
Azure AZ-104 Cheat Sheet: Admin Traps

Azure AZ-104 cheat sheet for Azure admin traps, services, monitoring, and final review.

Use this as your last-mile cram sheet. AZ-104 rewards administrators who can pick the right Azure scope, the right control-plane tool, the right private-access pattern, and the fastest operational signal without overbuilding the fix.

RBAC: Role-based access control for Azure resource actions at management-group, subscription, resource-group, or resource scope.

SAS: Shared Access Signature, which delegates time-limited access to storage data.

Private Endpoint: Private IP path from a VNet to a PaaS service.

Fast lane picker

| If the question is really about… | Focus first on… | Strongest first move |
|---|---|---|
| permissions or admin scope | RBAC, inheritance, least privilege | choose the lowest workable scope |
| compliance or configuration control | Policy, tags, locks | decide whether the clue is about allowed state or accidental change |
| storage behavior | redundancy, access tier, SAS, private access, recovery | separate durability from access path |
| compute operations | VM, VMSS, image, extension, App Service, ACR | decide whether the clue is about instance ops or deployment pattern |
| networking | VNet, NSG, ASG, UDR, Bastion, private DNS, load balancing | classify the boundary that owns the traffic |
| monitoring and recovery | metrics, logs, Activity Log, alerts, backup | choose the fastest useful evidence path first |

AZ-104 operator order

    flowchart TD
      A["Read the operational symptom or requirement"] --> B["Name the Azure boundary or resource family"]
      B --> C["Pick the right control-plane tool or service"]
      C --> D["Prefer the lowest-risk, repeatable fix"]
      D --> E["Verify through telemetry or control-plane evidence"]

AZ-104 answer sequence

Use this when the stem is about admin scope, control-plane choice, networking, storage, or recovery.

    flowchart TD
      S["Scenario"] --> B["Name the Azure boundary"]
      B --> T["Pick the right admin tool or service"]
      T --> R["Choose the lowest-risk repeatable fix"]
      R --> V["Verify with control-plane evidence or telemetry"]

What to notice:

  • AZ-104 is mostly about operational fit, not about the fanciest service
  • the right answer usually uses the simplest Azure-native control that fits the stated scope
  • private DNS, RBAC scope, and monitoring signal choice cause a lot of avoidable misses

Identity, RBAC, Policy, and locks

| Control | What it answers | Best use | Common trap |
|---|---|---|---|
| RBAC | who can do what | least-privilege access at the right scope | granting broad subscription roles when RG scope is enough |
| Policy | what configurations are allowed or required | enforce tags, regions, SKUs, guardrails | treating Policy as access control |
| lock | whether deletion or modification is blocked | protect critical prod resources | breaking automation with unnecessary locks |
| tag | operational or cost metadata | ownership, env, cost center | assuming tags enforce anything by themselves |

| Pair | Keep this distinction clear |
|---|---|
| RBAC vs Policy | permissions vs allowed configuration |
| Policy vs lock | compliance rule vs delete/change guardrail |
| management group vs subscription vs resource group | governance at scale vs billing boundary vs lifecycle boundary |
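The "lowest workable scope" rule above, worked as an added example (not code from the original sheet): ARM resource IDs embed their own scope chain, so the narrowest common prefix across the resources an operator needs is the scope to assign the role at. The resource IDs and the subscription-to-management-group map are constructed sample values.

```python
"""Added example (not from the original page): compute the lowest RBAC
scope that still covers every resource an operator needs, walking the
resource -> resource group -> subscription -> management group chain.
Resource IDs and the subscription-to-management-group map are constructed."""
from typing import List, Sequence

# Constructed: which management group each subscription sits under.
SUBSCRIPTION_TO_MG = {
    "11111111-1111-1111-1111-111111111111": "/providers/Microsoft.Management/managementGroups/mg-prod",
    "22222222-2222-2222-2222-222222222222": "/providers/Microsoft.Management/managementGroups/mg-prod",
}

def scope_chain(resource_id: str) -> List[str]:
    """Scopes that contain resource_id, narrowest first.

    ARM resource IDs look like
    /subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name},
    so every scope above the resource is a prefix of its own ID.
    """
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError(f"not a subscription-scoped resource ID: {resource_id}")
    sub_scope = f"/subscriptions/{parts[1]}"
    chain = []
    if len(parts) > 4:                      # a resource below the resource group
        chain.append("/" + "/".join(parts))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append(f"{sub_scope}/resourceGroups/{parts[3]}")
    chain.append(sub_scope)
    mg = SUBSCRIPTION_TO_MG.get(parts[1])
    if mg:                                  # unknown subscription: chain stops at subscription
        chain.append(mg)
    return chain

def lowest_workable_scope(resource_ids: Sequence[str]) -> str:
    """Narrowest scope whose subtree contains every resource.

    Scope comparison is case-insensitive, as ARM treats resource IDs.
    """
    if not resource_ids:
        raise ValueError("no resources given")
    first = scope_chain(resource_ids[0])
    others = [{s.lower() for s in scope_chain(r)} for r in resource_ids[1:]]
    for candidate in first:                 # narrowest first, so the first hit wins
        if all(candidate.lower() in chain for chain in others):
            return candidate
    raise ValueError("no common scope: make separate assignments per subscription")
```

If the result comes back as a subscription or management group, that is the signal to ask whether one assignment is really needed or whether two narrower ones would do.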

Storage chooser

| Requirement | Strongest first fit | Why |
|---|---|---|
| cheapest local durability | LRS | single-datacenter scope |
| in-region zone resilience | ZRS | protects against zone failure |
| cross-region resilience | GRS or GZRS | asynchronous copy to paired region |
| readable secondary endpoint | RA-GRS or RA-GZRS | secondary read access |
| frequent blob access | Hot tier | lower access cost |
| infrequent blob access | Cool tier | lower storage cost |
| rare long-term retention | Archive | cheapest storage, slower retrieval |

| Access need | Strongest first fit |
|---|---|
| temporary delegated storage access | SAS |
| private IP access to PaaS data plane | Private Endpoint plus Private DNS |
| public endpoint limited to VNet path | service endpoint |
| recover deleted secrets or blobs | soft delete and retention-aware recovery path |

Networking chooser

| Requirement | Strongest first fit | Why |
|---|---|---|
| subnet or NIC traffic filtering | NSG | core allow/deny rules |
| dynamic grouping of NICs in rules | ASG | easier NSG rule maintenance |
| custom route next hop | UDR | steer through NVA or custom path |
| secure admin access without VM public IP | Bastion | browser-based management path |
| L4 private or regional balancing | Load Balancer | TCP/UDP balancing |
| L7 routing with WAF and TLS offload | Application Gateway | app-aware ingress |
| global edge routing and WAF/CDN behavior | Front Door | global entry and edge acceleration |

| Private access clue | First thing to verify |
|---|---|
| service broke right after Private Endpoint cutover | Private DNS zone records and VNet links |
| public path works, private path does not | name resolution before NSG blame |
| health probe failing | probe path/port and NSG rules |
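The "name resolution before NSG blame" order above, as an added example (not code from the original sheet): a client in the VNet should resolve the service name through the privatelink CNAME to the endpoint NIC's private IP; a public IP after the privatelink CNAME means the private DNS zone is missing, empty, or not linked to that VNet. DNS answers, names and the VNet address space below are constructed sample data, not real lookups.

```python
"""Added example (not from the original page): triage a Private Endpoint
cutover in the order the table gives, name resolution first, then NSG and
probe. The DNS answers and VNet address space are constructed sample data."""
import ipaddress
from typing import List, Tuple

# Constructed: what a client in the VNet got back for the storage account
# name, as (name, record type, target) tuples. A healthy cutover resolves
# through the privatelink CNAME to the endpoint NIC's private IP.
HEALTHY = [
    ("stexample.blob.core.windows.net", "CNAME", "stexample.privatelink.blob.core.windows.net"),
    ("stexample.privatelink.blob.core.windows.net", "A", "10.1.2.4"),
]
# Constructed: privatelink zone missing, empty, or not linked to this VNet,
# so the privatelink name falls through to public resolution.
FALLTHROUGH = [
    ("stexample.blob.core.windows.net", "CNAME", "stexample.privatelink.blob.core.windows.net"),
    ("stexample.privatelink.blob.core.windows.net", "CNAME", "blob.example-cluster.store.core.windows.net"),
    ("blob.example-cluster.store.core.windows.net", "A", "203.0.113.10"),
]
VNET_CIDRS = ["10.1.0.0/16"]   # constructed VNet address space

def resolve(answers: List[Tuple[str, str, str]]) -> Tuple[bool, str]:
    """Follow the CNAME chain; return (saw_privatelink_cname, final_ip)."""
    records = {name: (rtype, target) for name, rtype, target in answers}
    name, saw_privatelink = answers[0][0], False
    for _ in range(len(records)):           # bounded walk guards against CNAME loops
        rtype, target = records[name]
        if rtype == "A":
            return saw_privatelink, target
        saw_privatelink |= ".privatelink." in target
        name = target
    raise ValueError("CNAME chain does not end in an A record")

def diagnose_private_path(answers, vnet_cidrs) -> str:
    """Name the layer to check next: 'dns-ok', 'dns-fallthrough' or 'dns-public'."""
    saw_privatelink, ip = resolve(answers)
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(c) for c in vnet_cidrs):
        return "dns-ok"            # endpoint NIC reached; look at NSG rules and probe path next
    if saw_privatelink:
        return "dns-fallthrough"   # fix privatelink zone records and the VNet link
    return "dns-public"            # client never saw the privatelink CNAME: wrong resolver path
```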

Compute and deployment chooser

| Requirement | Strongest first fit | Why |
|---|---|---|
| ordinary VM admin and OS control | Virtual Machines | direct instance control |
| elastic fleet of identical VMs | VM Scale Sets | scaling and instance coordination |
| repeatable platform deployment | ARM or Bicep | infrastructure as code |
| simple web app platform | App Service | managed app hosting |
| container image storage | ACR | Azure-native image registry |
| quick script on an existing VM | Run Command / extension path | operational fix without full redeploy |

| Pair | Keep this distinction clear |
|---|---|
| VM vs VMSS | one instance vs scalable coordinated fleet |
| ARM/Bicep vs portal clicks | repeatable deployment vs one-off admin action |
| App Service vs VM | managed app platform vs OS-managed instance |

Monitoring and signal chooser

| Need | Strongest first signal or tool | Why |
|---|---|---|
| fast threshold alerting | metrics and metric alerts | quickest symptom visibility |
| rich investigation and correlation | Log Analytics / KQL | deeper event analysis |
| control-plane history | Activity Log | create, delete, policy, and admin actions |
| notification or automation target | Action Group | who gets told or what gets triggered |
| performance and platform insight | Azure Monitor and Insights | broader operational view |

    flowchart LR
      R["Azure resource"] --> M["Metrics"]
      R --> L["Logs / Log Analytics"]
      R --> A["Activity Log"]
      M --> AG["Alert / Action Group"]
      L --> AG

Backup and recovery chooser

| Requirement | Strongest first fit | Why |
|---|---|---|
| protect VM workload | Recovery Services vault / backup policy | standard VM backup path |
| restore deleted or changed storage data | soft delete, snapshots, versioning, or backup, depending on the workload | match the recovery path to the storage type |
| low RPO/RTO expectation | tested backup and restore path, possibly zone/region-aware design | backup alone is not enough if the time target is strict |
| prove recoverability | perform a restore test | untested backups are weak operational evidence |

Common AZ-104 traps

  • RBAC looks correct but a Policy or lock is the real blocker
  • private endpoint design fails because DNS was not updated cleanly
  • health probes fail because the probe path or rule is wrong, not because the backend is “down”
  • using a broad role where a narrower RG or resource scope would work
  • treating backup enablement as proof of recovery without restore testing

Last 15-minute review

| Review this | Because it fixes… |
|---|---|
| RBAC vs Policy vs locks | governance-control confusion |
| management group -> subscription -> resource group -> resource | scope mistakes |
| storage redundancy and blob tiers | durability and cost confusion |
| Private Endpoint plus Private DNS | private-access misses |
| NSG/ASG/UDR/Bastion and LB/App Gateway/Front Door | networking distractors |
| metrics vs logs vs Activity Log | wrong-signal mistakes |
| backup policy vs tested restore | recovery overconfidence |

What strong answers usually do

  • choose the lowest workable scope and least-privilege access model
  • fix private-access designs at the DNS and path boundary first
  • pick the simplest Azure-native operational tool that fits the requirement
  • verify through metrics, logs, or control-plane evidence before taking a bigger action


Revised on Sunday, May 10, 2026