31-12-2025"

Restore Options

5.5 Azure Site Recovery (ASR)

Azure Site Recovery provides disaster recovery (DR) — it replicates VMs continuously to a secondary region. In the event of a regional outage, you can fail over to the replicated VMs.

Key Concepts

ASR RPO

ASR replicates continuously and maintains recovery points. Default RPO is 15 minutes (crash-consistent) or up to 4 hours (app-consistent, configurable).

Exam trap: Backup and ASR serve different purposes:

• Azure Backup = protect against accidental deletion, data corruption, ransomware
• ASR = protect against regional outage, datacenter failure (DR scenario)

5.6 Azure Update Manager

Azure Update Manager (formerly Update Management Center) manages OS updates across Azure VMs and Arc-connected on-premises servers.

• Provides a unified view of update compliance across all machines
• Supports scheduled assessment and scheduled patching
• Maintenance windows control when updates are applied
• Works without a Log Analytics agent (uses Azure VM extension)

5.7 Azure Advisor

Azure Advisor analyzes your Azure usage and provides personalized recommendations across five categories:

Exam tip: Advisor is read-only and advisory — it doesn't make changes. It surfaces recommendations; you act on them.

Section Takeaways

Confusing Points — Clarified

Q: What's the difference between Backup vault and Recovery Services vault? A: Recovery Services vault is the original (VM backup, SQL backup, ASR). Backup vault is newer and used for a specific set of newer workloads (Azure Disk backup, Blobs, PostgreSQL). For the AZ-104 exam, Recovery Services vault is what you configure for VM backup and ASR.

Q: Can I query metrics data with KQL? A: Yes, but you need to first route platform metrics to a Log Analytics workspace via Diagnostic Settings. Once there, you query the Perf table (VM metrics) or the AzureMetrics table. By default, metrics are only in the Metrics Store (queryable via Metrics Explorer, not Log Analytics).

Q: What's the difference between Test Failover and Failover in ASR? A: Test Failover spins up the replicated VM in an isolated virtual network — production is not affected, replication continues. Failover is the real event — production shifts to the DR site. Always test before a real event.

Q: Does Azure Backup require internet connectivity from the VM? A: Azure Backup uses the Azure Backup extension inside the VM and sends backup data to the Recovery Services Vault. By default, this requires internet access (or service endpoints/private endpoints for the vault). You can configure private endpoints for the vault to eliminate internet traffic.

Lab 05: Azure Monitor, Alerts, Backup, and Log Analytics

Estimated time: 50–65 minutes Difficulty: ⭐⭐⭐☆☆ Environment: Azure free account — Azure CLI + portal

Prerequisites

az account show --query "{name:name, id:id}" -o table

Lab Objectives

1. Create a Log Analytics workspace
2. Enable diagnostic settings on a VM to stream logs and metrics
3. Write and run KQL queries
4. Create a metric alert with an email action group
5. Configure VM backup in a Recovery Services vault
6. Perform a file-level restore from a backup

Step 1: Create Resource Group and Supporting Resources

RG="rg-az104-lab05"
LOCATION="eastus"
az group create --name $RG --location $LOCATION

# Create Log Analytics Workspace
az monitor log-analytics workspace create \
  --resource-group $RG \
  --workspace-name "law-lab05" \
  --location $LOCATION \
  --retention-time 30

LAW_ID=$(az monitor log-analytics workspace show \
  --resource-group $RG \
  --workspace-name "law-lab05" \
  --query id -o tsv)
echo "Log Analytics Workspace ID: $LAW_ID"

Step 2: Deploy a VM to Monitor

az vm create \
  --resource-group $RG \
  --name "vm-monitor" \
  --image Ubuntu2204 \
  --admin-username azureuser \
  --admin-password "P@ssw0rd!Azure104" \
  --size Standard_B2s \
  --location $LOCATION

VM_ID=$(az vm show \
  --resource-group $RG \
  --name "vm-monitor" \
  --query id -o tsv)
echo "VM ID: $VM_ID"

Step 3: Enable Diagnostic Settings

Route VM metrics and logs to the Log Analytics workspace:

az monitor diagnostic-settings create \
  --name "diag-vm-to-law" \
  --resource "$VM_ID" \
  --workspace "$LAW_ID" \
  --metrics '[{"category": "AllMetrics", "enabled": true, "retentionPolicy": {"enabled": false, "days": 0}}]'

Install the Azure Monitor Agent (AMA) on the VM to collect OS-level performance counters:

az vm extension set \
  --resource-group $RG \
  --vm-name "vm-monitor" \
  --name AzureMonitorLinuxAgent \
  --publisher Microsoft.Azure.Monitor \
  --version 1.0 \
  --enable-auto-upgrade true

⚠️ Tricky spot: Diagnostic Settings alone send Azure platform metrics (host-level CPU, network). To get OS-level metrics (memory, disk free space, custom app counters), you also need the Azure Monitor Agent installed inside the VM. These are separate data streams.

Step 4: Create an Action Group for Alerts

# Create an action group with email notification
az monitor action-group create \
  --resource-group $RG \
  --name "ag-lab05" \
  --short-name "lab05" \
  --action email "lab-admin" "your-email@example.com"

AG_ID=$(az monitor action-group show \
  --resource-group $RG \
  --name "ag-lab05" \
  --query id -o tsv)
echo "Action Group ID: $AG_ID"

Step 5: Create Metric Alerts

# Alert: CPU > 85% for 5 minutes
az monitor metrics alert create \
  --name "alert-high-cpu" \
  --resource-group $RG \
  --scopes "$VM_ID" \
  --condition "avg Percentage CPU > 85" \
  --window-size 5m \
  --evaluation-frequency 1m \
  --action "$AG_ID" \
  --severity 2 \
  --description "CPU exceeded 85% for 5 minutes"

# Alert: Available memory < 500 MB
az monitor metrics alert create \
  --name "alert-low-memory" \
  --resource-group $RG \
  --scopes "$VM_ID" \
  --condition "avg Available Memory Bytes < 524288000" \
  --window-size 5m \
  --evaluation-frequency 1m \
  --action "$AG_ID" \
  --severity 3 \
  --description "Available memory below 500 MB"

# Verify alerts
az monitor metrics alert list \
  --resource-group $RG \
  --query "[].{name:name, severity:severity, condition:criteria.allOf[0].metricName}" \
  -o table

⚠️ Tricky spot: Alert --window-size is the evaluation window (how long the condition must be true). --evaluation-frequency is how often Azure checks. window-size >= evaluation-frequency is required. If frequency is 1m and window is 5m, Azure checks every 1 minute whether the 5-minute average exceeded the threshold.

Step 6: Create an Activity Log Alert

Activity log alerts fire on Azure management operations:

SUBSCRIPTION_ID=$(az account show --query id -o tsv)

# Alert when any VM in the subscription is deleted
az monitor activity-log alert create \
  --name "alert-vm-deleted" \
  --resource-group $RG \
  --scope "/subscriptions/$SUBSCRIPTION_ID" \
  --condition "category=Administrative and operationName=Microsoft.Compute/virtualMachines/delete and status=Succeeded" \
  --action-group "$AG_ID" \
  --description "Alert when a VM is deleted anywhere in the subscription"

⚠️ Tricky spot: Activity log alerts use scope at the subscription level (or RG level) — not the individual resource. Metric alerts scope to individual resources or resource groups.

Step 7: Query Logs with KQL

Wait 10–15 minutes for some activity data to flow into the workspace, then:

# Get the workspace name and resource group for portal KQL
echo "Open portal → Log Analytics Workspaces → law-lab05 → Logs"

Run these KQL queries in the Log Analytics workspace portal UI:

// Query 1: Recent Azure activity in this resource group
AzureActivity
| where TimeGenerated > ago(1h)
| where ResourceGroup == "rg-az104-lab05"
| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller
| order by TimeGenerated desc

// Query 2: Count operations by type
AzureActivity
| where TimeGenerated > ago(24h)
| summarize count() by OperationNameValue
| order by count_ desc
| top 10 by count_

// Query 3: VM heartbeat check
Heartbeat
| where TimeGenerated > ago(30m)
| summarize LastHeartbeat = max(TimeGenerated) by Computer

⚠️ Tricky spot: Data may take 5–10 minutes to appear in Log Analytics after enabling diagnostic settings. If queries return empty results, wait and retry.

Step 8: Configure VM Backup

# Create a Recovery Services Vault
az backup vault create \
  --resource-group $RG \
  --name "rsv-lab05" \
  --location $LOCATION

# View available backup policies
az backup policy list \
  --resource-group $RG \
  --vault-name "rsv-lab05" \
  --query "[].name" \
  -o tsv

# Enable backup for the VM using DefaultPolicy
az backup protection enable-for-vm \
  --resource-group $RG \
  --vault-name "rsv-lab05" \
  --vm "vm-monitor" \
  --policy-name "DefaultPolicy"

# Trigger an immediate backup (don't wait for scheduled)
az backup protection backup-now \
  --resource-group $RG \
  --vault-name "rsv-lab05" \
  --container-name "IaasVMContainer;iaasvmcontainerv2;rg-az104-lab05;vm-monitor" \
  --item-name "VM;iaasvmcontainerv2;rg-az104-lab05;vm-monitor" \
  --backup-management-type AzureIaasVM \
  --retain-until "01-01-2026"

Wait for the backup job to complete:

# Monitor backup job status
az backup job list \
  --resource-group $RG \
  --vault-name "rsv-lab05" \
  --query "[0].{jobId:name, status:properties.status, operation:properties.operation}" \
  -o table

Step 9: List Recovery Points

# List available recovery points (run after backup completes)
az backup recoverypoint list \
  --resource-group $RG \
  --vault-name "rsv-lab05" \
  --container-name "IaasVMContainer;iaasvmcontainerv2;rg-az104-lab05;vm-monitor" \
  --item-name "VM;iaasvmcontainerv2;rg-az104-lab05;vm-monitor" \
  --backup-management-type AzureIaasVM \
  --query "[].{name:name, time:properties.recoveryPointTime, type:properties.recoveryPointType}" \
  -o table

⚠️ Tricky spot: Container name and item name use semicolon-separated compound identifiers. The format is: IaasVMContainer;iaasvmcontainerv2;<resource-group>;<vm-name>. Getting these wrong is the #1 reason backup CLI commands fail. You can get the exact values with az backup item list.

Step 10: Clean Up

# Disable backup protection first (required before deleting vault)
az backup protection disable \
  --resource-group $RG \
  --vault-name "rsv-lab05" \
  --container-name "IaasVMContainer;iaasvmcontainerv2;rg-az104-lab05;vm-monitor" \
  --item-name "VM;iaasvmcontainerv2;rg-az104-lab05;vm-monitor" \
  --backup-management-type AzureIaasVM \
  --delete-backup-data true \
  --yes

# Then delete resource group
az group delete --name $RG --yes --no-wait

⚠️ Tricky spot: You cannot delete a Recovery Services vault if it has active backup items or ASR replication. Always disable protection (with --delete-backup-data true) before deleting the vault.

Lab Tricky Spots Summary

Lab Takeaways

1. Azure Monitor has two data types — metrics (automatic, 93 days) and logs (require workspace, 30 days default). Know which one you're querying.
2. Three alert types — metric (threshold on numeric value), log query (KQL result), activity log (Azure management operation). Match the right alert type to the scenario.
3. Recovery Services vault is required for VM backup and ASR. The vault must be in the same region as the VM.
4. Backup soft delete means deleted backup data persists for 14 days. You cannot delete the vault until all backup data is purged.
5. Test your DR — ASR test failover and backup restore drills should be scheduled regularly, not just done once.

Domain 5: Practice Q&A — Monitor and Maintain

Answer each question before expanding the solution. Aim for under 2 minutes per question.

Q1

A VM's CPU percentage data is available in Azure Monitor's Metrics Explorer and shows data for the last 60 days. A security engineer wants to query this same metric data using KQL alongside log data. What must be done first?

• A. Nothing — CPU metric data is automatically available in Log Analytics
• B. Enable Diagnostic Settings on the VM to route platform metrics to a Log Analytics workspace
• C. Install the Azure Monitor Agent on the VM
• D. Create a custom metric namespace in Azure Monitor

Q2

Your team needs to receive an email when any resource in a specific resource group is deleted. Which alert type should you create?

• A. Metric alert scoped to the resource group
• B. Log query alert on the AzureMetrics table
• C. Activity log alert scoped to the resource group
• D. Resource health alert for the resource group

Q3

You configure an Azure Backup policy for a VM with:

• Daily backups retained for 7 days
• Weekly backups retained for 4 weeks

A junior admin accidentally runs az backup protection disable --delete-backup-data true on the protected VM. What happens to the existing backup data?

• A. All backup data is immediately and permanently deleted
• B. Backup data is moved to soft-delete state and retained for 14 days before permanent deletion
• C. The backup policy prevents deletion — admin must have Backup Contributor role
• D. The vault retains the data according to the original retention policy (7 days daily, 4 weeks weekly)

Q4

You deploy a Standard Load Balancer with a backend pool of VMs. You want to alert your team if the Load Balancer's data path availability drops below 90% for more than 10 minutes. Which alert type is appropriate?

• A. Activity log alert
• B. Metric alert
• C. Log query alert
• D. Service health alert

Q5

You use Azure Site Recovery to replicate a VM from East US to West US. During a DR drill, you perform a test failover. What is true about the test failover?

• A. The production VM in East US is shut down and traffic shifts to West US
• B. Replication is paused during the test failover
• C. A new VM is started in West US in an isolated virtual network — production is not affected
• D. The test failover permanently fails over the VM — you must fail back manually to restore production

Q6

A company has an RTO of 1 hour and an RPO of 15 minutes for a critical Azure VM. Which solution meets BOTH requirements?

• A. Azure Backup with daily backup policy
• B. Azure Site Recovery replicating to a secondary region
• C. Geo-redundant Storage for VM disks
• D. Availability Zones with Standard Load Balancer

Q7

Azure Advisor shows a recommendation to "Enable soft delete for your Recovery Services vault." Your vault already has soft delete enabled. Why might Advisor still show this recommendation?

• A. Advisor recommendations are cached and may lag up to 24 hours
• B. Advisor requires a Log Analytics workspace linked to the vault to detect the setting
• C. Soft delete was recently disabled and re-enabled — Advisor needs a manual refresh
• D. Advisor recommendations cannot be dismissed and always appear even when resolved

AZ-104 Mock Exam

40 questions — 150 minutes allowed

Simulate real exam conditions: no notes, no hints. Record your answers, then check explanations at the end.

Score guide: 32–40 = pass-ready | 26–31 = review weak domains | < 26 = more study needed

Instructions

• Answer all 40 questions without peeking at explanations
• Note your confidence level (certain / unsure / guessing) next to each answer
• Expand explanations after finishing all questions

Domain 1 — Identities & Governance (~7 questions)

Q1

Your organization uses Microsoft Entra ID. A contractor needs access to a specific Azure virtual machine for 30 days. You must follow the principle of least privilege. Which approach is most appropriate?

• A. Add the contractor to the Global Administrator Entra role
• B. Create a user account and assign the Virtual Machine Contributor RBAC role scoped to the VM's resource group
• C. Create a user account and assign the Owner RBAC role at the subscription scope
• D. Share the subscription admin credentials

Q2

You assign a Deny policy that prevents creation of public IP addresses in a resource group. A Contributor tries to deploy a VM with a public IP. What happens?

• A. The deployment succeeds because RBAC Contributor overrides Azure Policy
• B. The deployment fails with RequestDisallowedByPolicy
• C. The deployment succeeds but the public IP is automatically removed after creation
• D. The policy only applies to existing resources, not new deployments

Q3

A user needs to be able to assign Azure RBAC roles to other users in a resource group, but must NOT be able to modify or delete resources. Which built-in role satisfies this?

• A. Contributor
• B. Owner
• C. User Access Administrator
• D. Role Based Access Control Administrator

Q4

You apply a ReadOnly lock to an Azure storage account. A user with the Owner role tries to list the storage account access keys. What is the result?

• A. The keys are listed successfully — Owner overrides locks
• B. The operation fails — ReadOnly locks prevent listKeys operations
• C. The keys are listed but not displayed to the user
• D. The lock must be removed by a Global Administrator first

Q5

You need to apply the same Azure Policy across all subscriptions in your organization, including subscriptions added in the future. What is the most scalable approach?

• A. Assign the policy to each subscription individually
• B. Use a script to assign the policy to new subscriptions when they're created
• C. Assign the policy at the Management Group scope
• D. Assign the policy at the tenant root subscription

Q6

You create a user-assigned managed identity and attach it to a VM. The VM is deleted and recreated. What happens to the managed identity?

• A. The managed identity is deleted with the VM
• B. The managed identity persists independently and can be attached to the new VM
• C. The managed identity must be recreated but retains its role assignments
• D. The managed identity is automatically transferred to the new VM

Q7

A Global Administrator assigns themselves the Contributor role on a subscription via Entra ID Privileged Identity Management. A colleague with only User Access Administrator on the subscription tries to remove this assignment. Will they succeed?

• A. Yes — User Access Administrator can remove any role assignment in scope
• B. No — only a Global Administrator can remove assignments made by another Global Administrator
• C. No — PIM-activated assignments can only be removed by the PIM service
• D. Yes — Contributor is a lower role than User Access Administrator, so UAA can remove it

Domain 2 — Storage (~8 questions)

Q8

You have a GPv2 storage account with blobs in the Hot tier. You want to automatically move blobs to Cool tier after 30 days and Archive after 90 days. What should you configure?

• A. Storage account replication policy
• B. Lifecycle management policy
• C. Soft delete retention policy
• D. Access tier policy in Diagnostic Settings

Q9

A user generates a Shared Access Signature (SAS) token with a 24-hour expiry directly from the storage account key. Two hours later, the security team realizes the SAS has been leaked. How should you revoke the SAS?

• A. Delete the SAS token from the storage account portal
• B. Rotate the storage account access key that was used to sign the SAS
• C. Enable soft delete on the storage account
• D. Change the storage account replication type to LRS

Q10

Your company stores compliance records in Azure Blob Storage. Regulations require that no one — not even storage administrators — can delete or modify records for 7 years. What feature should you configure?

• A. Soft delete with 7-year retention
• B. Resource lock (CanNotDelete) on the container
• C. WORM (Write Once, Read Many) immutability policy with time-based retention
• D. Storage account firewall to block all write operations

Q11

You have a storage account with GRS replication. The primary region fails. You want to read data from the secondary region immediately while failover is pending. What must be true?

• A. The storage account must use RA-GRS (Read-Access Geo-Redundant Storage)
• B. Any GRS storage account allows secondary read during primary failure
• C. The storage account must have geo-failover pre-configured
• D. You must contact Azure support to enable secondary access

Q12

A developer needs to access a specific blob in an Azure storage container without exposing the storage account key. The access should be valid for exactly 2 hours with read-only permissions. Which solution is most secure?

• A. Account SAS with read permission, 2-hour expiry, signed with account key
• B. User delegation SAS signed with Entra ID credentials, 2-hour expiry, read permission
• C. Service SAS for the specific blob, 2-hour expiry, signed with account key
• D. Share the container's anonymous access URL

Q13

An Azure blob is moved to the Archive tier. A developer immediately tries to read the blob. What happens?

• A. The read succeeds after a 1-second delay
• B. The blob is automatically rehydrated within 1 minute and then readable
• C. The read fails — Archive blobs are offline and must be rehydrated first (1–15 hours)
• D. Reading an archived blob is not possible — it must be deleted and re-uploaded

Q14

Which Azure Files protocol requires the client to use port 445 (outbound) to the storage account?

• A. NFS 4.1
• B. REST API
• C. SMB 3.x
• D. iSCSI

Q15

A blob storage container has public anonymous access disabled. A developer generates a Service SAS with Read permission on the container. Another developer uses that SAS to try to upload (write) a new blob. What happens?

• A. The upload succeeds because the SAS provides access to the container
• B. The upload fails — the SAS only grants Read permission; Write is denied with 403
• C. The upload fails because public access is disabled
• D. The upload succeeds but the blob is marked as read-only

Domain 3 — Compute (~10 questions)

Q16

You need to deploy 50 identical VMs that automatically scale based on CPU load. The VMs run a stateless web application. Which service is most appropriate?

• A. 50 individual VMs with Azure Autoscale
• B. Azure Virtual Machine Scale Set (VMSS)
• C. Azure Container Instances (ACI) with 50 containers
• D. Azure Kubernetes Service (AKS)

Q17

You deploy a VM in an Availability Set. A few months later, you want to move the VM to an Availability Zone for higher SLA. What must you do?

• A. Change the availability configuration in the VM settings
• B. Stop the VM and reassign it to an availability zone
• C. You cannot change availability configuration after VM creation — recreate the VM
• D. Detach the VM from the availability set, then assign it to a zone

Q18

An ARM template includes this expression:

"location": "[resourceGroup().location]"

What does this expression evaluate to?

• A. The location of the Azure subscription
• B. The location where the template is being deployed (the deployment command's --location)
• C. The Azure region of the resource group where the template is being deployed
• D. The default location configured in the user's Azure CLI profile

Q19

You deploy an App Service web app on a Basic (B1) plan. The app traffic doubles and you need to scale out to 3 instances. What must you do?

• A. Enable autoscale on the Basic plan
• B. Scale the instance count manually from 1 to 3 on the Basic plan
• C. Upgrade the App Service plan to Standard or above, then enable autoscale
• D. Create two additional App Service plans and configure traffic splitting

Q20

A VM that runs SQL Server needs the highest possible disk IOPS with low latency. You don't need zone redundancy. Which managed disk SKU should you choose?

• A. Standard HDD
• B. Standard SSD
• C. Premium SSD v2
• D. Ultra Disk

Q21

You are deploying Azure Bastion and encounter a deployment validation error. The VNet has a subnet named AzureBastion with a /26 prefix. What is causing the error?

• A. The subnet prefix is too small — Bastion requires a /25
• B. The subnet must be named exactly AzureBastionSubnet — the name AzureBastion is invalid
• C. Bastion requires an NSG on the dedicated subnet
• D. The VNet must have at least 3 subnets for Bastion to deploy

Q22

A development team wants to run a containerized data pipeline job. The job runs for 2–3 hours nightly and then terminates. They want zero idle cost when the job isn't running. Which compute option best fits?

• A. Azure Kubernetes Service with one node pool (1 node)
• B. Azure App Service on a Basic plan
• C. Azure Container Instances (ACI)
• D. Azure VM with Docker installed

Q23

You deploy an ARM template with what-if and see a resource listed as ~ Modify. What does this indicate?

• A. The resource will be deleted and recreated with a new configuration
• B. The resource will be updated in place with new property values
• C. The resource has conflicting configurations that must be resolved before deployment
• D. The resource is outside the template scope and will not be affected

Q24

You configure a VMSS autoscale rule: scale in by 2 instances when CPU < 20% for 10 minutes. The current instance count is 4 (minimum is 2). After 10 minutes of < 20% CPU, how many instances remain?

• A. 2 — scale in by 2, hitting the minimum
• B. 3 — scale in by 1 (can't go below minimum, so only removes 1)
• C. 4 — scale-in rules only fire once per hour
• D. 2 — scale in removes all instances below the average threshold

Q25

Which statement about system-assigned vs user-assigned managed identities is correct?

• A. System-assigned identities can be shared across multiple VMs
• B. User-assigned identities are deleted when the associated VM is deleted
• C. User-assigned identities have a lifecycle independent of the resource they're attached to
• D. System-assigned identities can be assigned custom RBAC roles but user-assigned cannot

Domain 4 — Networking (~9 questions)

Q26

Two VMs in the same VNet (different subnets) cannot communicate. Which is the most likely cause?

• A. VMs in different subnets cannot communicate by default
• B. A Network Security Group rule is blocking the traffic
• C. The subnets are in different availability zones
• D. VNet routing requires VPN Gateway for intra-VNet traffic

Q27

You need to allow traffic on port 443 from a specific application server group to a database group, regardless of IP addresses, so that you don't have to update NSG rules when IPs change. What should you use?

• A. Service Tags
• B. Application Security Groups (ASGs)
• C. Custom route tables
• D. Private Link Service

Q28

You create a VNet-to-VNet connection between VNet-East (East US) and VNet-West (West US) using VPN Gateway. What type of VPN should you use?

• A. Policy-based VPN
• B. Route-based VPN
• C. ExpressRoute circuit
• D. Global VNet peering

Q29

You configure a Standard Load Balancer with a health probe on HTTP port 80. Backend VMs run a web app on port 80 but also have an NSG on their NIC blocking all inbound traffic (default deny only). Users cannot reach the application. What change fixes this?

• A. Change the health probe from HTTP to TCP
• B. Add an NSG rule allowing inbound from the AzureLoadBalancer service tag on port 80
• C. Upgrade the LB SKU to Premium
• D. Associate the NSG with the subnet instead of the NIC

Q30

Your organization has a hub VNet with a VPN Gateway and multiple spoke VNets. Spoke A needs to communicate with on-premises resources via the hub's VPN Gateway. You've configured peering from Hub to Spoke A. What additional settings must be configured?

• A. Enable useRemoteGateways on the Hub-to-SpokeA peering
• B. Enable allowGatewayTransit on the Hub-to-SpokeA peering AND useRemoteGateways on the SpokeA-to-Hub peering
• C. Create a VPN Gateway in Spoke A as well
• D. Enable global peering on both peering connections

Q31

You create a Private Endpoint for an Azure SQL server in your VNet. A VM in the VNet tries to connect to contoso.database.windows.net and reaches the public IP. What is likely misconfigured?

• A. The Private Endpoint is in the wrong subnet
• B. DNS is not resolving to the private IP — the DNS zone for the private endpoint is not linked to the VNet
• C. The NSG on the VM's subnet is blocking SQL traffic
• D. Private Endpoints only work for Blob storage, not SQL

Q32

You have a subnet with a route table containing:

• Route 1: 0.0.0.0/0 → next hop VirtualAppliance → 10.0.0.4
• Route 2: 10.1.0.0/16 → next hop VirtualNetwork

Traffic to 10.1.5.10 takes which path?

• A. Through the VirtualAppliance at 10.0.0.4 (route 1 applies because 0.0.0.0/0 is the catch-all)
• B. Directly within the VNet (route 2 applies because 10.1.0.0/16 is more specific)
• C. Dropped — conflicting routes cause traffic to be black-holed
• D. Split 50/50 between both routes (Azure load-balances equal routes)

Q33

You need to allow on-premises users to access an Azure Storage account privately — using its private IP — over an existing ExpressRoute circuit. Which feature enables this?

• A. Service Endpoint for Storage
• B. Private Endpoint for the Storage account
• C. ExpressRoute Microsoft Peering
• D. Storage account network firewall rule for ExpressRoute

Q34

An NSG has these inbound rules:

• Priority 100: Allow TCP 80 from Internet
• Priority 200: Deny All from Internet
• Priority 65500: DenyAllInBound (default)

Traffic on TCP port 80 from the internet — what happens?

• A. Allowed — rule 100 (Allow TCP 80) is evaluated first and matches
• B. Denied — rule 200 (Deny All) also matches and overrides rule 100
• C. Denied — the default deny rule at 65500 applies to all internet traffic
• D. Allowed only if the VM also has an NSG on its NIC

Domain 5 — Monitor & Maintain (~6 questions)

Q35

You want to receive an email notification when a VM in a production resource group is deleted by any user. Which alert type and scope should you configure?

• A. Metric alert scoped to the VM
• B. Activity log alert scoped to the resource group
• C. Log query alert using AzureMetrics table
• D. Resource health alert scoped to the subscription

Q36

A Log Analytics query returns an empty result set immediately after you enable Diagnostic Settings on a new VM. What is the most likely explanation?

• A. The VM must be restarted to begin sending logs
• B. Data ingestion has a delay of 5–10 minutes after enabling Diagnostic Settings
• C. The KQL query syntax is incorrect
• D. Log Analytics workspaces only accept data from VMs in the same region

Q37

Your organization's RTO is 30 minutes and RPO is 1 hour for a critical VM. Which service should you use?

• A. Azure Backup with hourly backup policy
• B. Azure Site Recovery with continuous replication
• C. Azure Backup with daily backup + geo-redundant vault
• D. Availability Zones with Standard Load Balancer

Q38

A KQL query in Log Analytics:

AzureActivity
| where TimeGenerated > ago(24h)
| summarize count() by OperationNameValue
| order by count_ desc
| top 5 by count_

What does this query return?

• A. All Azure activity in the last 24 hours
• B. The 5 most frequent Azure management operations in the last 24 hours
• C. The 5 most recent Azure management operations
• D. A summary of all operation types with counts, sorted alphabetically

Q39

You delete a backup item from a Recovery Services vault. 10 days later, you realize you need the data. Is recovery possible?

• A. No — backup data is permanently deleted immediately when the item is removed
• B. Yes — soft delete retains deleted backup data for 14 days by default
• C. Yes — only if you had geo-redundant vault replication enabled
• D. No — Recovery Services vaults do not support soft delete for VM backups

Q40

Azure Advisor identifies that a VM is running at < 5% average CPU over the past 14 days. What type of recommendation does Advisor provide for this VM?

• A. Security recommendation — disable unused VM extensions
• B. Cost recommendation — right-size or shut down the underutilized VM
• C. Operational Excellence recommendation — enable diagnostic settings
• D. Performance recommendation — increase VM CPU allocation

Score Yourself

Passing Score Analysis

Weak Area Guidance