AZ-104 Azure Administrator Cheat Sheet – 2026 Exam Notes

Source: Dev.to

The Microsoft Azure Administrator (AZ‑104) is the gold standard for cloud admins. It’s not just about clicking buttons in the portal; it’s about understanding governance, networking logic, and troubleshooting.

If you are preparing for this exam, this deep‑dive cheat sheet covers the critical concepts, specific SKU limits, and configuration “gotchas” you need to know.

🆔 1. Identity & Governance (Azure AD / Entra ID)

The security perimeter is no longer the firewall; it’s Identity.

Users & Groups

• Dynamic Groups – Rules are evaluated to add/remove members automatically.
  • Requires: Azure AD Premium P1 license.
  • Syntax: (user.department -eq "IT") -and (user.accountEnabled -eq true)
• Administrative Units – Restrict scope of administrative permissions (e.g., allow “Helpdesk User” to reset passwords only for users in the “Marketing” AU).
• External Identities (B2B) – Guest users invited from other tenants. They do not need a license in your tenant if your MAU (Monthly Active Users) count is low (first 50 k free).

Role‑Based Access Control (RBAC)

• Key Azure Roles: Owner (full access + manage), Contributor (manage only), Reader (view only), User Access Administrator (manage access only).
• Key Azure AD Roles: Global Administrator, User Administrator.

Policy & Compliance

• Azure Policy – Enforces rules on resources (e.g., “Allowed Locations = East US” or “Require Tag CostCenter”).
  • Effects: Deny, Audit, Append, DeployIfNotExist.
• Resource Locks
  • CanNotDelete – Resources can be read/modified but not deleted.
  • ReadOnly – Resources can only be read (prevents actions like starting/stopping a VM).

💾 2. Storage Accounts

Storage is the backbone. Know the redundancy and access tiers.

Redundancy Options (The “Durability” Question)

Access Tiers

• Hot – Frequent access. High storage cost, low access cost.
• Cool – Infrequent access (> 30 days). Lower storage cost, higher access cost.
• Archive – Rare access (> 180 days). Lowest storage cost, highest rehydration cost (hours to retrieve).

File Shares

• Azure Files – SMB protocol (Windows/Linux).
• Azure File Sync – Sync on‑prem Windows Server shares to Azure; cloud tiering keeps hot files on‑prem and moves cold files to the cloud.

💻 3. Azure Compute (VMs & App Service)

How to run workloads and keep them available.

Virtual Machines

• Availability Sets – Protect against hardware failure within one datacenter.
  • Update Domain (UD) – Reboot groups (patching).
  • Fault Domain (FD) – Rack/Power groups (hardware failure).
  • SLA: 99.95 %.
• Availability Zones – Protect against datacenter failure.
  • SLA: 99.99 %.
• Scale Sets (VMSS) – Auto‑scale based on metrics (e.g., CPU > 75 %).
  • Orchestration Mode: Uniform (identical VMs) vs. Flexible (mix of VM types).

App Service (PaaS)

• App Service Plan – Defines region, OS, and SKU (resources).
• Scaling
  • Scale Up – Change SKU (e.g., B1 → S1) for more RAM/CPU.
  • Scale Out – Increase instance count (e.g., 1 → 3 instances).
• Deployment Slots (Standard tier +). Swap “Staging” to “Production” instantly; if it fails, swap back.

Containers

• ACI (Azure Container Instances) – “Serverless containers.” Ideal for burst jobs or simple apps; no orchestration.
• AKS (Azure Kubernetes Service) – Full orchestration; you manage the worker nodes (node pools).

🌐 4. Networking

The hardest part of the exam. Master VNETs and DNS.

VNET Peering

• Connects two VNETs; traffic stays on the Microsoft backbone (private).
• Global Peering – Connects VNETs in different regions.
• Gateway Transit – Allows VNET A to use VNET B’s VPN gateway.
  • VNET A must Use Remote Gateway; VNET B must Allow Gateway Transit.

Load Balancing

DNS

• Public DNS – Azure hosts your domain (e.g., contoso.com).
• Private DNS – Resolves hostnames within a VNET.
  • Auto‑registration – Automatically creates A‑records for VMs in a linked VNET.

🛡️ 5. Monitoring & Backup

Keeping the lights on and recovering when they go off.

Azure Monitor

• Metrics – Numerical data (CPU %, Disk IO). Real‑time.
• Logs – Structured data (event logs, query logs). Stored in a Log Analytics workspace (KQL).
• Alerts – Action groups trigger notifications (email, SMS, webhook, ITSM ticket).

Network Watcher

• IP Flow Verify – “Can VM A talk to VM B?” (checks NSG rules).
• Next Hop – “Where is my traffic going?” (checks UDR/routes).
• Connection Monitor – Continuous monitoring of connectivity between endpoints.

# Recovery Services Vault

## Backup
- **Files, Folders, System State, Azure VMs**

## Soft Delete
- Retains deleted backup data for **14 days** (protection against ransomware/accidental delete).

## Site Recovery (ASR)
- Disaster‑recovery (DR) solution that replicates VMs to a secondary region.

## RTO (Recovery Time Objective)
- How long it takes to restore?

## RPO (Recovery Point Objective)
- How much data can be lost?

📝 Exam “Gotchas”

• Tags don’t inherit – Tagging a Resource Group does not automatically apply the tag to the resources inside. Use Azure Policy to enforce inheritance.
• Resource moves – You can move resources between subscriptions/resource groups, but the source and destination must be in the same Azure AD tenant.
• NSG priority – Lower number = higher priority. A rule with priority 100 overrides a rule with priority 200.
• Import/Export job – You must ship the physical hard drive to an Azure datacenter; you cannot efficiently “download” 50 TB over the internet.
• PIM (Privileged Identity Management) – Requires Azure AD Premium P2.

Good luck with your AZ‑104!