Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
Cheat sheet

Azure AZ-104 Cheat Sheet

Practice QuestionsStudy Guide

Identity + Governance

20-25%of exam

Entra IDRBACPolicyCostGovernance Picker

Storage

15-20%of exam

Storage AccessBlob + FilesRedundancySAS vs Key

Compute

20-25%of exam

VMsContainersApp ServiceCompute Picker

Virtual Networking

15-20%of exam

VNetNSGPrivate AccessLoad Balancing

Monitor + Maintain

10-15%of exam

Azure MonitorAlertsBackupRecovery Picker

Quick Facts

Exam
AZ-104
Credential
Azure Administrator
Pass
700+
Time
100 min assessment
Level
Associate
Renewal
Annual assessment
Core
Operate Azure

Scope Stack

Management group, subscription, group, resource.

MGSubscriptionRGResource

Entra ID vs RBAC

Entra ID

  • Authentication
  • Users/groups

RBAC

  • Authorization
  • Azure resources

Login vs permissions

Governance Picker

  1. Need sign-in controlEntra ID
  2. Need resource permissionsRBAC
  3. Need deny standardsPolicy
  4. Need no deleteLock
  5. Need cost groupingTags
  6. Need spend alertBudget
  7. Need subscription hierarchyManagement groups
  8. Need recommendationsAdvisor

Entra ID

Tenant
Identity boundary
User
Person identity
Group
Access collection
Guest
External user
SSPR
Password self-service
MFA
Extra sign-in proof
Conditional Access
Signal-based rules
PIM
Just-in-time roles

Policy vs Lock

Policy

  • Evaluate rules
  • Deny/audit/remediate

Lock

  • Prevent changes
  • Delete/read-only

Standard vs protection

RBAC + Governance

Owner
Full access
Contributor
Manage, no access
Reader
View only
User Access Admin
Assign roles
Management group
Subscription hierarchy
Policy
Enforce rules
Initiative
Policy bundle
Lock
Prevent changes

Cost + Tags

Tags
Metadata labels
Budget
Spend threshold
Cost alert
Spend notification
Advisor
Optimization recommendations
Resource group
Lifecycle container
Subscription
Billing boundary
Move
Check resource support
Template export
ARM baseline

Storage Redundancy

L local, Z zones, G geo.

LRSZRSGRSGZRS

SAS vs Key

SAS

  • Scoped token
  • Time-limited

Key

  • Account secret
  • Broad access

Delegate vs master

Storage Access

Access key
Account secret
SAS
Scoped delegated access
Stored policy
Revocable SAS control
Firewall
Network allowlist
Private endpoint
Private Link IP
Service endpoint
Subnet service route
Azure Files auth
Identity-based SMB
Encryption
Data protection

Blob + Files

Blob
Object storage
Container
Blob namespace
File share
SMB/NFS storage
Hot tier
Frequent access
Cool tier
Infrequent access
Archive tier
Offline cheapest
Soft delete
Recover deleted data
Lifecycle
Automated tiering

Redundancy + Tools

LRS
One datacenter
ZRS
Zone copies
GRS
Region pair async
GZRS
Zones plus region
AzCopy
Command transfer
Storage Explorer
Desktop management
Object replication
Blob copy policy
Snapshot
Point-in-time copy

Compute Picker

  1. Need OS controlVM
  2. Need identical VM scaleVMSS
  3. Need simple containerACI
  4. Need app-scale containersContainer Apps
  5. Need managed web appApp Service
  6. Need image storageACR
  7. Need IaC deploymentBicep
  8. Need staging swapSlots

Virtual Machines

VM size
CPU/memory profile
Managed disk
Azure-managed block
Availability set
Fault/update domains
Availability zone
Datacenter isolation
VMSS
Identical VM scale
Encryption at host
Host-level encryption
Bicep
Declarative IaC
ARM template
JSON IaC

Platform Compute

ACR
Container registry
ACI
Single container run
Container Apps
Serverless containers
App Service
Managed web apps
App Service Plan
Compute hosting plan
Deployment slot
Swap staging
Custom domain
DNS mapping
TLS cert
HTTPS binding

NSG vs ASG

NSG

  • Traffic rules
  • Subnet/NIC applied

ASG

  • VM grouping
  • Rule target

Filter vs group

VNet + Routing

VNet
Private network
Subnet
Address segment
Peering
VNet-to-VNet link
UDR
Custom route
Next hop
Route target
Public IP
Internet address
NAT Gateway
Outbound SNAT
Bastion
Browser RDP/SSH

LB vs App Gateway

Load Balancer

  • Layer 4
  • TCP/UDP

App Gateway

  • Layer 7
  • HTTP routing

Transport vs web

Network Security

NSG
Subnet/NIC filtering
ASG
App security grouping
Effective rules
Merged NSG view
Private endpoint
Private service IP
Service endpoint
Service route extension
Azure DNS
Public zones
Private DNS
Private resolution
VPN Gateway
Encrypted tunnel

Load Balancing

Load Balancer
Layer 4 distribution
App Gateway
Layer 7 routing
Backend pool
Target members
Health probe
Availability check
Rule
Frontend to backend
Inbound NAT
Port forwarding
Traffic Manager
DNS-based routing
Front Door
Global web entry

Monitor Flow

Collect, query, alert, act.

MetricsLogsAlertsActions

Monitor vs Service Health

Monitor

  • Your resources
  • Metrics/logs

Service Health

  • Azure incidents
  • Provider events

Workload vs platform

Recovery Picker

  1. Need VM backupRecovery vault
  2. Need backup scheduleBackup policy
  3. Need restore fileRecovery point
  4. Need DR replicationASR
  5. Need metrics alertAlert rule
  6. Need log queryKQL

Monitoring

Azure Monitor
Metrics and logs
Metric
Numeric time series
Log Analytics
KQL workspace
Diagnostic setting
Send platform logs
Alert rule
Condition trigger
Action group
Notification target
Insights
Curated monitoring
Network Watcher
Network diagnostics

Backup + Recovery

Recovery vault
Backup/ASR container
Backup vault
Newer backup container
Backup policy
Schedule and retention
Restore point
Recoverable snapshot
ASR
Replication/failover
Failover
Switch region
Backup report
Protection visibility
Soft delete
Backup protection

Common Traps

RBAC Inheritance

Child scopes inherit Deny can override

Locks

Override RBAC actions Not data protection

Private Endpoint

Private IP access Needs DNS alignment

SAS Revocation

Stored policy helps Ad hoc expires only

VM Move

Not always supported Validate before move

Alert Routing

Rule detects Action group notifies

Last Minute

  1. 1.Pass score is 700+
  2. 2.Blueprint changed April 2026
  3. 3.Entra authenticates; RBAC authorizes
  4. 4.Policy enforces; locks protect
  5. 5.SAS is scoped access
  6. 6.Private endpoint needs DNS
  7. 7.LB is Layer 4
  8. 8.App Gateway is Layer 7
  9. 9.Monitor queries your telemetry
  10. 10.ASR handles disaster recovery

Azure AZ-104

Practice QuestionsStudy GuideCheat SheetFlashcards
2 videos5 blogs

MCA Microsoft Certified Associate Azure Administrator Study Guide: Exam AZ-104 (Sybex Study Guide)

$28.04 · Buy on Amazon

Take courses on UdemyLearning path on Pluralsight
Same family resources

Explore More Microsoft Azure Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

Azure DP-700

Cheat SheetPractice QuestionsStudy GuideFlashcards
4 blogs

Azure AI-900

Cheat SheetPractice QuestionsStudy GuideFlashcards
1 video3 blogs

Azure AZ-900

Cheat SheetPractice QuestionsStudy GuideFlashcards
1 video2 blogs

Azure AI-102

Practice QuestionsStudy Guide
1 blog

Azure Data Engineering Associate (DP-203)

Practice Questions
2 blogs

Azure AZ-700

Practice Questions
1 blog

More From This Family

Videos and articles for deeper review.

VideoAZ-104 Study Plan 2026: Pass Azure Administrator ExamThis examVideoFREE MD-102 Exam Guide 2026: Pass Microsoft Endpoint Administrator (Intune, Autopilot, Windows 11)This examVideoAI-900 Exam Guide 2026: FREE Azure AI Fundamentals Study PlanVideoAZ-900 Exam Guide 2026: Pass Azure Fundamentals Free (Complete Study Plan)ArticleAZ-104 Study Plan 2026: Pass Azure Administrator Exam17 min readArticleAzure vs AWS Certification 2026: Which Cloud Cert Should You Get First?19 min readArticleFREE AZ-700 Exam Guide 2026: 5 Domains, $165, Pass Score 700/100017 min readArticleFREE MD-102 Exam Guide 2026: Pass Microsoft Endpoint Administrator (Intune, Autopilot, Windows 11)24 min read