Exam AZ-104 Microsoft Azure Administrator Resource Guide (July 2022 Update)

AZ-104 has just had an overhaul, and as with most exam update it includes some changes and clarifications, but this time there are also a few items that have been added and removed.

Added

• Application security groups
• Manage licenses in Azure AD
• custom Azure AD roles
• VM insights
• ASR failover
• storage access policies
• Azure Compute Gallery

Removed

• file sync service
• Azure FIrewall
• VPN GW
• Express Route
• Virtual Wan

Let’s focus on the items that were removed were on the networking side, and how to possibly interpret them. You probably noticed that all but one were networking related, and it’s important to note that they are potentially included in some of the other networking topics, as well as being more heavily covered in AZ-700. The other item on the list of removed items is the Azure file sync service. I think it’s fair to say that this is one that is way more suitable for the Azure hybrid Exams. I know that previously the inclusion of file sync was problematic for some people because of the Windows Server exposure that the technology requires.

The exam has also been slowly but surely moving away from being almost completely IaaS focused, with PaaS based objectives expanding further than they had previously. In some ways it has expanded into areas that were originally covered across AZ-100 and AZ-101 before they scaled back and combined into AZ-103, which was the predecessor to AZ-104.

I view this as a good thing, because one of the trends I was seeing for a while with the AZ-10x exams was that the people I saw do well in those exams were people with significant on-premises infrastructure experience, but those who were focused on non-IaaS Azure capabilities were more likely to struggle during the exam. It really seemed that these exams weren’t doing a great job of catering to those working with PaaS, but that has definitely changed.

The expectation of what an Azure Administrator should be familiar with constantly evolves, and while many admins maybe have been able to take their on-premises knowledge of virtual machines, operating systems, networking and storage across to Azure with little effort, there is now an expectation that some of those IaaS workloads are slowly but surely being moved across to PaaS offerings. Notice I’m not saying all workloads are expected to move, but some of them certainly are. If you have come from more of an IaaS background, this means you will need to focus on these areas.

This doesn’t mean that those focused on PaaS workloads don’t have to put in effort as well. Understanding networking technologies and and traditional compute models is still a major, though shrinking part of the exam, and one of the common issues I’ve seen with people who fail this exam is that it’s a lack of core networking skills that let them down. There have been some consolidations in the networking sections of the exam, but the reality is that nothing has been removed, with the assumption that an admin has a basic level of knowledge of networking concepts.

Regardless of where your skills are strongest, the important thing is to focus on your weakness with your exam preparation, rather than getting too carried away learning about the things you already work with. An example of this is that if you work mostly with SaaS via Microsoft 365, you may already have a strong enough set of skills to get through the identity questions without a challenge. Instead go through the resources listed below to make sure you aren’t missing anything before sitting for the exam.

Manage Azure identities and governance (15-20%)

Manage Azure AD objects

• create users and groups
  • Creating a new user in Azure AD
  • Add or delete users using Azure Active Directory
  • Create a group (Azure portal)
  • Create or update a dynamic group in Azure Active Directory
  • Create a basic group and add members using Azure Active Directory
• Manage licenses in Azure AD
  • Group-based licensing
  • Manage user accounts and licenses
• create administrative units
  • Administrative units
• manage user and group properties
  • Add or remove group owners
  • Add or update a user’s profile information using Azure Active Directory
  • Edit your group information using Azure Active Directory
• manage device settings and device identity
  • Manage device identities using the Azure portal
  • Enable enterprise state roaming
  • What is a device identity?
  • Azure AD joined devices
  • How to: Plan your Azure AD join implementation
• perform bulk user updates
  • Bulk import group members in Azure Active Directory
• manage guest accounts
  • Add guest users
  • Assign role to guest user
  • Restrict guest user access
  • What is guest user access in Azure Active Directory B2B?
  • Manage guest access with Azure AD access reviews
  • Quickstart: Add guest users to your directory in the Azure portal
• configure self-service password reset
  • Licensing requirements for Azure AD self-service password reset
  • Plan an Azure Active Directory self-service password reset
  • How it works: Azure AD self-service password reset

Manage role-based access control (RBAC)

• Create custom role-based access control (RBAC) and Azure AD roles
  • Tutorial: Create a custom role for Azure resources using Azure PowerShell
  • Tutorial: Create a custom role for Azure resources using Azure CLI
• provide access to Azure resources by assigning roles at different scopes
  • Add or remove role assignments using Azure RBAC and the Azure portal
• interpret access assignments
  • List role assignments using Azure RBAC and the Azure portal
  • Understand deny assignments for Azure resources

Manage subscriptions and governance

• Configure and manage Azure Policy
  • What is Azure Policy?
  • Quickstart: Create a policy assignment to identify non-compliant resources
  • Tutorial: Create and manage policies to enforce compliance
• configure resource locks
  • Lock resources to prevent unexpected changes
• Apply and manage tags on resources
  • Use tags to organize your Azure resources
• manage resource groups
  • Manage Azure Resource Manager resource groups by using the Azure portal
  • Manage Azure resource groups by using Azure PowerShell
• manage subscriptions
  • Create an additional Azure subscription
  • Change your Azure subscription to a different offer
• Manage costs by using alerts, budgets, and recommendations
  • What is Azure Cost Management and Billing?
  • Quickstart: Explore and analyze costs with cost analysis
• configure management groups
  • Create management groups for resource organization and management
  • Manage your resources with management groups

Implement and manage storage (15-20%)

Secure storage

• configure network access to storage accounts
  • Configure Azure Storage firewalls and virtual networks
• create and configure storage accounts
  • Storage account overview
  • Create an Azure Storage account
  • Upgrade to a general-purpose v2 storage account
• generate shared access signature (SAS) tokens
  • Delegate access with a shared access signature
  • Grant limited access to Azure Storage resources using shared access signatures (SAS)
• Configure stored access policies
  • Define a stored access policy
• manage access keys
  • Manage storage account access keys
• configure Azure AD Authentication for a storage account
  • Authorize access to blobs and queues using Azure Active Directory

Manage data in Azure storage accounts

• Create import and export jobs
  • Use the Azure Import/Export service to export data from Azure Blob storage
  • Use the Azure Import/Export service to import data to Azure Blob Storage
• anage data by using Azure Storage Explorer and AzCopy
  • Get started with Storage Explorer
  • Get startedd with AzCopy
• implement Azure Storage redundancy
  • Azure Storage redundancy
• configure object replication
  • Object replication

Configure Azure files and Azure blob storage

• create an Azure file share
  • Quickstart: Create and manage Azure file shares with the Azure portal
  • Create an Azure file share
  • Planning for an Azure File Sync deployment
  • Tutorial: Extend Windows file servers with Azure File Sync
• configure Azure blob storage
  • Quickstart: Upload, download, and list blobs with the Azure portal
• configure storage tiers
  • Azure Blob storage: hot, cool, and archive access tiers
• Configure blob lifecycle management
  • Configure a lifecycle management policy

Deploy and manage Azure compute resources (20-25%)

Automate deployment and configuration of VMs by using Azure Resource Manager

• modify an Azure Resource Manager template
  • Extend Azure Resource Manager template functionality
  • Azure Resource Manager templates overview
  • Tutorial: Create and deploy your first Azure Resource Manager template
• deploy from a template
  • Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal
• save a deployment as an ARM template
  • Download the template for a VM
• deploy virtual machine extensions
  • Azure virtual machine extensions and features
  • Custom Script Extension for Windows
  • Use the Azure Custom Script Extension Version 2 with Linux virtual machines

Create and configure VMs

• Create a VM
  • Redeploy Windows virtual machine to new Azure node
• Manage images by using the Azure Compute Gallery
  • Store and share resources in an Azure Compute Gallery
• configure Azure Disk Encryption
  • Azure Disk Encryption for Linux VMs
  • Azure Disk Encryption for Windows VMs
• move VMs from one resource group to another
  • Move a Windows VM to another Azure subscription or resource group
• manage VM sizes
  • Resize a Windows VM
• add data disks
  • Attach a managed data disk to a Windows VM by using the Azure portal
  • Attach a data disk to a Windows VM with PowerShell
• configure VM networking
  • Common PowerShell commands for Azure Virtual Networks
  • How to open ports to a virtual machine with the Azure portal
  • Create and manage a Windows virtual machine that has multiple NICs
• configure VM high availability options
  • Availability options for virtual machines in Azure
  • Manage the availability of Windows virtual machines in Azure
• deploy and configure VM scale sets
  • What are virtual machine scale sets?

Create and configure containers

• configure sizing and scaling for Azure Container Instances
  • What is Azure Container Instances?
  • Quickstart: Deploy a container instance in Azure using the Azure portal
  • Quickstart: Deploy a container instance in Azure using the Azure CLI
• configure container groups for Azure Container Instances
  • Container groups
• configure storage for Azure Kubernetes Service (AKS)
  • Concepts – Storage in Azure Kubernetes Services
• configure scaling for AKS
  • Scale an AKS cluster
• configure network connections for AKS
  • Network concepts for applications in Azure Kubernetes Service
• upgrade an AKS cluster
  • Upgrade an AKS cluster

Create and configure Azure App Service

• create an App Service plan
  • Azure App Service plan overview
• configure scaling settings in App Service plan
  • Manage an App Service plan in Azure
• create an App Service
  • App Service overview
  • Create an ASP.NET Core web app in Azure
• Secure an App Service
  • Security in App Service
  • Security Baseline for App Service
  • Security Recommendations for App Service
• configure custom domain names
  • Map custom domain
• configure backup for an App Service
  • Back up an app
• configure networking settings
  • Virtual Network Integration
• configure deployment settings
  • Deployment best practices

Configure and manage virtual networking (20-25%)

Configure virtual networks

• create and configure virtual networks and subnets
  • What is Azure Virtual Network?
  • Quickstart: Create a virtual network using the Azure portal
  • Manage subnets
  • Subnet extension
• Create and configure virtual network peering
  • Virtual network peering overview
  • Azure Virtual Network frequently asked questions (FAQ) VNet Peering
  • Tutorial: Connect virtual networks with virtual network peering using the Azure portal
  • Create a virtual network peering – different deployment models, same subscription
  • Create, change, or delete a virtual network peering
• configure private and public IP addresses
  • Create, change, or delete a public IP address
  • Add, change, or remove IP addresses for an Azure network interface
• configure user-defined network routes
  • Virtual network traffic routing
• configure Azure DNS
  • What is Azure DNS?
  • What is Azure Private DNS?
  • Quickstart: Create an Azure DNS zone and record using the Azure portal
  • Azure DNS FAQ
  • Name resolution for resources in Azure virtual networks
  • Use Azure DNS to provide custom domain settings for an Azure service
  • Tutorial: Host your domain in Azure DNS
  • Quickstart: Create an Azure private DNS zone using the Azure portal

Configure secure access to virtual networks

• create and configure network security groups (NSGs) and application security groups (ASGs)
  • Create, change, or delete a network security group
  • Application security groups
  • Filter network traffic
• evaluate effective security rules
  • Create, change, or delete a network interface
• implement Azure Bastion
  • Create an Azure Bastion host
• configure service endpoints on subnets
  • Service endpoints
  • Service endpoint policies
• configure private endpoints
  • Private Link

Configure load balancing

• configure Azure Application Gateway
  • Application Gateway configuration overview
• configure an internal or public load balancer
  • Tutorial: Balance internal traffic load with a Basic load balancer in the Azure portal
  • Create an internal load balancer by using the Azure PowerShell module
  • Quickstart: Create a Load Balancer to load balance VMs using the Azure portal
• troubleshoot load balancing
  • Troubleshoot Azure Load Balancer

Monitor virtual networking

• monitor on-premises connectivity
  • Diagnose on-premises connectivity via VPN gateways
• Configure and use Azure Monitor for Networks
  • Azure Monitor Network Insights
• use Azure Network Watcher
  • What is Azure Network Watcher?
• troubleshoot external networking
  • Troubleshoot Virtual Network Gateway and Connections using Azure Network Watcher Azure CLI
• troubleshoot virtual network connectivity
  • Troubleshoot connections with Azure Network Watcher using the Azure portal

Monitor and maintain Azure resources (10-15%)

Monitor resources by using Azure Monitor

• configure and interpret metrics
  • Metrics in Azure Monitor
  • Quickstart: Monitor an Azure resource with Azure Monitor
• configure Azure Monitor logs
  • Get started with Log Analytics in Azure Monitor
• query and analyze logs
  • Overview of log queries in Azure Monitor
• set up alerts and actions
  • Create, view, and manage metric alerts using Azure Monitor
  • Metric Alerts with Dynamic Thresholds in Azure Monitor
  • Create Metric Alerts for Logs in Azure Monitor
• Configure monitoring of VMs, storage accounts, and networks by using VM insights
  • Overview of VM insights
• Implement backup and recovery

• create an Azure Recovery Services Vault
  • Create a Recovery Services vault
• create an Azure Backup vault
  • Create a Backup vault
• create and configure backup policy
  • Manage Azure VM backups with Azure Backup service
• perform backup and restore operations by using Azure Backup
  • Back up a virtual machine in Azure
  • Restore a disk and create a recovered VM in Azure
• Configure Azure Site Recovery for Azure resources
  • About Site Recovery
  • Set up disaster recovery of on-premises VMware virtual machines or physical servers to a secondary site
• Perform failover to a secondary region by using Azure Site Recovery
  • Set up disaster recovery to a secondary Azure region
• configure and review backup reports
  • Configure Azure Backup reports