Configure Storage Account Design, Redundancy, and Encryption for AZ-104

Choose storage account settings, replication options, encryption behavior, and supporting tools for AZ-104 storage design questions.

AZ-104 treats storage-account design as an administrative decision with direct resilience and cost consequences. If you choose the wrong redundancy or account configuration, every later access or recovery decision gets harder.

What the study guide points to

Microsoft explicitly calls out creating and configuring storage accounts, configuring redundancy, configuring object replication, configuring storage-account encryption, and managing data with Azure Storage Explorer and AzCopy. That means you need both design awareness and basic operational tooling awareness.

The design questions behind the objective list

The first question is usually resilience: LRS, ZRS, GRS, GZRS, and read-access variants are not interchangeable. The second is performance and workload fit: standard versus premium, blob versus file needs, and whether the region and application pattern support the option you want. Encryption is another common exam angle. Understand when Microsoft-managed encryption is enough and when customer-managed control becomes part of the design conversation.

Common traps

Replication is not backup. Object replication is not the same thing as a restore strategy. Another common miss is choosing a higher-end redundancy option because it sounds safer even when the scenario does not justify the cost or cross-region behavior.

Lab moves worth practicing

  • create storage accounts with different replication choices and compare their properties
  • inspect encryption settings and understand what is enabled by default
  • move data with Storage Explorer or AzCopy so the tools are not unfamiliar on exam day

Redundancy chooser

| Requirement | Strongest first fit | Why |
| --- | --- | --- |
| Lowest cost and one-datacenter durability only | LRS | Keeps data in one datacenter |
| Survive a zone failure inside one region | ZRS | Spreads copies across zones |
| Keep an asynchronous paired-region copy | GRS | Adds cross-region replication |
| Need both zone resilience and paired-region replication | GZRS | Combines zone and region protection |
| Need to read from the secondary copy | RA-GRS or RA-GZRS | Adds read access to the secondary endpoint |

Azure CLI example: create a hardened storage account

This example shows the kind of design move AZ-104 expects you to interpret quickly.

az storage account create \
  --name stgexamdemo01 \
  --resource-group app-rg \
  --location eastus \
  --sku Standard_ZRS \
  --kind StorageV2 \
  --https-only true \
  --min-tls-version TLS1_2 \
  --allow-blob-public-access false

What to notice:

  • Standard_ZRS signals a zone-resilient design decision
  • StorageV2 is the general-purpose modern account type most scenarios expect
  • https-only, minimum TLS, and disabled public blob access show that account design includes security defaults, not just replication choice
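
To check that an existing account actually carries these settings, the following added example (not part of the original page) audits the JSON printed by `az storage account show`. The property names are those of that command's output; the two sample accounts are constructed, and the function names are hypothetical.

```python
import json

# Settings from the create command above, keyed by the property names
# that `az storage account show` prints.
EXPECTED = {
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
}
ZONE_REDUNDANT_SKUS = {"Standard_ZRS", "Standard_GZRS", "Standard_RAGZRS", "Premium_ZRS"}


def audit_account(account):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, want in EXPECTED.items():
        got = account.get(key)  # a missing or null property is reported, not assumed safe
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    sku = (account.get("sku") or {}).get("name")
    if sku not in ZONE_REDUNDANT_SKUS:
        findings.append(f"sku.name: {sku!r} is not zone-redundant")
    if account.get("kind") != "StorageV2":
        findings.append(f"kind: expected 'StorageV2', found {account.get('kind')!r}")
    return findings


def key_management(account):
    """Classify who controls the encryption key, from encryption.keySource."""
    source = (account.get("encryption") or {}).get("keySource")
    labels = {"Microsoft.Storage": "microsoft-managed",
              "Microsoft.Keyvault": "customer-managed"}
    return labels.get(source, "unknown")


# Constructed samples, trimmed to the properties the audit reads.
HARDENED = json.loads("""{"name": "stgexamdemo01", "kind": "StorageV2",
  "sku": {"name": "Standard_ZRS"}, "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false,
  "encryption": {"keySource": "Microsoft.Storage"}}""")
WEAK = json.loads("""{"name": "constructedweak01", "kind": "StorageV2",
  "sku": {"name": "Standard_LRS"}, "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0", "allowBlobPublicAccess": null,
  "encryption": {"keySource": "Microsoft.Storage"}}""")

if __name__ == "__main__":
    for acct in (HARDENED, WEAK):
        print(acct["name"], key_management(acct), audit_account(acct) or "OK")
```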

Object replication is not the same as account redundancy

AZ-104 includes both storage-account redundancy and object replication, and they solve different problems.

| Feature | What it does | What it does not do |
| --- | --- | --- |
| Account redundancy | Protects account-level durability and availability posture | It does not selectively replicate only the objects you care about |
| Object replication | Replicates selected blob data between accounts and containers | It does not replace backup or every form of disaster recovery |

If the question is about copying selected object data across storage accounts for application behavior, think object replication. If the question is about the account’s built-in durability model, think LRS, ZRS, GRS, or GZRS choices.

Next, move to Storage Access, Private Connectivity, and Data Protection so the account-design decisions connect to real access patterns.