Use this glossary when AZ-104 terms start sounding similar. The exam often tests the boundary between related controls rather than the name alone.
Identity and governance
- Management group: A governance scope above subscriptions. Use it when policy or RBAC needs to span multiple subscriptions.
- Resource group: A logical container for Azure resources that share lifecycle, ownership, or access boundaries.
- Azure RBAC: The authorization system that decides which Azure actions a principal can perform at a given scope.
- Microsoft Entra role: A directory-administration role used for identity and tenant-management tasks rather than Azure resource actions.
- Azure Policy: A governance engine that audits, denies, appends, or remediates configuration choices.
- Resource lock: A control that blocks deletion or modification even when RBAC would otherwise allow it.
- Management lock scope: The level where a lock is applied, which affects inherited protection below it.
Storage
- Shared access signature (SAS): A time-bound token that delegates limited access to storage data.
- Stored access policy: A policy attached to a blob container or queue that lets you centrally manage SAS constraints.
- Private endpoint: A private IP address in your VNet for reaching an Azure PaaS service over Private Link.
- Service endpoint: A way to extend VNet identity to an Azure PaaS service while the service still keeps a public endpoint.
- Object replication: Blob replication between storage accounts for selected containers and rules.
- Azure Files identity-based access: A way to control file-share access with identity rather than only with storage keys.
- ZRS / GRS / GZRS: Redundancy choices that change zone protection and geo protection behavior.
Compute
- Bicep: Microsoft’s higher-level language for Azure Resource Manager deployments.
- Availability set: A way to distribute VMs across fault and update domains within a single datacenter.
- Availability zone: A physically separate zone within a region that improves resilience when supported by the workload and SKU.
- Virtual Machine Scale Set (VMSS): A managed group of identical VMs that supports scale and coordinated updates.
- App Service plan: The compute boundary that defines pricing tier, scale, and region for one or more App Services.
- Deployment slot: An App Service deployment target such as staging or production that helps reduce release risk before a swap.
- Azure Container Apps: Managed container platform for app-style container workloads without managing Kubernetes directly.
Networking and operations
- User-defined route (UDR): A custom route that changes next-hop behavior inside a virtual network.
- Application security group (ASG): A logical grouping of NICs used as source or destination targets in NSG rules.
- Effective security rules: The resulting allow-or-deny posture after Azure evaluates all the NSG rules that apply to a resource.
- Action group: The notification and automation target used by Azure Monitor alerts.
- Activity Log: The Azure control-plane event history for operations such as create, delete, policy, and administrative actions.
- Recovery Services vault: A vault type used for Azure Backup and parts of disaster recovery workflows.
- Backup vault: Another Azure Backup vault type used for some newer backup workloads.
- Connection Monitor: A Network Watcher capability that tracks reachability and network path behavior between endpoints.
- Private DNS zone: Azure DNS zone used to resolve private endpoint names inside VNets.
Commonly confused pairs
| Pair | Fast distinction |
| --- | --- |
| Microsoft Entra role vs Azure RBAC role | Directory administration versus Azure resource authorization |
| Service endpoint vs private endpoint | Public service endpoint restricted by VNet identity versus private IP inside the VNet |
| Availability set vs availability zone | In-datacenter fault separation versus cross-zone resilience |
| Activity Log vs Log Analytics resource logs | Control-plane event history versus richer resource-level operational detail |
| Azure Backup vs Azure Site Recovery | Restore-oriented protection versus replication and failover continuity |
| ZRS vs GRS vs GZRS | Zone redundancy only versus geo redundancy only versus both zone and geo protection |
| App Service plan vs deployment slot | Compute boundary versus safe release target |
| NSG vs ASG | Traffic filter rules versus logical grouping target for those rules |
| Recovery Services vault vs Backup vault | Older, broader backup/recovery vault role versus newer backup workload vault role |
| Private DNS zone vs public DNS zone | Internal name resolution for private endpoints versus internet-facing name resolution |
If three terms blur together
| Cluster | Fast separation |
| --- | --- |
| Entra role / Azure RBAC / Policy | Directory administration, resource authorization, or configuration governance |
| Private endpoint / service endpoint / public endpoint with restrictions | Private IP path, VNet-bound public service path, or public path with filtering |
| Availability set / availability zone / VMSS | Intra-datacenter resilience, cross-zone resilience, or scale plus coordinated VM management |
| Metric alert / log alert / action group | Signal type, query-driven condition, or notification target |
| Backup / site recovery / failover | Restore protection, replication continuity, or switchover action |
One-sentence memory hooks
- If the question is about who can do the Azure action, think Azure RBAC.
- If the question is about what configuration is allowed, think Azure Policy.
- If the question is about private access to PaaS, think Private Endpoint plus private DNS.
- If the requirement is "restore later", think backup; if it is "stay available", think replication or failover.
- If the question is about what the platform did, think Activity Log before deeper resource logs.
When two terms overlap, ask which layer they control: identity, governance, data access, network path, monitoring signal, or recovery. That framing usually resolves the exam question faster than memorizing names alone.