AZ-104 Microsoft Azure Administrator Exam Resource Guide (July 2023 Update)

AZ-104 is about to get a major update, with section score weighting changes, new topics being added, and some topics being removed. Let’s start by taking a look at some of the items that have been removed, along with some potential reasons for their removal.

On the Azure AD front, Administrative Units and device settings and device identity have been removed. Both of these are usually better suited to a Microsoft 365 exam, and device settings in particular is one that I always thought of as a bit of a weird inclusion due to it being much more desktop management oriented, rather than something that an Azure administrator really needed to know much about.

Some of the non-AAD removals include custom Azure roles, virtual machine extensions, Azure Compute Gallery, AKS, and the Import/Export service. As to why these were removed, I would still expect to see them referenced in some places in the exam, even if they aren’t a focus area any longer.

The major addition was Bicep being added alongside ARM templates. This was something that was inevitable, so it wasn’t too much of a surprise. The storage section got a restructure, with three items jumping out as new additions – storage account encryption, snapshots and soft delete for Azure Files and blob versioning.

The expectation of what an Azure Administrator should be familiar with constantly evolves, and while many admins maybe have been able to take their on-premises knowledge of virtual machines, operating systems, networking and storage across to Azure with little effort, there is now an expectation that some of those IaaS workloads are slowly but surely being moved across to PaaS offerings. Notice I’m not saying all workloads are expected to move, but some of them certainly are. If you have come from more of an IaaS background, this means you will need to focus on these areas.

This doesn’t mean that those focused on PaaS workloads don’t have to put in effort as well. Understanding networking technologies and and traditional compute models is still a major, though shrinking part of the exam, and one of the common issues I’ve seen with people who fail this exam is that it’s a lack of core networking skills that let them down. There have been some consolidations in the networking sections of the exam, but the reality is that nothing has been removed, with the assumption that an admin has a basic level of knowledge of networking concepts.

Regardless of where your skills are strongest, the important thing is to focus on your weakness with your exam preparation, rather than getting too carried away learning about the things you already work with. An example of this is that if you work mostly with SaaS via Microsoft 365, you may already have a strong enough set of skills to get through the identity questions without a challenge. Instead go through the resources listed below to make sure you aren’t missing anything before sitting for the exam.

Manage Azure identities and governance (20-25%)

Manage Azure AD users and groups

• Create users and groups
  • Creating a new user in Azure ADAdd or delete users using Azure Active Directory
  • Create a group (Azure portal)
  • Create or update a dynamic group in Azure Active Directory
  • Create a basic group and add members using Azure Active Directory
  • Bulk import group members in Azure Active Directory
• Manage user and group properties
  • Add or remove group owners
  • Add or update a user’s profile information using Azure Active Directory
  • Edit your group information using Azure Active Directory
  • Administrative units
• Manage licenses in Azure AD
  • Group-based licensing
  • Manage user accounts and licenses
• Manage external users
  • Add guest users
  • Assign role to guest user
  • Restrict guest user access
  • What is guest user access in Azure Active Directory B2B?
  • Manage guest access with Azure AD access reviews
  • Quickstart: Add guest users to your directory in the Azure portal
• Configure self-service password reset (SSPR)
  • Plan an Azure Active Directory self-service password reset
  • Licensing requirements for Azure AD self-service password reset
  • How it works: Azure AD self-service password reset

Manage access to Azure Resources

• Manage built-in Azure roles
  • What is Azure role-based access control (Azure RBAC)?
  • List Azure role definitions 
  • List Azure role assignments using the Azure portal 
  • Best practices for Azure RBAC
• Assign roles at different scopes
  • Add or remove role assignments using Azure RBAC and the Azure portal
  • Tutorial: Create a custom role for Azure resources using Azure PowerShell
  • Tutorial: Create a custom role for Azure resources using Azure CLI
• Interpret access assignments
  • List role assignments using Azure RBAC and the Azure portal
  • Understand deny assignments for Azure resources

Manage Azure subscriptions and governance

• Implement and manage Azure Policy
  • What is Azure Policy?
  • Quickstart: Create a policy assignment to identify non-compliant resources
  • Tutorial: Create and manage policies to enforce compliance
• Configure resource locks
  • Lock resources to prevent unexpected changes
• Apply and manage tags on resources
  • Use tags to organize your Azure resources
• Manage resource groups
  • Manage Azure Resource Manager resource groups by using the Azure portal
  • Manage Azure resource groups by using Azure PowerShell
• Manage subscriptions
  • Create an additional Azure subscription
  • Change your Azure subscription to a different offer
• Manage costs by using alerts, budgets, and recommendations
  • What is Azure Cost Management and Billing?
  • Quickstart: Explore and analyze costs with cost analysis
• Configure management groups
  • Create management groups for resource organization and management
  • Manage your resources with management groups

Implement and manage storage (15-20%)

Configure access to storage

• Configure Azure Storage firewalls and virtual networks
  • Configure Azure Storage firewalls and virtual networks
• Create and use shared access signature (SAS) tokens
  • Delegate access with a shared access signature
  • Grant limited access to Azure Storage resources using shared access signatures (SAS)
• Configure stored access policies
  • Define a stored access policy
• Manage access keys
  • Manage storage account access keys
• Configure identity-based access for Azure Files
  • Authorize access to blobs and queues using Azure Active Directory

Configure and manage storage accounts

• Create and configure storage accounts
  • Storage account overview
  • Create an Azure Storage account
  • Upgrade to a general-purpose v2 storage account
• Configure Azure Storage redundancy
  • Azure Storage redundancy
• Configure object replication
  • Object replication
• Configure storage account encryption
  • Azure Storage encryption for data at rest
• Manage data by using Azure Storage Explorer and AzCopy
  • Get started with Storage Explorer
  • Get startedd with AzCopy

Configure Azure Files and Azure Blob Storage

• Create and configure a file share in Azure Storage
  • Quickstart: Create and manage Azure file shares with the Azure portalCreate an Azure file share
  • Planning for an Azure File Sync deployment
  • Tutorial: Extend Windows file servers with Azure File Sync
• Create and configure a container in Blob Storage
  • Quickstart: Upload, download, and list blobs with the Azure portal
• Configure storage tiers
  • Azure Blob storage: hot, cool, and archive access tiers
• Configure snapshots and soft delete for Azure Files
  • Enable soft delete
  • Share snapshots
• Configure blob lifecycle management
  • Configure a lifecycle management policy
• Configure blob versioning
  • Enable and manage blob versioning

Deploy and manage Azure compute resources (20-25%)

Automate deployment and configuration of VMs by using Azure Resource Manager (ARM) templates or Bicep files

• Interpret an ARM template or a Bicep file
  • What is Bicep?
  • Compare JSON and Bicep
• Modify an existing ARM template
  • Extend Azure Resource Manager template functionality
  • Azure Resource Manager templates overview
  • Tutorial: Create and deploy your first Azure Resource Manager template
• Modify an existing Bicep file
  • Understand the structure and syntax of Bicep files
• Deploy resources by using an ARM template or a Bicep file
  • Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal
  • Create deployment stacks
• Export a deployment as an ARM template or compile a deployment as a Bicep file
  • Download the template for a VM
  • Build

Create and configure virtual machines

• Create a virtual machine
  • Redeploy Windows virtual machine to new Azure node
  • Common PowerShell commands for Azure Virtual Networks
  • How to open ports to a virtual machine with the Azure portal
  • Create and manage a Windows virtual machine that has multiple NICs
• Configure Azure Disk Encryption
  • Azure Disk Encryption for Linux VMs
  • Azure Disk Encryption for Windows VMs
• Move a virtual machine to another resource group, subscription, or region
  • Move a Windows VM to another Azure subscription or resource group
• Manage virtual machine sizes
  • Resize a Windows VM
• Manage virtual machine disks
  • Attach a managed data disk to a Windows VM by using the Azure portal
  • Attach a data disk to a Windows VM with PowerShell
• Deploy virtual machines to availability zones and availability sets
  • Availability options for virtual machines in Azure
  • Manage the availability of Windows virtual machines in Azure
• Deploy and configure an Azure Virtual Machine Scale Sets
  • What are virtual machine scale sets?

Provision and manage containers in the Azure portal

• Create and manage an Azure container registry
  
  • Authenticate with an Azure container registry
• Provision a container by using Azure Container Instances
  • What is Azure Container Instances?
  • Container groups
• Provision a container by using Azure Container Apps
  • Quickstart: Deploy your first container app using the Azure portal
• Manage sizing and scaling for containers, including Azure Container Instances and Azure Container Apps
  • Quickstart: Deploy a container instance in Azure using the Azure portal
  • Quickstart: Deploy a container instance in Azure using the Azure CLI

Create and configure Azure App Service

• Provision an App Service plan
  • Azure App Service plan overview
• Configure scaling for an App Service plan
  • Manage an App Service plan in Azure
• Create an App Service
  • App Service overview
  • Create an ASP.NET Core web app in Azure
• Configure certificates and TLS for an App Service
  • Security in App Service
  • Security Baseline for App Service
  • Security Recommendations for App Service
• Map an existing custom DNS name to an App Service
  • Map custom domain
• Configure backup for an App Service
  • Back up an app
• Configure networking settings for an App Service
  • Virtual Network Integration
• Configure deployment slots for an App Service
  • Deployment best practices

Configure and manage virtual networking (15-20%)

Configure and manage virtual networks in Azure

• create and configure virtual networks and subnets
  • What is Azure Virtual Network?
  • Quickstart: Create a virtual network using the Azure portal
  • Manage subnets
  • Subnet extension
• Create and configure virtual network peering
  • Virtual network peering overview
  • Azure Virtual Network frequently asked questions (FAQ) VNet Peering
  • Tutorial: Connect virtual networks with virtual network peering using the Azure portal
  • Create a virtual network peering – different deployment models, same subscription
  • Create, change, or delete a virtual network peering
• Configure private and public IP addresses
  • Create, change, or delete a public IP address
  • Add, change, or remove IP addresses for an Azure network interface
• Configure user-defined network routes
  • Virtual network traffic routing
• Troubleshoot network connectivity
  • Diagnose on-premises connectivity via VPN gateways

Configure secure access to virtual networks

• Create and configure network security groups (NSGs) and application security groups (ASGs)
  • Create, change, or delete a network security group
  • Application security groups
  • Filter network traffic
• Evaluate effective security rules in NSGs
  • Create, change, or delete a network interface
• Implement Azure Bastion
  • Create an Azure Bastion host
• Configure service endpoints for Azure platform as a service (PaaS)
  • Service endpoints
  • Service endpoint policies
• Configure private endpoints for Azure PaaS
  • Private Link

Configure name resolution and load balancing

• Configure Azure DNS
  • What is Azure DNS?
  • What is Azure Private DNS?
  • Quickstart: Create an Azure DNS zone and record using the Azure portal
  • Azure DNS FAQ
  • Name resolution for resources in Azure virtual networks
  • Use Azure DNS to provide custom domain settings for an Azure service
  • Tutorial: Host your domain in Azure DNS
  • Quickstart: Create an Azure private DNS zone using the Azure portal
• Configure an internal or public load balancer
  • Tutorial: Balance internal traffic load with a Basic load balancer in the Azure portal
  • Create an internal load balancer by using the Azure PowerShell module
  • Quickstart: Create a Load Balancer to load balance VMs using the Azure portal
  • Application Gateway configuration overview
• Troubleshoot load balancing
  • Troubleshoot Azure Load Balancer

Monitor and maintain Azure resources (10-15%)

Monitor resources in Azure

• Interpret metrics in Azure Monitor
  • Metrics in Azure Monitor
  • Quickstart: Monitor an Azure resource with Azure Monitor
• Configure log settings in Azure Monitor
  • Get started with Log Analytics in Azure Monitor
• Query and analyze logs in Azure Monitor
  • Overview of log queries in Azure Monitor
• Set up alert rules, action groups, and alert processing rules in Azure Monitor
  • Create, view, and manage metric alerts using Azure Monitor
  • Metric Alerts with Dynamic Thresholds in Azure Monitor
  • Create Metric Alerts for Logs in Azure Monitor
• Configure and interpret monitoring of virtual machines, storage accounts, and networks by using Azure Monitor Insights
  
  • Overview of VM insights
  • Azure Monitor Network Insights
  • Use Storage insights
• Use Azure Network Watcher and Connection Monitor
  • What is Azure Network Watcher?
  • Troubleshoot Virtual Network Gateway and Connections using Azure Network Watcher Azure CLI
  • Troubleshoot connections with Azure Network Watcher using the Azure portal

Implement backup and recovery

• Create a Recovery Services Vault
  • Create a Recovery Services vault
• Create an Azure Backup vault
  • Create a Backup vault
• Create and configure backup policy
  • Manage Azure VM backups with Azure Backup service
• Perform backup and restore operations by using Azure Backup
  • Back up a virtual machine in Azure
  • Restore a disk and create a recovered VM in Azure
• Configure Azure Site Recovery for Azure resources
  • About Site Recovery
  • Set up disaster recovery of on-premises VMware virtual machines or physical servers to a secondary site
• Perform failover to a secondary region by using Site Recovery
  • Set up disaster recovery to a secondary Azure region
• Configure and interpret reports and alerts for backups
  • Configure Azure Backup reports