AZ-104 Cheatsheet — High-Yield Defaults, Tables, and Quick Commands
Fast reference for Microsoft Azure Administrator (AZ-104): RBAC scopes, Policy vs Locks, storage redundancy & tiers, private access patterns, load-balancing choices, VM/VMSS tips, monitoring/KQL snippets, backup/restore gotchas.
On this page
Use this as your last-mile cram sheet. Pair it with the Study Plan if you are still building coverage, the Resources page for official references, and IT Mastery to validate speed and accuracy.
Domain weights from the current study guide
| Domain | Current weight |
|---|---|
| Manage Azure identities and governance | 20–25% |
| Implement and manage storage | 15–20% |
| Deploy and manage Azure compute resources | 20–25% |
| Implement and manage virtual networking | 15–20% |
| Monitor and maintain Azure resources | 10–15% |
Use those ranges to decide where review time should go when two topics feel equally weak.
Identity, RBAC, Policy, Locks — who does what?
Scope order: Management Group → Subscription → Resource Group → Resource Inheritance: Most assignments flow down unless explicitly denied/overridden.
| Feature | What it controls | Where you assign | Typical use | Notes |
|---|---|---|---|---|
| RBAC | Who can do which actions | Any scope | Grant least-privilege access | Use built-in roles first; custom JSON as last resort |
| Policy | Compliance/config drift | Any scope | Enforce allowed regions/SKUs/tags | Effects: Deny, Audit, Append, Modify, DeployIfNotExists |
| Locks | Delete vs change protection | RG/Resource | Guardrails for prod assets | Types: CanNotDelete, ReadOnly; can break automation if overused |
| Tags | Metadata for cost/ops | Resource & RG | Owner/Env/CostCenter | Inherit via Policy (Append/Modify) |
Quick checks:
- Effective access: Resource → Access control (IAM) → Check access
- What-If / Policy compliance: Policy → Compliance; Resource → Policies tab
Storage — redundancy, tiers, networking
Redundancy (pick for SLA/region/zone needs)
| Redundancy | Scope | Zone-aware | Cross-region | Notes |
|---|---|---|---|---|
| LRS | Single datacenter | ✖ | ✖ | Cheapest; no zone resilience |
| ZRS | Multiple zones in region | ✔ | ✖ | Zone outage tolerance |
| GRS | Region pair (async) | ✖ | ✔ | Secondary read blocked (unless RA) |
| GZRS | Zones + region pair | ✔ | ✔ | Highest durability in GA regions |
| RA-GRS / RA-GZRS | Adds read access to secondary | — | ✔ | App can read from secondary endpoint |
Access tiers (Blob)
| Tier | Optimized for | Billing | Typical use |
|---|---|---|---|
| Hot | Frequent access | Higher storage, lower access | Active data |
| Cool | Infrequent (≥30 days) | Lower storage, higher access | Logs, backups |
| Archive | Rare (≥180 days) | Lowest storage, highest access; rehydrate | Compliance retention |
Private access decision
- Need private IP & no public exposure? → Private Endpoint + Private DNS zone records
- Same VNet, keep public endpoint but restrict over Microsoft backbone? → Service Endpoints
- Remember DNS: Private Endpoint → create
Arecords in Private DNS Zone; link to VNet (consider split-horizon)
CLI snippets
1# Private Endpoint + Private DNS zone for a storage account
2az network private-dns zone create -g RG -n privatelink.blob.core.windows.net
3az network private-endpoint create -g RG -n pe-stg --vnet-name VNET --subnet SUBNET \
4 --private-connection-resource-id "/subscriptions/<sub>/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/<name>" \
5 --group-id blob --connection-name pe-stg-conn
6# Link zone and add auto-registration if needed (for PaaS zones, usually manual records)
7az network private-dns link vnet create -g RG -n link-stg --virtual-network VNET \
8 --zone-name privatelink.blob.core.windows.net --registration-enabled false
Networking — quick choices
NSG vs ASG
- NSG = stateless rules at subnet/NIC.
- ASG = dynamic group of NICs used as source/destination in NSG rules → fewer rule edits.
Routes & management
- UDR for custom next hops (NVA inspection, forced tunneling).
- Bastion for VM console over HTTPS (no public IP on VM).
Load-balancing chooser
| Need | Pick | Why |
|---|---|---|
| L4/TCP-UDP inside a VNet | Load Balancer | SNAT, HA, health probes |
| L7/WAF, path-based, TLS offload | Application Gateway | App-aware, WAF, rewrite |
| Global anycast + CDN + WAF | Front Door | Global edge, caching, smart routing |
Fast DNS rule
- Service works publicly but not privately? Check Private DNS and VNet links first.
- Wrong IP returned? Treat it as a name-resolution problem before you treat it as an NSG problem.
Compute — VM/VMSS essentials
Availability & resilience
- Single VM: Availability Set (fault/update domains) or best: Zones (Z=1/2/3).
- Scale out: VMSS with Zones + autoscale rules.
Images & extensions
1# Create image from a generalized VM and publish to a gallery
2az image create -g RG -n baseImage --source VMNAME
3az sig create -g RG -r MyGallery
4az sig image-definition create -g RG -r MyGallery -i webImage --os-type linux
5az sig image-version create -g RG -r MyGallery -i webImage -e 1.0.0 --target-regions "eastus=2" "westus2=1" --managed-image "/subscriptions/<sub>/resourceGroups/RG/providers/Microsoft.Compute/images/baseImage"
6
7# Run Command (quick script)
8az vm run-command invoke -g RG -n VMNAME --command-id RunShellScript --scripts "sudo apt-get update -y"
Scale set autoscale
1az monitor autoscale create -g RG --resource "/subscriptions/<sub>/resourceGroups/RG/providers/Microsoft.Compute/virtualMachineScaleSets/vmss1" \
2 --min-count 2 --max-count 10 --count 2
3az monitor autoscale rule create -g RG --autoscale-name vmss1 \
4 --condition "Percentage CPU > 70 avg 5m" --scale out 2
5az monitor autoscale rule create -g RG --autoscale-name vmss1 \
6 --condition "Percentage CPU < 30 avg 10m" --scale in 1
Monitoring — alerts, logs, KQL
Metrics vs logs vs Activity Log
| Signal | Best first use |
|---|---|
| Metrics | Fast numeric thresholds such as CPU, latency, and request counts |
| Logs / Log Analytics | Richer investigation and correlation across time |
| Activity Log | Control-plane history such as create, delete, and policy actions |
Metric alert → Action Group
1az monitor action-group create -g RG -n ops-ag --action email Ops ops@example.com
2az monitor metrics alert create -g RG -n cpu-high --scopes "/subscriptions/<sub>/resourceGroups/RG/providers/Microsoft.Compute/virtualMachines/VMNAME" \
3 --condition "avg Percentage CPU > 80" --window-size 5m --evaluation-frequency 1m \
4 --action-group ops-ag
KQL quickies
// VM CPU > 80% in last 24h
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time" and TimeGenerated > ago(24h)
| summarize AvgCPU=avg(CounterValue) by Computer
| where AvgCPU > 80
| order by AvgCPU desc
// NSG denied flows (NSG flow logs sent to LA via NSG Flow Logs v2)
AzureDiagnostics
| where Category == "NetworkSecurityGroupFlowEvent"
| where msg_s contains "Deny"
| summarize count() by bin(TimeGenerated, 1h), srcIp_s, dstIp_s, l4Protocol_s
| order by TimeGenerated desc
// Storage 403s by account
AzureDiagnostics
| where Category == "StorageBlobLogs" or Category == "StorageRead"
| where httpStatusCode_s == "403"
| summarize Count403=count() by StorageAccount=Resource, bin(TimeGenerated, 1h)
| order by TimeGenerated desc
Backup & restore — must-knows
- Protect VMs with policy (schedule, retention). Test a restore (replace vs new).
- Azure Files needs its own backup policy (snapshot vs vault-based options where available).
- Cross-zone awareness: ensure backup vault region/zone coverage meets your RTO/RPO.
- Soft delete (storage, Key Vault) prevents accidental data loss—enable it.
CLI
1# Enable VM backup
2az backup vault create -g RG -n Vault01 -l eastus
3az backup protection enable-for-vm -g RG -v Vault01 --vm VMNAME --policy-name DefaultPolicy
4
5# Restore to a new VM
6az backup restore restore-disks --vault-name Vault01 -g RG --container-name VM;Compute;VMNAME \
7 --item-name VMNAME --rp-name "RecoveryPoint_2025-09-10T01-00-00Z" --storage-account SADEST
Common gotchas (fast fixes)
- 403 to storage from private networks → Missing Private DNS
Arecord; checkprivatelink.*zone link to VNet. - RBAC looks right but still denied → Policy or lock blocking; check Resource → Locks and Policy Compliance.
- Health probe failing on LB → Probe path/port mismatch or NSG blocking probe IPs.
- VMSS rollout stuck → App health probe failing → consider automatic vs rolling upgrade policy, check extension exit codes.
- Costs spiking → Public egress, premium SKUs, orphaned disks/snapshots; use Cost Management filters + tags.
Port & endpoint mini-table
| Service | Default Ports | Notes |
|---|---|---|
| RDP (Windows) | 3389/TCP | Prefer Bastion or JIT access |
| SSH (Linux) | 22/TCP | Prefer Bastion or JIT access |
| HTTP/HTTPS | 80/443 | Offload TLS at App Gateway/Front Door when possible |
| DNS (Private DNS) | 53/UDP/TCP | Forwarders for hybrid name resolution |
| Probe (LB/AppGW) | Custom | Ensure NSG allows health probe source ranges |
Exam patterns (pick the safest, most operable option)
- Least privilege RBAC at lowest workable scope.
- Prefer Zones over single-AZ when SKU/region supports it.
- Private Endpoint for PaaS data plane; fix DNS first when things fail.
- Metric alert for quick symptoms; pivot to KQL for root cause.
- Favor solutions that are repeatable (policy/ARM/Bicep/Terraform) over one-off clicks.
Quiz
Loading quiz…
Keep going
- Build your sequence: Study Plan →
- Work the main domains: Identities & Governance →
- Full objectives: Resources →
- Validate under time: IT Mastery →