AZ-104 is about to get a major update, with section score weighting changes, new topics being added, and some topics being removed. Let’s start by taking a look at some of the items that have been removed, along with some potential reasons for their removal.
On the Azure AD front, Administrative Units and device settings and device identity have been removed. Both of these are usually better suited to a Microsoft 365 exam, and device settings in particular is one that I always thought of as a bit of a weird inclusion due to it being much more desktop management oriented, rather than something that an Azure administrator really needed to know much about.
Some of the non-AAD removals include custom Azure roles, virtual machine extensions, Azure Compute Gallery, AKS, and the Import/Export service. As to why these were removed, I would still expect to see them referenced in some places in the exam, even if they aren’t a focus area any longer.
The major addition was Bicep being added alongside ARM templates. This was something that was inevitable, so it wasn’t too much of a surprise. The storage section got a restructure, with three items jumping out as new additions – storage account encryption, snapshots and soft delete for Azure Files and blob versioning.
The expectation of what an Azure Administrator should be familiar with constantly evolves, and while many admins maybe have been able to take their on-premises knowledge of virtual machines, operating systems, networking and storage across to Azure with little effort, there is now an expectation that some of those IaaS workloads are slowly but surely being moved across to PaaS offerings. Notice I’m not saying all workloads are expected to move, but some of them certainly are. If you have come from more of an IaaS background, this means you will need to focus on these areas.
This doesn’t mean that those focused on PaaS workloads don’t have to put in effort as well. Understanding networking technologies and and traditional compute models is still a major, though shrinking part of the exam, and one of the common issues I’ve seen with people who fail this exam is that it’s a lack of core networking skills that let them down. There have been some consolidations in the networking sections of the exam, but the reality is that nothing has been removed, with the assumption that an admin has a basic level of knowledge of networking concepts.
Regardless of where your skills are strongest, the important thing is to focus on your weakness with your exam preparation, rather than getting too carried away learning about the things you already work with. An example of this is that if you work mostly with SaaS via Microsoft 365, you may already have a strong enough set of skills to get through the identity questions without a challenge. Instead go through the resources listed below to make sure you aren’t missing anything before sitting for the exam.
Manage Azure identities and governance (20-25%)
Manage Azure AD users and groups
-
Create users and groups
-
Manage user and group properties
-
Manage licenses in Azure AD
-
Manage external users
-
Configure self-service password reset (SSPR)
Manage access to Azure Resources
-
Manage built-in Azure roles
-
Assign roles at different scopes
-
Interpret access assignments
Manage Azure subscriptions and governance
-
Implement and manage Azure Policy
-
Configure resource locks
-
Apply and manage tags on resources
-
Manage resource groups
-
Manage subscriptions
-
Manage costs by using alerts, budgets, and recommendations
-
Configure management groups
Implement and manage storage (15-20%)
Configure access to storage
-
Configure Azure Storage firewalls and virtual networks
-
Create and use shared access signature (SAS) tokens
-
Configure stored access policies
-
Manage access keys
-
Configure identity-based access for Azure Files
Configure and manage storage accounts
-
Create and configure storage accounts
-
Configure Azure Storage redundancy
-
Configure object replication
-
Configure storage account encryption
-
Manage data by using Azure Storage Explorer and AzCopy
Configure Azure Files and Azure Blob Storage
-
Create and configure a file share in Azure Storage
-
Create and configure a container in Blob Storage
-
Configure storage tiers
-
Configure snapshots and soft delete for Azure Files
-
Configure blob lifecycle management
-
Configure blob versioning
Deploy and manage Azure compute resources (20-25%)
Automate deployment and configuration of VMs by using Azure Resource Manager (ARM) templates or Bicep files
-
Interpret an ARM template or a Bicep file
-
Modify an existing ARM template
-
Modify an existing Bicep file
-
Deploy resources by using an ARM template or a Bicep file
-
Export a deployment as an ARM template or compile a deployment as a Bicep file
Create and configure virtual machines
-
Create a virtual machine
-
Configure Azure Disk Encryption
-
Move a virtual machine to another resource group, subscription, or region
-
Manage virtual machine sizes
-
Manage virtual machine disks
-
Deploy virtual machines to availability zones and availability sets
-
Deploy and configure an Azure Virtual Machine Scale Sets
Provision and manage containers in the Azure portal
-
Create and manage an Azure container registry
-
Provision a container by using Azure Container Instances
-
Provision a container by using Azure Container Apps
-
Manage sizing and scaling for containers, including Azure Container Instances and Azure Container Apps
Create and configure Azure App Service
-
Provision an App Service plan
-
Configure scaling for an App Service plan
-
Create an App Service
-
Configure certificates and TLS for an App Service
-
Map an existing custom DNS name to an App Service
-
Configure backup for an App Service
-
Configure networking settings for an App Service
-
Configure deployment slots for an App Service
Configure and manage virtual networking (15-20%)
Configure and manage virtual networks in Azure
-
create and configure virtual networks and subnets
-
Create and configure virtual network peering
- Virtual network peering overview
- Azure Virtual Network frequently asked questions (FAQ) VNet Peering
- Tutorial: Connect virtual networks with virtual network peering using the Azure portal
- Create a virtual network peering – different deployment models, same subscription
- Create, change, or delete a virtual network peering
-
Configure private and public IP addresses
-
Configure user-defined network routes
-
Troubleshoot network connectivity
Configure secure access to virtual networks
-
Create and configure network security groups (NSGs) and application security groups (ASGs)
-
Evaluate effective security rules in NSGs
-
Implement Azure Bastion
-
Configure service endpoints for Azure platform as a service (PaaS)
-
Configure private endpoints for Azure PaaS
Configure name resolution and load balancing
-
Configure Azure DNS
- What is Azure DNS?
- What is Azure Private DNS?
- Quickstart: Create an Azure DNS zone and record using the Azure portal
- Azure DNS FAQ
- Name resolution for resources in Azure virtual networks
- Use Azure DNS to provide custom domain settings for an Azure service
- Tutorial: Host your domain in Azure DNS
- Quickstart: Create an Azure private DNS zone using the Azure portal
-
Configure an internal or public load balancer
-
Troubleshoot load balancing
Monitor and maintain Azure resources (10-15%)
Monitor resources in Azure
-
Interpret metrics in Azure Monitor
-
Configure log settings in Azure Monitor
-
Query and analyze logs in Azure Monitor
-
Set up alert rules, action groups, and alert processing rules in Azure Monitor
-
Configure and interpret monitoring of virtual machines, storage accounts, and networks by using Azure Monitor Insights
-
Use Azure Network Watcher and Connection Monitor
Implement backup and recovery
-
Create a Recovery Services Vault
-
Create an Azure Backup vault
-
Create and configure backup policy
-
Perform backup and restore operations by using Azure Backup
-
Configure Azure Site Recovery for Azure resources
-
Perform failover to a secondary region by using Site Recovery
-
Configure and interpret reports and alerts for backups