11.2 Hands-On Lab Checklist and Command Review
Key Takeaways
- Hands-on review should cover portal paths, Azure CLI, PowerShell, and Bicep or ARM interpretation.
- Build checklists around complete administrator workflows rather than isolated commands.
- Practice troubleshooting evidence: effective routes, effective security rules, metrics, logs, backup jobs, and deployment errors.
- Know when a portal action is best for inspection and when CLI, PowerShell, or IaC is better for repeatability.
- Labs may appear in the exam experience, but Microsoft can remove them and does not publish a fixed lab list.
Hands-on work that survives exam pressure
AZ-104 is an administrator exam, so the final lab checklist should look like work an Azure administrator actually performs. Build, change, validate, and troubleshoot resources. Do not reduce lab practice to clicking through resource creation once. A good checklist forces you to answer three questions: what setting solves the requirement, what side effect does it create, and what evidence proves it worked.
Microsoft says role-based exams can include multiple-choice, build list, case studies, drag/drop, hot area, labs, mark and review, and other UI interactions shown in the exam sandbox. Labs may be present, and Microsoft can remove them at any time. That means hands-on practice is still essential, but you should not assume your exam will contain a specific lab count or a published lab catalog.
| Workflow | Practice task | Validation evidence |
|---|---|---|
| RBAC | Assign a built-in role at resource group scope | Access check, role assignment list, denied action outside scope |
| Policy | Assign a policy and remediate existing resources | Compliance state and remediation task result |
| Storage | Configure Blob soft delete, versioning, lifecycle, and SAS | Container settings, generated SAS scope, test access |
| VM | Deploy a VM with disk, NSG, Bastion, and backup | VM status, effective rules, backup job status |
| Networking | Configure peering, UDR, DNS, and private endpoint | Connection test, effective routes, DNS resolution |
| Monitoring | Create metric and log alerts with action groups | Fired alert, action group notification, query result |
Identity and governance checklist
Create users and groups in Microsoft Entra ID, invite an external user, and assign access through a group instead of a direct user assignment. Practice assigning Reader, Contributor, User Access Administrator, Storage Blob Data Contributor, and Virtual Machine Contributor at different scopes. Then remove a role and confirm that the principal loses the action. For governance, apply tags, create a budget, configure a cost alert, review Advisor recommendations, assign a policy, create an exemption only when the scenario supports it, and test a resource lock.
Useful command review:
```
az role assignment create --assignee <principalId> --role "Reader" --scope <scope>
az policy assignment create --name require-tag --policy <policyDefinitionId> --scope <scope>
az group update --name rg-prod --set tags.Environment=Prod tags.Owner=Ops
```
The command itself is not enough. Know the scope format, the difference between control-plane RBAC and data-plane roles, and the lock behavior. RBAC grants permissions, but a lock can still block management actions. Policy evaluates compliance and can deny or modify deployments depending on the effect.
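The interaction described above, scope inheritance, control-plane actions versus data-plane actions, and locks, can be modelled in a few lines. This is an added example, not part of the original checklist and not Azure's own evaluation code: the role definitions are abridged, the resource IDs are constructed, and `check_access` is a hypothetical helper that ignores deny assignments and conditions.

```python
from fnmatch import fnmatchcase

# Abridged copies of built-in role definitions (constructed; real roles list more entries).
BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers"
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": [], "dataActions": []},
    "Contributor": {"actions": ["*"], "dataActions": [],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Storage Blob Data Contributor": {
        "actions": [BLOB + "/read", BLOB + "/write", BLOB + "/delete"],
        "notActions": [],
        "dataActions": [BLOB + "/blobs/read", BLOB + "/blobs/write", BLOB + "/blobs/delete"]},
}

def matches(patterns, operation):
    """Case-insensitive wildcard match of an operation against role patterns."""
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def in_scope(scope, resource_id):
    """An assignment or lock at a scope is inherited by everything beneath it."""
    scope, rid = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return rid == scope or rid.startswith(scope + "/")

def check_access(assignments, locks, resource_id, operation, data_plane=False):
    """assignments: [(role, scope)]; locks: [(level, scope)], level CanNotDelete or ReadOnly."""
    granted = False
    for role, scope in assignments:
        if in_scope(scope, resource_id):
            role_def = ROLES[role]
            if data_plane:
                granted |= matches(role_def["dataActions"], operation)
            else:
                granted |= (matches(role_def["actions"], operation)
                            and not matches(role_def["notActions"], operation))
    if not granted:
        return "denied: no role assignment grants this"
    verb = operation.rsplit("/", 1)[-1].lower()
    for level, scope in locks:
        # Locks apply to control-plane operations only.
        if not data_plane and in_scope(scope, resource_id) and (
                verb == "delete" or (level == "ReadOnly" and verb != "read")):
            return f"blocked: {level} lock at {scope}"
    return "allowed"

# Constructed sample scopes.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/stlab"
```

Calling `check_access([("Contributor", RG)], [], SA, BLOB + "/blobs/read", data_plane=True)` returns a denial, which is the lab result to expect when a Contributor tries to read blobs with `--auth-mode login`.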
Storage checklist
Create a storage account with the correct redundancy for the scenario. Configure a Blob container, upload data with AzCopy, set access tiers, enable soft delete and versioning, create a lifecycle rule, and generate a SAS with minimal permissions and a short expiry. Configure Azure Files and identity-based access if the scenario requires SMB access controlled through identity. Practice storage firewall rules, selected networks, trusted Microsoft services, service endpoints, and private endpoints.
```
az storage account create --name <name> --resource-group <rg> --location <region> --sku Standard_LRS
az storage container create --name logs --account-name <account> --auth-mode login
azcopy copy ./logs "https://<account>.blob.core.windows.net/logs?<sas>" --recursive
```
Storage questions often hide the real issue in the access path. A SAS can grant permission, but it does not automatically bypass a storage firewall. An account key can be powerful, but a requirement for least privilege may point toward a SAS, stored access policy, managed identity, or Azure RBAC data role.
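To check a generated SAS against the "minimal permissions and a short expiry" requirement, read the token's own query fields rather than trusting the dialog you clicked through. The following is an added example, not from the original page: `audit_sas`, its 8-hour default limit, and both sample tokens (with placeholder signatures) are constructed for illustration, and it does not evaluate storage firewall rules, which apply independently of the SAS.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

def _utc(value):
    """Parse an ISO 8601 SAS timestamp; date-only values are treated as UTC midnight."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def audit_sas(token, needed="rl", max_lifetime=timedelta(hours=8), now=None):
    """Return findings for a SAS query string judged against a least-privilege requirement."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    # ss/srt appear only in an account SAS, which spans whole services.
    if "ss" in fields or "srt" in fields:
        findings.append("account SAS (ss/srt): covers whole services, not one container or blob")
    # sp holds one letter per permission (r=read, l=list, w=write, d=delete, ...).
    extra = "".join(sorted(set(fields.get("sp", "")) - set(needed)))
    if extra:
        findings.append(f"permissions beyond the requirement: {extra}")
    if "se" in fields:
        remaining = _utc(fields["se"]) - now
        if remaining <= timedelta(0):
            findings.append("token already expired")
        elif remaining > max_lifetime:
            findings.append(f"expiry too far out: {remaining} remaining")
    elif "si" not in fields:
        findings.append("no expiry (se) and no stored access policy (si)")
    # When spr is absent, both HTTPS and HTTP are accepted.
    if fields.get("spr") != "https":
        findings.append("HTTP not excluded: spr should be https")
    return findings

# Constructed sample tokens; the signatures are placeholders, not real values.
BROAD_SAS = ("?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup"
             "&se=2026-01-01T00:00:00Z&spr=https,http&sig=CONSTRUCTED")
TIGHT_SAS = "sv=2022-11-02&sr=c&sp=rl&se=2025-01-01T02:00:00Z&spr=https&sig=CONSTRUCTED"
```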
Compute checklist
Deploy a VM from the portal and from a template. Change VM size, attach a data disk, enable encryption at host when required, configure availability zones or availability sets, and test Bastion access. Create a VM Scale Set and observe scaling behavior. For platform compute, create an App Service plan, deploy a web app, configure TLS and custom DNS, create a deployment slot, swap slots, and configure backup. For containers, push an image to Azure Container Registry and run it through Azure Container Instances or Azure Container Apps.
```
az deployment group create --resource-group <rg> --template-file main.bicep --parameters main.bicepparam
az vm resize --resource-group <rg> --name vm1 --size Standard_D4s_v5
az acr build --registry <acrName> --image web:v1 .
```
Template review is a high-value final exercise. Read parameters, variables, resource dependencies, copy loops, outputs, and scope. If the task says modify the template, know whether the change belongs in the resource body, a parameter, a module, or the deployment command.
Networking and monitoring checklist
Create a VNet, subnets, NSGs, ASGs, route tables, public IPs, load balancers, private endpoints, and DNS zones. Peer VNets and test whether traffic flows as expected. Use effective security rules and effective routes before guessing. For monitoring, create diagnostic settings, send logs to a Log Analytics workspace, write a simple KQL query, configure metric and log alerts, attach an action group, and suppress noise with an alert processing rule when appropriate.
```
az network nic list-effective-nsg --resource-group <rg> --name <nic>
az network nic show-effective-route-table --resource-group <rg> --name <nic>
az monitor metrics list --resource <resourceId> --metric "Percentage CPU"
```
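Reading effective security rules is easier once you can reproduce the evaluation by hand: rules are processed in priority order, the first match decides, and inbound traffic must pass the subnet NSG and then the NIC NSG. This is an added example, not from the original page; it is a simplified model (inbound only, no protocol or destination matching), and the rule tuples, service tag prefixes, and helper names are constructed for illustration.

```python
import ipaddress

# Default inbound rules present in every NSG: (priority, name, source, ports, access).
DEFAULTS = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "Deny"),
]

def _src_match(source, ip, tags):
    if source == "*":
        return True
    prefixes = tags.get(source, [source])  # service tag, else a literal IP or CIDR
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)

def _port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def first_match(custom_rules, ip, port, tags):
    """Lowest priority number is evaluated first; the first matching rule decides."""
    for priority, name, source, ports, access in sorted(custom_rules + DEFAULTS):
        if _src_match(source, ip, tags) and _port_match(ports, port):
            return access, f"{name} ({priority})"

def effective_inbound(subnet_nsg, nic_nsg, ip, port, tags):
    """Inbound traffic is checked by the subnet NSG, then the NIC NSG; both must allow."""
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:  # no NSG associated at this level
            continue
        access, rule = first_match(rules, ip, port, tags)
        if access == "Deny":
            return "Deny", f"{level} NSG: {rule}"
    return "Allow", "allowed by every associated NSG"

# Constructed lab data: the subnet NSG allows SSH, a later NIC-level change denies it.
TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}
SUBNET_NSG = [(100, "Allow-SSH-Mgmt", "10.0.0.0/24", "22", "Allow")]
NIC_NSG = [(200, "Deny-SSH", "*", "22", "Deny")]
```

With this data, `effective_inbound(SUBNET_NSG, NIC_NSG, "10.0.0.5", 22, TAGS)` names the NIC-level deny rule, which is the same answer `list-effective-nsg` gives you without guessing at which level the block sits.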
Close every lab with cleanup and reflection. Delete test resources, confirm backup vault retention decisions before deletion, and record one command or portal path you had to look up. The goal is not to memorize every parameter. The goal is to recognize the command family, the required scope, and the evidence that proves the administrator decision was correct.
Why should final hands-on practice include validation steps?
A VM cannot connect to a target after an NSG change. Which evidence should you inspect before guessing?
Which statement about AZ-104 labs is appropriate?