Microsoft Azure Administrator Cheat Sheet

AZ-104 Tests Azure Administration at Scale — Configuration and Troubleshooting, Not Theory

The exam tests whether you can manage Azure resources in production: identities, networking, storage, compute, and monitoring — under real operational constraints.

Among the harder certs
Avg: Approximately 62–67%
Pass: 750 / 1000
Most candidates understand Microsoft Azure Administrator concepts — and still fail. This exam tests how you apply knowledge under pressure.

AZ-104 Administration Domain Framework

AZ-104 covers five domains. Questions test implementation and troubleshooting scenarios. Networking and identity are the most heavily tested areas.

  1. Identity & Governance — Entra ID users/groups, RBAC, subscriptions, Azure Policy
  2. Storage — Storage accounts, Azure Files, Blob lifecycle, replication options
  3. Compute — VMs, availability sets/zones, VM Scale Sets, Azure Container Instances
  4. Networking — VNets, subnets, NSGs, Azure Load Balancer, VPN Gateway, DNS
  5. Monitoring — Azure Monitor, Log Analytics, Activity Log, Alerts, Backup

Wrong instinct vs correct approach

VMs in two different VNets need to communicate privately
✕ Wrong instinct

Create a VPN Gateway between the VNets

✓ Correct approach

Use VNet peering — it provides low-latency, private connectivity without the cost and complexity of a VPN Gateway; VPN Gateway is for on-premises to Azure connectivity

A web application needs to route traffic based on URL path
✕ Wrong instinct

Use Azure Load Balancer with backend pools

✓ Correct approach

Azure Load Balancer is Layer 4 and cannot inspect URLs. Use Application Gateway which provides Layer 7 path-based routing

Multiple administrators need consistent policies across subscriptions
✕ Wrong instinct

Apply Azure Policy to each subscription individually

✓ Correct approach

Use Management Groups — apply Azure Policy at the Management Group level so it cascades to all child subscriptions, ensuring consistent governance without per-subscription configuration

Know these cold

  • Availability Zones = datacenter-level HA; Availability Sets = rack/host-level HA within one datacenter
  • Application Gateway for Layer 7 (HTTP/HTTPS/WAF); Load Balancer for Layer 4 (TCP/UDP)
  • VNet peering for Azure-to-Azure low-latency; VPN Gateway for on-premises to Azure
  • GRS or GZRS for geo-redundant storage; LRS/ZRS for regional-only workloads
  • Azure Backup for data recovery; Azure Site Recovery for VM failover/DR
  • Management Groups enforce policy at scale — apply once, cascades to all subscriptions
  • RBAC assignments — Owner > Contributor > Reader; always assign at lowest required scope

Can you answer these without checking your notes?

In this scenario: "VMs in two different VNets need to communicate privately" — what should you do first?
Use VNet peering — it provides low-latency, private connectivity without the cost and complexity of a VPN Gateway; VPN Gateway is for on-premises to Azure connectivity
In this scenario: "A web application needs to route traffic based on URL path" — what should you do first?
Azure Load Balancer is Layer 4 and cannot inspect URLs. Use Application Gateway which provides Layer 7 path-based routing
In this scenario: "Multiple administrators need consistent policies across subscriptions" — what should you do first?
Use Management Groups — apply Azure Policy at the Management Group level so it cascades to all child subscriptions, ensuring consistent governance without per-subscription configuration

Common Exam Mistakes — What candidates get wrong

Confusing Availability Sets with Availability Zones

Availability Sets protect against hardware failures within a single datacenter (fault domains and update domains). Availability Zones protect against datacenter-level failures. AZ provides higher availability — AS does not protect against datacenter-level outages.

Misidentifying Azure Load Balancer vs. Application Gateway

Azure Load Balancer operates at Layer 4 (TCP/UDP). Application Gateway operates at Layer 7 with SSL termination, URL-based routing, and WAF. Selecting Load Balancer for HTTP(S) routing scenarios is wrong.

Not understanding VNet peering vs. VPN Gateway

VNet peering provides low-latency, private connectivity between Azure VNets — no gateway, no encryption overhead. VPN Gateway is for on-premises to Azure connectivity. Candidates apply VPN Gateway when peering is more appropriate.

Misapplying storage replication options

LRS (3 copies in one datacenter), ZRS (copies across zones), GRS (two regions), GZRS (zone-redundant + geo-redundant). Selecting LRS for workloads requiring geo-disaster recovery is a common exam error.

Treating Azure Backup and Azure Site Recovery as equivalent

Azure Backup protects against data loss (restore from backup). Azure Site Recovery provides business continuity by replicating VMs to a secondary region for failover. These serve different recovery objectives.

AZ-104 tests real Azure administration decisions. Test whether you can manage Azure resources in production scenarios.