
Azure AZ-104 Cheat Sheet 2026

Everything you need on one page before exam day: domain weights, the identity, storage, compute and networking decision tables examiners love, must-know limits, and the traps that sink first-timers.

Questions: 40–60
Duration: 120 min
Pass score: 700/1000
Exam fee (USD): $165
Validity: 1 yr
Format: MCQ + labs

01 Domain weights

AZ-104 has five skill areas. Identity & governance and compute are the heaviest, but networking and storage together are almost as large — do not neglect them.

Manage Azure identities & governance: 20–25%
Deploy & manage Azure compute resources: 20–25%
Implement & manage storage: 15–20%
Configure & manage virtual networking: 15–20%
Monitor & maintain Azure resources: 10–15%
Read this first: AZ-104 is hands-on. Expect to know the Azure portal plus the Azure CLI and Azure PowerShell equivalents of each task — case studies and drag-and-drop items reward people who have actually built things, not just read about them.

02 Identity & governance

This is the largest and most cross-cutting area. Know who can sign in, what they are allowed to do, and how guardrails are enforced.

Microsoft Entra ID

Users · Groups · SSO · MFA

The identity provider (formerly Azure AD). Manage users and groups, enable single sign-on to apps, and require multi-factor authentication.

RBAC roles

Owner · Contributor · Reader · User Access Admin

Owner = full + assign access; Contributor = manage but not grant access; Reader = view only; User Access Administrator = manage access only.

Azure Policy vs RBAC

Allowed actions · Allowed resources

RBAC controls who can do something; Azure Policy controls what is allowed (e.g. only certain regions or SKUs) and can audit or deny.

Management groups & subscriptions

Hierarchy · Inheritance

Management group → subscription → resource group → resource. Policy and RBAC assignments inherit down the hierarchy.

Resource locks

CanNotDelete · ReadOnly

CanNotDelete blocks deletion but allows changes; ReadOnly blocks both modification and deletion. Locks override individual RBAC permissions.

Conditional Access

Signals · Decisions

If/then policies: require MFA, compliant device, or trusted location based on user, app, and risk. A Microsoft Entra ID P1/P2 feature.
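
How the cards in this section combine, as a simplified model added here (not Microsoft's implementation and not code from this page): a request succeeds only when an inherited RBAC role grants the action, no inherited policy denies the region, and no inherited lock blocks it. All scopes, users and regions are constructed sample data; the `assign_access` action name and the `decide` helper are hypothetical.

```python
# Simplified model (added example): RBAC + Azure Policy + locks over an inherited hierarchy.
# Every scope, user and region below is constructed sample data.
PARENT = {"vm-web1": "rg-web", "rg-web": "sub-prod",
          "sub-prod": "mg-corp", "mg-corp": None}

ROLE_ACTIONS = {  # "assign_access" is a hypothetical name for granting access
    "Owner": {"read", "write", "delete", "assign_access"},
    "Contributor": {"read", "write", "delete"},
    "Reader": {"read"},
    "User Access Administrator": {"read", "assign_access"},
}
ROLE_ASSIGNMENTS = [("alice", "Owner", "sub-prod"),
                    ("bob", "Contributor", "rg-web"),
                    ("carol", "Reader", "mg-corp"),
                    ("dave", "User Access Administrator", "sub-prod")]
ALLOWED_REGIONS = {"mg-corp": {"westeurope", "northeurope"}}  # policy with deny effect
LOCKS = {"rg-web": "CanNotDelete"}

def scope_chain(scope):
    """Return the scope followed by every ancestor up to the management group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]
    return chain

def decide(user, action, scope, region=None):
    """Return (allowed, reasons); every blocking check is listed."""
    chain, reasons, granted = scope_chain(scope), [], set()
    for who, role, at in ROLE_ASSIGNMENTS:       # RBAC: who may act
        if who == user and at in chain:          # assignments inherit downward
            granted |= ROLE_ACTIONS[role]
    if action not in granted:
        reasons.append(f"RBAC: no role grants {action}")
    for s in chain:
        allowed = ALLOWED_REGIONS.get(s)         # Policy: what may exist
        if action == "write" and region and allowed and region not in allowed:
            reasons.append(f"Policy at {s}: region {region} denied")
        lock = LOCKS.get(s)                      # Locks apply whatever the role
        if (lock == "CanNotDelete" and action == "delete") or \
           (lock == "ReadOnly" and action != "read"):
            reasons.append(f"Lock at {s}: {lock}")
    return not reasons, reasons
```

Calling `decide("bob", "write", "vm-web1", "eastus")` shows a Contributor blocked by Policy, and `decide("alice", "delete", "vm-web1")` shows an Owner blocked by the inherited CanNotDelete lock.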

03 Storage — redundancy & tiers

| Redundancy | Copies | Protects against |
| --- | --- | --- |
| LRS | 3 copies, one datacenter | Disk/server failure within a single facility. |
| ZRS | 3 copies across zones | A whole availability zone failing in the region. |
| GRS | LRS + async copy to paired region | A full regional outage (data also exists hundreds of km away). |
| GZRS | ZRS + async copy to paired region | Both zone and regional failure — the most durable option. |

ZRS vs GRS: ZRS protects against a zone failure within one region; GRS protects against a regional failure by replicating to the paired region. If a scenario says "survive an entire region going down", you need GRS or GZRS — ZRS alone is not enough.

Blob access tiers & storage types

| Choice | Use when |
| --- | --- |
| Hot tier | Frequently accessed data; highest storage cost, lowest access cost. |
| Cool tier | Infrequent access, stored at least 30 days. |
| Cold tier | Rarely accessed, stored at least 90 days; cheaper than Cool. |
| Archive tier | Long-term archive; offline, rehydration takes hours; lowest storage cost. |
| Azure Files vs Blob | Azure Files = managed SMB/NFS file share (lift-and-shift, mountable drive); Blob = object storage for unstructured data and apps. |

04 Compute

Virtual Machines

IaaS · Full control

Full OS control. You patch, scale, and secure the guest. Use when you need a specific OS, software, or legacy app.

VM Scale Sets

Uniform · Flexible

Identical VMs that autoscale. Uniform = large identical fleets; Flexible = mixed sizes and finer control across zones.

Availability Set vs Zone

Fault/Update domains · Zones

Availability Set spreads VMs across fault & update domains in one datacenter; Availability Zones spread across physically separate datacenters in a region for higher SLA.

App Service

PaaS · Web apps

Managed hosting for web apps and APIs — no OS to manage, built-in scaling, slots, and custom domains.

ACI vs AKS

Containers

Azure Container Instances = single containers, fast/serverless, no orchestration; AKS = managed Kubernetes for orchestrated, scaled microservices.

Availability Set vs Zone: an Availability Set protects against rack-level (fault domain) and maintenance (update domain) failures inside one datacenter; an Availability Zone protects against an entire datacenter failing within the region. Zones give the higher SLA when the region supports them.

05 Virtual networking

| Component | What it does | Key fact |
| --- | --- | --- |
| NSG | Filters inbound/outbound traffic on subnets & NICs | Stateful — allowed return traffic is automatic. |
| VNet peering | Connects two VNets privately | Low latency, non-transitive (A–B and B–C does not give A–C). |
| VPN Gateway vs ExpressRoute | On-prem connectivity | VPN Gateway = encrypted over the public internet; ExpressRoute = private, dedicated circuit, higher bandwidth/SLA. |
| Load Balancer | Regional L4 (TCP/UDP) distribution | Fast, protocol-agnostic; no URL/path awareness. |
| Application Gateway | Regional L7 (HTTP/S) distribution | URL/path routing, SSL offload, optional WAF. |
| Front Door | Global L7 entry point | Global HTTP load balancing, CDN, and WAF at the edge. |
| Traffic Manager | DNS-based global routing | Routes by performance/priority/geographic policy across regions. |

06 Monitoring & maintenance

Azure Monitor

Metrics · Logs

The umbrella platform for metrics, logs, and insights across every Azure resource.

Log Analytics + KQL

Workspace · Kusto

Collect and query log data with Kusto Query Language (KQL); the backend for most Azure Monitor queries.

Alerts & Action Groups

Conditions · Notifications

Alert rules fire on a metric/log condition; Action Groups define who/what responds (email, SMS, webhook, runbook).

Backup vs Site Recovery

Restore · Failover

Azure Backup = point-in-time restore of data; Azure Site Recovery = replicate and fail an entire workload over to another region for DR.

Network Watcher

Diagnostics

Diagnose connectivity with IP flow verify, NSG diagnostics, connection troubleshoot, and packet capture.

07 Must-know numbers & limits

  • RBAC role assignments: up to 4,000 per subscription (raised limit of 5,000 available); roles assign at management group, subscription, resource group, or resource scope.
  • NSG rule priority: 100–4096; a lower number = higher priority and is evaluated first. Rule names must be unique per NSG.
  • VNet peering is non-transitive: if A peers with B and B peers with C, A still cannot reach C without its own peering or a hub/gateway transit.
  • Public IP SKUs: Basic (legacy, no zones, open by default) vs Standard (zone-redundant, secure by default, required by Standard Load Balancer).
  • Storage account names: 3–24 characters, lowercase letters and numbers only, and globally unique across all of Azure.
  • Conditional Access & Identity Protection: require Microsoft Entra ID P1 (Conditional Access) or P2 (risk-based policies, PIM).

08 Common traps

RBAC vs Azure Policy: RBAC decides who can perform an action; Azure Policy decides what is allowed (region, SKU, tags) and can audit or deny. If the question is about permitting people, that is RBAC; if it restricts the resources themselves, that is Policy.
NSG is stateful: if you allow inbound traffic, the return traffic is automatically allowed — you do not add a matching outbound rule. Adding redundant outbound rules is a classic distractor.
VNet peering is non-transitive: spoke-to-spoke traffic does not flow through a hub automatically. You need either direct peering or a gateway/firewall in the hub configured for transit.
Load Balancer (L4) vs Application Gateway (L7): use Load Balancer for raw TCP/UDP performance; use Application Gateway when you need URL/path-based routing, SSL offload, or WAF. Picking L4 for an HTTP path-routing scenario is wrong.
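
The NSG behaviour from the rule-priority note in section 07 and the stateful-NSG trap above, as a simplified model added here (not Azure's implementation and not code from this page): rules are checked in ascending priority, the first match wins, and the reply to an allowed inbound flow passes even when a custom outbound rule denies everything. Rule names and addresses are constructed sample data, the class and method names are hypothetical, and Azure's built-in default rules are left out, so unmatched traffic is simply denied in this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 100-4096; lower number = evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    remote: str      # remote-side CIDR prefix, or "*" for any
    port: int        # destination port, 0 = any

class Nsg:
    def __init__(self, rules):
        if len({r.name for r in rules}) != len(rules):
            raise ValueError("rule names must be unique per NSG")
        for r in rules:
            if not 100 <= r.priority <= 4096:
                raise ValueError(f"{r.name}: priority outside 100-4096")
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.flows = set()  # allowed inbound flows: (remote_ip, local_port)

    def _decide(self, direction, remote_ip, port):
        for r in self.rules:  # ascending priority; first match wins
            if r.direction != direction or r.port not in (0, port):
                continue
            if r.remote == "*" or ip_address(remote_ip) in ip_network(r.remote):
                return r.access == "Allow", r.name
        # Assumption of this model: traffic no custom rule matches is denied.
        return False, "no-match"

    def inbound(self, remote_ip, local_port):
        allowed, name = self._decide("Inbound", remote_ip, local_port)
        if allowed:
            self.flows.add((remote_ip, local_port))  # remember the flow
        return allowed, name

    def outbound(self, remote_ip, remote_port):
        # A new connection initiated from inside: outbound rules apply.
        return self._decide("Outbound", remote_ip, remote_port)

    def reply(self, remote_ip, local_port):
        # Stateful: the reply to an allowed inbound flow needs no outbound rule.
        return (remote_ip, local_port) in self.flows

def sample_nsg():
    # Constructed rules using documentation address ranges.
    return Nsg([
        Rule("allow-https", 200, "Inbound", "Allow", "*", 443),
        Rule("deny-test-net", 100, "Inbound", "Deny", "203.0.113.0/24", 0),
        Rule("deny-all-out", 4096, "Outbound", "Deny", "*", 0),
    ])
```

With `sample_nsg()`, a client in 203.0.113.0/24 is denied on port 443 because the priority-100 deny is evaluated before the priority-200 allow, while any other client's HTTPS request is allowed and its reply passes despite `deny-all-out`.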

09 FAQ

How hard is the AZ-104 exam?

AZ-104 is moderately hard and very hands-on. It assumes real administration experience across identity, storage, compute, networking, and monitoring, and includes case studies and drag-and-drop items where you must know portal, Azure CLI, and PowerShell equivalents. Most candidates who fail do so because they only read theory and never practised in a live subscription.

Do I need AZ-900 before AZ-104?

No. AZ-900 (Azure Fundamentals) is not a prerequisite for AZ-104 and is not required to sit the exam. It is a useful starting point if you are new to the cloud, but experienced administrators can go straight to AZ-104 once they are comfortable with core Azure services.

What is the AZ-104 passing score?

You need 700 out of 1000 to pass. The score is scaled, so it does not map to 70% of questions correct — harder questions carry more weight. Aim for a consistent 80%+ on full-length practice tests before you book.

How long does AZ-104 certification last?

The Azure Administrator Associate certification is valid for one year. You renew it for free through a short online assessment on Microsoft Learn, available in the six months before it expires, with no exam fee.

ExamCert Team: Certified cloud & security pros helping you pass faster.