AZ-104 cheat sheet
A one-page reference for the Microsoft Azure Administrator exam: the format, how the domains are weighted, and the glossary terms for this exam.
Exam at a glance
Vendor
Microsoft
Level
Associate
Questions
60
Time
100 min
Mock pass mark
70%
Domains
5
Practice Qs
150
Code
AZ-104
Domain weightings
How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.
Key terms
- Microsoft Entra ID
- Microsoft Entra ID (formerly Azure Active Directory) is Azure's cloud identity and access management service. AZ-104 covers managing users and groups, licenses, external users, and self-service password reset within Entra ID.
- Azure RBAC
- Azure role-based access control (RBAC) is the authorization system that grants access to Azure resources through role assignments made up of a security principal, a role definition, and a scope. AZ-104 requires managing built-in roles and assigning them at different scopes.
- Azure Policy
- Azure Policy is a governance service that enforces organizational rules on resources, for example allowed regions or required tags, and reports on compliance. It is a core governance tool alongside resource locks and management groups.
- Management Group
- A management group is a container that organizes multiple Azure subscriptions so that governance conditions such as Azure Policy and RBAC apply across them. Management groups sit above subscriptions in the Azure resource hierarchy.
- Resource Lock
- A resource lock is a setting that prevents accidental deletion or modification of Azure resources, available as CanNotDelete or ReadOnly. Locks apply at resource, resource-group, or subscription scope and override user permissions.
- Storage Redundancy
- Storage redundancy is the Azure Storage setting that determines how many copies of your data are kept and where, with options such as LRS, ZRS, GRS, and GZRS. Choosing the right redundancy balances durability, availability, and cost.
- Shared Access Signature
- A shared access signature (SAS) is a signed URL that grants limited, time-bound access to Azure Storage resources without sharing account keys. AZ-104 covers creating SAS tokens and stored access policies to control storage access.
- Azure Blob Storage
- Azure Blob Storage is Azure's object storage service for unstructured data, organized into containers with access tiers (hot, cool, cold, archive). AZ-104 covers containers, tiers, soft delete, lifecycle management, and versioning.
- Bicep
- Bicep is a domain-specific language for deploying Azure resources declaratively, a more concise alternative to Azure Resource Manager (ARM) JSON templates. AZ-104 requires interpreting and modifying Bicep files and ARM templates to automate deployments.
- Virtual Machine Scale Set
- A Virtual Machine Scale Set is an Azure compute resource that lets you deploy and manage a group of identical, load-balanced VMs that can automatically scale in and out. It underpins elastic, highly available compute in AZ-104.
- Network Security Group
- A network security group (NSG) is a set of inbound and outbound security rules that allow or deny traffic to Azure resources by source, destination, port, and protocol. AZ-104 covers NSGs, application security groups, and evaluating effective security rules.
- Virtual Network Peering
- Virtual network peering is a connection that links two Azure virtual networks so resources communicate privately as if on one network. AZ-104 covers configuring peering along with public IPs, user-defined routes, and connectivity troubleshooting.
- Azure Monitor
- Azure Monitor is the platform service that collects and analyzes metrics and logs from Azure resources, supporting log queries, alert rules, action groups, and Insights. AZ-104 covers using it to monitor and maintain resources.