Microsoft Azure Administrator (AZ-104) Exam
Azure Administrator Associate is one of the most sought-after and high-demand credentials in cloud computing. It validates your ability to configure, manage, and secure Azure resources, making it a valuable certification for IT professionals looking to advance their cloud administration skills.
Azure Administrator Responsibilities
Managing Azure identities and governance, compute resources, virtual networks, and Azure Storage, and monitoring and maintaining Azure resources.
Exam Information
Exam Criteria | Details |
---|---|
Prior Certification | Not Required |
Exam Fee | Price based on the country or region |
Exam Format | Multiple Choice, Yes(or)No, Drag & Drop, Case Studies |
Exam Duration | 100 minutes |
Renewal Frequency | 12 months |
Pass Score | 700/1000 |
What you need to cover in AZ-104
You need to focus on 5 areas:
- Identities and Governance (15-20%)
- Storage (15-20%)
- Compute Resources (20-25%)
- Virtual Networking (20-25%)
- Monitoring (10-15%)
Identities and Governance
Key IAM Concepts:
- Authentication - Verifies who you are (e.g., password, MFA, SSO).
- Authorization - Controls what you can do (e.g., role-based access, policy-based access).
- Users & Identities - Digital representations of people or services needing access.
- Roles & Permissions - Define what actions users can perform (e.g., admin vs. viewer).
- Access Policies - Rules that grant/deny access based on conditions (e.g., IP, device, time).
- Federation & SSO - Allows users to authenticate once and access multiple systems.
- Auditing & Logging - Tracks access and activities for security monitoring.
Microsoft Entra Product Family:
Microsoft Entra ID is a platform as a service (PaaS) offering, which means that you don't have to dedicate resources to its deployment or maintenance.
Service Name | Description |
---|---|
Microsoft Entra ID | Cloud-based identity & access management solution (formerly Azure Active Directory). Establishes Zero Trust access controls. Supports multi-tenant (or) multitenancy |
Microsoft Entra ID Governance | Safeguarding identity lifecycle processes |
Microsoft Entra Verified ID | Cloud-based identity service to issue and verify digital identity credentials based on open standards |
Microsoft Entra External ID | Dedicated to managing external identities |
Microsoft Entra Permissions Management | Central platform for managing permissions across hybrid and multi-cloud environments |
Microsoft Entra Workload ID | This service allows applications and services to securely access resources |
Microsoft Entra Internet Access | Cloud-based secure web gateway solution that provides secure access to the internet, SaaS and Microsoft 365 apps |
Microsoft Entra Private Access | Cloud-based solution that provides secure access to private applications (anywhere) based on the principles of Zero Trust |
Microsoft Entra ID Features:
Features | Scope |
---|---|
Tenants | Separated environment of data, apps, users, resources and identity services. There are two types of Tenants: Workforce Tenant and Customer Tenant. A Workforce Tenant is used internally and at least a P1 subscription is required. A Customer Tenant, aka Azure AD B2C, is used for customer-facing apps, resources, and as a directory of customer accounts. |
User Management | A User Account is used for authentication and authorization. Each user account has additional properties. There are two types of Users: User (internal) & External User. |
Group Management | A group consists of users with assigned permissions. There are two types of groups: Microsoft 365 and Security. A Microsoft 365 Group is used for collaboration (access to a shared mailbox, calendar, and files). Members can only be users. A Security Group is used to grant access to resources and applications in Azure. Group members can include users, devices, or application IDs. Assigning a member to a group can be done manually or dynamically based on some properties of the user. |
Device Management | Managing devices that can access the organization's network and resources. Enforce device security policies and cover Bring Your Own Device (BYOD) policies |
Application Management | Granting access to applications, application settings, application compliance policies |
Single Sign-On | External identities, Cloud Applications (e.g SAP, Office 365) |
Self-Service Password Reset (SSPR) | Determine who can SSPR, define required authentication methods (e.g email,phone,questions) |
Conditional Access | Access right under condition (e.g location,device compliance) |
Entra ID uses advanced AI to detect identity-based threats.
Microsoft Entra ID Licenses
Microsoft Entra ID is a licensed product. The available features differ by license level. You can check the latest version on the official Microsoft page.
Feature | Free | P1 | P2 | Suite |
---|---|---|---|---|
User and Group Management | ✅ | ✅ | ✅ | |
On-premises directory synchronization | ✅ | ✅ | ✅ | |
Basic Report | ✅ | ✅ | ✅ | |
SSO & MFA | ✅ | ✅ | ✅ | |
Advanced Group Management | ✅ | ✅ | ||
Automated user & group provisioning | ✅ | ✅ | ✅ | |
Conditional Access | ✅ | ✅ | ||
Risk-based Conditional Access | ✅ | ✅ | ||
Privileged Identity Management | ✅ | ✅ |
Role-based access control: Using built-in roles in Microsoft Entra ID is free. Using custom roles requires a Microsoft Entra ID P1 or P2 license for every user with a custom role assignment.
Microsoft Entra Devices:
There are three different types of devices: Registered devices, Joined devices and Hybrid Joined.
Active Directory & Entra ID:
Feature | Active Directory (AD) | Microsoft Entra ID |
---|---|---|
Deployment Model | On-premises | Cloud |
Focus | For on-premises env | Cloud and hybrid env |
Authentication | Kerberos protocol | Various protocols (SAML, OpenID Connect) |
Access Control | Group Policy, Access Control Lists (ACLs) | Conditional Access, Azure RBAC |
Directory Objects | Users, Groups | Users, Groups, Applications, Devices |
Azure resource locks: prevent users in an organization from accidentally deleting or modifying critical resources. Locks can be applied at the resource level, resource group level or subscription level. There are two types of locks: CanNotDelete & ReadOnly.
CanNotDelete: If this lock is applied to a resource, the user can still read or modify the resource but cannot delete it. ReadOnly: If this lock is applied, a user can only read the resource, without making any modifications or deletions.
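The lock levels above interact when set at different scopes. The following added example (not part of the original notes) resolves the effective lock for a resource from data shaped like `az lock list` output. It goes slightly beyond the text by applying Azure's rule that locks are inherited from parent scopes and the most restrictive one wins; the subscription id, resource names and lock names are constructed.

```python
# Added example: resolve the effective Azure resource lock for a resource id.
LOCK_MARKER = "/providers/microsoft.authorization/locks/"
RANK = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}  # higher = more restrictive
ALLOWED = {
    None: {"read", "modify", "delete"},
    "CanNotDelete": {"read", "modify"},   # delete blocked
    "ReadOnly": {"read"},                 # modify and delete blocked
}

# Constructed sample shaped like `az lock list` output (all ids/names made up).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_LOCKS = [
    {"name": "no-delete-prod", "level": "CanNotDelete",
     "id": SUB + "/resourceGroups/rg-prod"
           "/providers/Microsoft.Authorization/locks/no-delete-prod"},
    {"name": "freeze-audit", "level": "ReadOnly",
     "id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage"
           "/storageAccounts/auditlogs"
           "/providers/Microsoft.Authorization/locks/freeze-audit"},
]

def lock_scope(lock):
    """Scope the lock is attached to, lower-cased (resource ids are case-insensitive)."""
    lock_id = lock["id"].lower()
    return lock_id[: lock_id.rindex(LOCK_MARKER)]

def effective_lock(resource_id, locks):
    """Most restrictive lock set on the resource itself or on any parent scope."""
    rid = resource_id.lower().rstrip("/")
    level = None
    for lock in locks:
        scope = lock_scope(lock)
        # Match the exact scope or a true child; "rg-prod2" must not match "rg-prod".
        if rid == scope or rid.startswith(scope + "/"):
            if RANK[lock["level"]] > RANK[level]:
                level = lock["level"]
    return level

def is_allowed(resource_id, operation, locks):
    """True if 'read', 'modify' or 'delete' is permitted under the effective lock."""
    return operation in ALLOWED[effective_lock(resource_id, locks)]
```

Running this over the real lock list of a subscription is a quick way to audit which critical resources have no lock at any scope.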
Azure Service Health: notifies you of service outages and planned maintenance, and lets you set up alerts
Azure Advisor: Analyzes resource usage and recommends best practices
Storage
There are two types of Storage accounts: Standard, a.k.a. General-purpose v2 Account, & Premium, and 5 storage options. Storage account name must be unique.
Data Storage | Usage |
---|---|
Blob Storage | Binary Large Objects (Blobs): stores large amounts of unstructured data. |
File Storage | Supports the SMB protocol. Mounted as a drive on Windows, Linux and macOS. |
Queues Storage | Stores large numbers of messages that can be accessed from anywhere via authenticated calls. Messaging between components. |
Azure Tables | NoSQL data store for semi-structured data. |
Storage Redundancy: When it comes to redundancy, you need to focus on the following things
Key | Explain |
---|---|
Replicate | Copying Data stored in more than one location |
Fault Tolerance | Ability to continue operating without interruption when one or more components fail |
Data Durability | Long-term safety of data, or immunity to data loss |
Azure provides the following redundancy options
Redundancy name | Explain | Usage |
---|---|---|
Local Redundant Storage(LRS) | Keeps 3 copies of your data in a single data center | cost-effective, non-critical data storage |
Zone Redundant Storage(ZRS) | Store your data across 3 Azure Availability zones in same region | Protect Zone-Level Failure |
Geo Redundant Storage(GRS) | Replicate data to another Azure region | Protect Region-level Failure |
Geo+Zone Redundant Storage(GZRS) | Combine GRS and ZRS | Maximal protection and availability |
RA-GRS & RA-GZRS | Read-only access to the replicated data | When highly available reads are needed |
Storage Account Encryption: Azure provides encryption for your storage account. The encryption key can be managed by yourself, a.k.a. Customer-managed keys, or managed by Azure, a.k.a. Microsoft-managed keys.
Storage Policy and Data Life Cycle Management:
Access Tiers
- HOT
- COOL
- COLD
- ARCHIVE
You can create policies to automate the transition of data between tiers in the most cost-effective manner or for compliance.
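To make the tier-transition policies concrete, here is an added example (not part of the original notes) that evaluates a constructed lifecycle management policy against a blob's age and reports which action would apply. The rule name, prefix and day thresholds are made up; when several actions match, the cheapest one is chosen, and the position of tierToCold in that ordering is an assumption based on tier cost.

```python
# Added example: decide which lifecycle action applies to a blob of a given age.
# Cheapest-first precedence when several actions match. Placing tierToCold
# between tierToArchive and tierToCool is an assumption from tier cost ordering.
PRECEDENCE = ["delete", "tierToArchive", "tierToCold", "tierToCool"]

# Constructed policy in the storage lifecycle management JSON layout.
POLICY = {"rules": [{
    "enabled": True, "name": "age-out-logs", "type": "Lifecycle",
    "definition": {
        # prefixMatch starts with the container name ("logs" here).
        "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["logs/app"]},
        "actions": {"baseBlob": {
            "tierToCool": {"daysAfterModificationGreaterThan": 30},
            "tierToCold": {"daysAfterModificationGreaterThan": 90},
            "tierToArchive": {"daysAfterModificationGreaterThan": 180},
            "delete": {"daysAfterModificationGreaterThan": 2555},
        }},
    },
}]}

def matching_actions(policy, blob_path, blob_type, age_days):
    """All baseBlob actions whose filters and age condition match the blob."""
    hits = set()
    for rule in policy["rules"]:
        if not rule.get("enabled", True):
            continue
        filters = rule["definition"].get("filters", {})
        types = filters.get("blobTypes")
        if types and blob_type not in types:
            continue
        prefixes = filters.get("prefixMatch")
        if prefixes and not any(blob_path.startswith(p) for p in prefixes):
            continue
        actions = rule["definition"]["actions"].get("baseBlob", {})
        for action, cond in actions.items():
            # The condition is strictly "greater than" the configured days.
            if age_days > cond["daysAfterModificationGreaterThan"]:
                hits.add(action)
    return hits

def planned_action(policy, blob_path, blob_type, age_days):
    """The single action that would run, or None if the blob stays as it is."""
    hits = matching_actions(policy, blob_path, blob_type, age_days)
    return next((a for a in PRECEDENCE if a in hits), None)
```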
Compute Resources
Virtual Networking
Monitoring
Azure Migration Services (AMS)
Azure provides solutions and tools for migrating from on-premises or other clouds to Azure.
Service name | Usage |
---|---|
Azure Migrate | Migrate on-premises servers, databases, web applications |
Azure Database Migration Service | Migrate database to Azure. Check supported Database |
Data Box | Solution for large datasets due to size or bandwidth limitations. Check Data Box |