Study Guide · AZ-104

AZ-104 Cheat Sheet

360 entries · 15 chapters · 5 domains

Identity and Governance

Entra Users and Groups

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A user's member-or-guest type is fixed by origin, not by a setting

A member user is native to your tenant (created in the cloud or synced from on-premises Active Directory by Entra Connect); a guest user is invited from another directory through B2B collaboration and signs in with their own home credentials. The type is decided by how the account entered the directory and is not something you toggle on the user. You widen or narrow a user's actual access by assigning roles, not by changing the type.

1 question tests this
Invite external collaborators as B2B guests so you never manage their password

When an outside partner needs access, invite them as a B2B guest rather than creating a member account. The guest authenticates against their own home tenant or identity provider, so you issue no credential and reset no password, and you scope them with roles and group membership. A guest's UPN takes the form alice_contoso.com#EXT#@yourtenant.onmicrosoft.com, and by default guests have restricted directory permissions.

Trap Creating a member account for an external partner: it forces you to manage a credential and grants the broad default member permissions a partner shouldn't have.

Guest users get restricted directory permissions by default

By default a guest can manage their own profile and read only limited directory data; they cannot enumerate the full list of users or groups the way a member can. Members, by contrast, can read most directory information and by default register applications, create groups, and invite other guests. You can tighten these defaults for all members or all guests in the directory's user settings.

Security groups gate access; Microsoft 365 groups enable collaboration

Pick a security group to manage access to resources, roles, and applications: its members can be users, devices, service principals, and even other groups (nesting). Pick a Microsoft 365 group when the need is a shared workspace (mailbox, calendar, SharePoint), but note its members can be users only. The decisive test is the requirement: resource or role access points to a security group, a team workspace points to a Microsoft 365 group.

Trap Choosing a Microsoft 365 group to control access to a resource: that group type is for collaboration, and only a security group can be used for group-based licensing.

1 question tests this
Only a security group can hold non-user members

A security group's membership can include users, devices, service principals, and nested groups, which is why it is the vehicle for assigning resource access and roles. A Microsoft 365 group accepts users only: no devices or service principals. When a scenario needs a group of devices (for example to target Intune policy through dynamic device membership), the group must be a security group.

Trap Trying to add devices to a Microsoft 365 group: that type takes users only, so a device group must be a security group.

2 questions test this
Assigned vs dynamic membership decides who maintains the member list

Assigned membership means an administrator or group owner adds each member by hand; dynamic membership uses an attribute rule to add and remove members automatically as their attributes change. Choose Assigned for a fixed, hand-picked roster and dynamic when membership should track an attribute such as department. Dynamic keeps the roster accurate without manual upkeep but trades away the ability to pin or exclude an individual outside the rule.

A group owner can edit members only when membership is Assigned

Group ownership lets you manage a group's properties and its membership, but the membership part applies only to Assigned groups. A dynamic group's members are governed entirely by its rule, so even the owner cannot add or remove a member directly: you change membership by changing user attributes or the rule itself. Editing a dynamic membership rule additionally requires the Groups Administrator, Intune Administrator, or User Administrator role.

Trap Assuming a group owner can add a member to any group: for a dynamic group the rule controls membership and the owner cannot override it.

1 question tests this
A dynamic group targets users OR devices, never both

When you create a dynamic membership group you choose Dynamic User or Dynamic Device, and a single group cannot do both. A device rule may reference only device attributes: you cannot build a device group from the device owners' attributes. If a requirement mixes users and devices, you need two separate dynamic groups.

Trap Building one dynamic group whose rule mixes user and device attributes: Entra ID requires the membership target to be users only or devices only.

2 questions test this
Dynamic membership requires Microsoft Entra ID P1

Attribute-rule (dynamic) group membership is a premium feature: it requires Microsoft Entra ID P1 for every user in scope of the rule. Assigned membership works on the free tier. In a scenario set in a trial or free tenant, automatic department-based membership is unavailable, so the answer falls back to an Assigned group plus manual upkeep, or acquiring P1.

Trap Proposing dynamic membership in a free/trial tenant: dynamic groups need Entra ID P1 and aren't available on the free tier.

3 questions test this
Set a user's Usage location before assigning any license

A license cannot be assigned to a user until that user has a Usage location set, because Microsoft licenses are subject to regional availability. If a direct license assignment fails for a freshly created user, the missing Usage location attribute is the usual cause. Set it on the user profile, then assign the license.

Use group-based licensing to keep licenses in step with membership

Group-based licensing attaches one or more product licenses to a security group; Entra ID then licenses every member automatically and removes the license when a member leaves the group. Pair it with a dynamic group and licensing tracks org structure with zero scripting. It works on security groups only, and you must hold at least one license for every unique member of a licensed group.

Group-based licensing requires Entra ID P1 for each benefiting user

Group-based licensing itself is a premium capability: you need Microsoft Entra ID P1 (or a qualifying Microsoft 365 / Office 365 plan such as Business Premium or Office 365 E3) for every user who benefits from it. This is separate from the product licenses being assigned: the P1 entitlement pays for the automation, while the product licenses cover the services the members consume.

License assignment moved out of the Azure portal on September 1, 2024

Since September 1, 2024 the Microsoft Entra admin center and the Azure portal no longer expose license assignment in their UI; assignment for both users and groups is done in the Microsoft 365 admin center. The change is UI-only: Microsoft Graph and PowerShell still assign licenses programmatically. If a question says the license-assignment option is missing from the Azure portal, that is expected, not a bug.

Trap Looking for the license-assignment blade in the Entra/Azure portal: it was removed in September 2024; assign licenses in the Microsoft 365 admin center or via Graph/PowerShell.

SSPR needs at least one registered method; the policy requires one or two to reset

Self-service password reset lets users reset or unlock their own password with no help-desk call, but each user must first register authentication methods: choices include Microsoft Authenticator, OATH tokens, SMS, voice call, email OTP, and security questions. The administrator policy sets how many registered methods a reset requires, a value of one or two. A user who has registered fewer than the required number cannot use SSPR and must contact an administrator.

7 questions test this
Administrator accounts are forced onto a stronger two-method SSPR policy

Even if the tenant SSPR policy requires only one method for ordinary users, accounts holding an Azure administrator role are subject to a stronger two-gate password reset policy and cannot use the relaxed single-method setting. This is automatic and not configurable down: Microsoft enforces it because admin accounts are higher-value targets.

Trap Assuming a one-method SSPR policy applies to administrators: admin-role accounts are always held to the stronger two-method reset policy.

5 questions test this
SSPR is free, but password writeback to on-premises AD requires P1

Self-service password reset is available on Microsoft Entra ID Free for cloud-managed users. SSPR password writeback, which pushes a cloud-initiated reset back down to on-premises Active Directory for a federated, pass-through-auth, or password-hash-synced user, requires Microsoft Entra ID P1. Without writeback, a hybrid user whose password is mastered on-premises is told to contact their administrator instead of resetting.

Trap Expecting plain SSPR to reset a synced on-premises user's password: that needs SSPR password writeback, which requires Entra ID P1.

4 questions test this
Reset, change, and writeback are three different password operations

A password reset recovers a forgotten password (the SSPR scenario, where the user proves identity with registered methods); a password change updates a password the user already knows and is signed in with; password writeback is the hybrid mechanism that carries either operation back to on-premises AD. It is not a separate end-user action. Conflating reset with writeback is the usual source of confusion in hybrid scenarios.

Personal Microsoft accounts used as guests cannot use Entra SSPR

A guest who signs in with a personal Microsoft account (Outlook.com, Hotmail) cannot use your tenant's Entra SSPR; they recover through their own Microsoft account instead. B2B guests from a partner Microsoft Entra tenant or self-service sign-up users, by contrast, can reset using the email they registered, subject to the partner tenant's own SSPR policy. So SSPR support for a guest depends on what kind of account backs them.

Trap Expecting your tenant's SSPR policy to reset a personal-Microsoft-account guest's password: those accounts recover through their own Microsoft account, not your tenant.

Bulk user creation uses a fixed CSV template with four required fields

Bulk user creation in the Microsoft Entra admin center downloads a CSV template whose only required values are Name, User principal name, Initial password, and Block sign in (Yes/No). Extra columns you add are ignored and not processed, and a bulk operation can fail if it doesn't complete within about an hour, so split very large imports into smaller batches.

4 questions test this
Use -in for multiple values and minimize -match/-contains for fast dynamic groups

When a dynamic membership rule tests one property against several values, the single -in operator (for example user.department -in ["Sales","Marketing"]) is more efficient than chaining many -or/-eq expressions. Microsoft advises minimizing the -match and -contains operators as much as possible for better dynamic group processing times; prefer -eq or -startsWith where you can.

5 questions test this
Manage Entra users with New-MgUser, Get-MgUser, and Update-MgUser

In the Microsoft Graph PowerShell SDK, New-MgUser creates a user (its PasswordProfile parameter takes a hash table such as @{Password='...'}), Update-MgUser edits an existing user's properties, and Get-MgUser piped to Update-MgUser bulk-updates a filtered set. Connect-MgGraph must request the User.ReadWrite.All scope to create or modify users.

Trap Passing PasswordProfile as a string, or requesting only User.Read.All (read-only) when you need to write.

8 questions test this
External collaboration settings decide who may invite guests

Guest invitations are governed in External collaboration settings: you can restrict them so only users assigned to specific admin roles can invite, and the built-in Guest Inviter role grants invite rights (even when that restriction is on) without other user-management privileges. Collaboration restrictions can allow or block invitations to specific named domains (for example only fabrikam.com).

Trap Assigning User Administrator just to let someone invite guests when the least-privilege Guest Inviter role suffices.

4 questions test this
Pilot SSPR with the Selected scope and force registration at sign-in

Self-service password reset can be enabled for None, Selected, or All users; choose Selected and pick one security group to pilot it before a wider rollout. Turning on 'Require users to register when signing in' prompts users to supply authentication contact info at next sign-in, and the re-confirmation interval accepts 0 to 730 days (0 means users are never asked to re-confirm).

Trap Leaving SSPR set to All when only a pilot group is intended.

5 questions test this

Azure RBAC

Read full chapter
  • A role assignment binds a security principal, a role, and a scope
  • Scope is a four-level tree and access is inherited downward
  • Assign at the narrowest scope that does the job
  • Owner is full management plus the right to assign roles
  • Contributor manages everything but cannot assign roles
  • Reader can view resources but change nothing
  • User Access Administrator manages access, not resources
  • Effective permissions are additive: they never subtract
  • Role assignments are transitive through nested groups
  • Deny assignments are created by Azure, not by you
  • Azure RBAC roles control resources; Microsoft Entra roles control the directory
  • By default a Global Administrator has no access to Azure resources
  • User Administrator and User Access Administrator are different roles on different planes
  • A Global Admin regains lost subscription access by elevating access
  • Start with the most restrictive built-in role that fits
  • Assigning a role requires the roleAssignments/write permission
  • Classic subscription administrator roles are fully retired
  • Effective control-plane permission equals Actions minus NotActions
  • Actions cover management; DataActions cover the data inside resources
  • Custom roles need a non-root AssignableScopes, no Id, and the right create/update cmdlet
  • A subscription allows up to 4,000 role assignments, so assign to groups
  • User-assigned identities are shareable; assigning one needs Managed Identity Operator

Unlock with Premium — includes all practice exams and the complete study guide.

Subscriptions and Governance

Read full chapter
  • Governance flows down the management hierarchy: assign at the highest scope that should be affected
  • Use a management group to govern many subscriptions at once
  • A subscription is the billing and quota boundary; a resource group is a logical lifecycle container
  • Azure Policy governs what resources look like; RBAC governs who can act
  • Definition is one rule, initiative bundles many, assignment binds them to a scope
  • Deny blocks new non-compliant resources; Audit only logs them
  • DeployIfNotExists auto-fixes via remediation, and the assignment needs a managed identity
  • Policy compliance re-evaluates about every 24 hours, not instantly
  • A resource lock overrides RBAC: even an Owner is blocked
  • CanNotDelete allows modify; ReadOnly is the stricter one that blocks modify too
  • A ReadOnly lock can block operations that look like reads but are POSTs
  • When locks overlap, the most restrictive one in the chain wins
  • Tags do not inherit: a resource doesn't get its resource group's tags automatically
  • A resource can hold up to 50 tags; names are case-insensitive, values case-sensitive
  • Moving a resource locks source and target and isn't supported for every type
  • A budget alerts when crossed: it never stops spending on its own
  • Cost analysis breaks spend down by subscription, resource group, service, or tag
  • Azure Advisor has five categories: Cost is the one that finds savings
  • Buy reservations for steady, always-on workloads
  • Budgets offer Actual and Forecasted alert types, up to five thresholds
  • Budget action groups work only at subscription and resource-group scope

Unlock with Premium — includes all practice exams and the complete study guide.

Storage

Storage Access

Read full chapter
  • Network rules and authorization are two independent gates: both must pass
  • A new storage account allows all networks until you restrict it
  • A virtual network rule requires the Microsoft.Storage service endpoint on the subnet
  • Use IP rules for on-premises callers, virtual network rules for Azure subnets
  • A storage account allows up to 400 virtual network rules and 400 IP rules
  • Allow first-party Azure services through the firewall with the trusted-services exception
  • The three SAS types are distinguished by what signs them
  • Prefer a user delegation SAS: it never exposes the account key
  • An account SAS spans services; a service SAS reaches one
  • Always send a SAS over HTTPS with least privilege and short lifetime
  • Bind a service SAS to a stored access policy to revoke it without rotating keys
  • Stored access policies: five per container, and service-SAS only
  • Each account has two access keys that grant full, unscoped access
  • Rotate access keys one at a time so applications never lose access
  • Disallow Shared Key authorization to enforce Entra Conditional Access
  • Azure Files identity-based authentication works over SMB only
  • Enable exactly one Azure Files identity source per storage account
  • Azure Files SMB authorizes in two layers: share-level RBAC then file-level NTFS ACLs
  • Choose Microsoft Entra Kerberos for cloud-only identities or macOS clients
  • Management roles like Owner and Contributor grant no access to blob or file data
  • A private endpoint created without RBAC on the target shows Pending until the owner approves it
  • A private endpoint needs a privatelink private DNS zone linked to every VNet that resolves it
  • Each storage service needs its own private endpoint
  • AzFilesHybrid's Join-AzStorageAccount domain-joins the account as an AD DS computer object
  • A user delegation SAS can never outlive its 7-day user delegation key
  • Azure Files AD DS auth needs hybrid identities and a domain-joined client for ACLs

Unlock with Premium — includes all practice exams and the complete study guide.

Storage Accounts

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Standard general-purpose v2 is the default account kind, and it hosts all four services

A Standard general-purpose v2 (StorageV2) account supports Blob, Azure Files, Queue, and Table storage together, and it is Microsoft's recommended kind for almost all new work. The premium kinds are single-purpose: premium block blobs (block/append blobs), premium file shares (Azure Files), and premium page blobs. Reach for a premium kind only when one service needs SSD-backed low latency or high transaction rates; otherwise StorageV2 keeps everything in one account.

Standard is HDD-backed, Premium is SSD-backed

The Standard performance tier runs on hard-disk drives and is the cost-effective choice for general blob, file, queue, and table workloads. The Premium tier runs on solid-state drives for low, consistent latency and high throughput, and it costs more. Pick Premium when a workload is latency-sensitive or has a high transaction rate against small objects; pick Standard for everything else.

Account kind and performance tier are fixed at creation. You can't change them in place

You choose the account kind and performance tier when you create a storage account, and you cannot convert an account to a different type afterward. To move from Standard to Premium (or change kind), you create a new account and copy the data across with a tool like AzCopy. The single exception is the one-way in-place upgrade of a legacy general-purpose v1 or BlobStorage account to general-purpose v2.

Trap Assuming you can switch a Standard account to Premium in the portal. There is no in-place tier change; you must create a new account and copy the data.

1 question tests this
Storage account names are 3–24 lowercase alphanumeric characters and globally unique

A storage account name must be between 3 and 24 characters, contain only lowercase letters and numbers (no hyphens, underscores, or uppercase), and be unique across all of Azure because it forms the subdomain of every endpoint, such as account.blob.core.windows.net. A name that is taken anywhere in Azure, or that uses an illegal character, is rejected at creation.

Redundancy answers two questions: spread within the primary region, and whether to add a second region

Within the primary region you choose LRS (three copies in one datacenter) or ZRS (synchronous copies across three availability zones). Layering a distant secondary region on top gives the geo options: GRS (LRS in primary + async copy to the paired region) or GZRS (ZRS in primary + async copy). The redundancy setting is account-wide, so every service in the account shares one durability profile.

LRS keeps three copies in one datacenter. It survives hardware failure, not a datacenter loss

Locally redundant storage replicates data three times within a single physical datacenter in the primary region and gives at least eleven 9s (99.999999999%) of durability over a year. It is the lowest-cost option and protects against drive, server, and rack failures, but if that datacenter is destroyed, every replica is lost. Choose it only when data is easily reconstructed or residency rules forbid leaving the region and a zone outage is acceptable.

Trap Treating LRS as protection against a datacenter or zone outage. All three LRS copies sit in one datacenter, so losing it loses everything.

1 question tests this
ZRS spreads three synchronous copies across three availability zones

Zone-redundant storage writes data synchronously across three availability zones in the primary region (each a separate datacenter with independent power, cooling, and networking) and gives at least twelve 9s (99.9999999999%) durability. Reads and writes keep working through a full zone outage. It is the right within-region choice when you must survive losing a whole datacenter but data must stay in the region.

2 questions test this
GRS and GZRS add a distant secondary region; they differ only in how the primary spreads copies

Both geo options copy data asynchronously to a paired secondary region hundreds of miles away and give at least sixteen 9s (99.99999999999999%) durability. The only difference is the primary region: GRS uses LRS there, GZRS uses ZRS there (so GZRS also survives a primary-region zone outage). In the secondary region both always use LRS. Use a geo option to survive a region-wide disaster.

Trap Thinking GRS and GZRS differ in the secondary region. Both use LRS in the secondary; the difference (LRS vs ZRS) is entirely in the primary region.

3 questions test this
The paired secondary region is fixed by your primary and can't be chosen

When you create a geo-redundant account you pick the primary region; Azure determines the paired secondary region automatically, and it cannot be changed. The pairing is a hundreds-of-miles-away region in the same geography, so you can't, for example, point a West Europe account's secondary at a US region. If a scenario needs a specific secondary, geo-redundancy can't deliver it.

Geo-replication is asynchronous, so a primary disaster can lose recent writes (non-zero RPO)

Writes commit in the primary region first and replicate to the secondary asynchronously, so the secondary trails the primary. The gap between the last primary write and the last write that reached the secondary is the recovery point objective (RPO), and it is non-zero: a disaster that destroys the primary before it catches up loses that window of data. This is the inherent trade for cross-region protection.

A GRS/GZRS secondary isn't readable or writable until you initiate account failover

With plain GRS or GZRS the secondary copy exists for durability but is inaccessible during normal operation; you cannot read or write it. If the primary region is lost, you trigger a customer-managed account failover, after which the secondary becomes the new primary and serves reads and writes. To read the secondary before any failover, you instead need the read-access variant.

Trap Expecting to read a plain GRS account's secondary copy during a primary outage. GRS gives no secondary read access; that requires RA-GRS, or an account failover first.

RA-GRS and RA-GZRS add read-only access to the secondary via the -secondary endpoint

The read-access variants RA-GRS and RA-GZRS let an application read the secondary copy at any time (including before a failover) through a read-only endpoint formed by appending -secondary to the account name (e.g. myaccount-secondary.blob.core.windows.net), using the same access keys. Choose RA- when the app must keep serving reads during a primary-region outage without waiting for failover.

4 questions test this
Azure Files can't use RA-GRS or RA-GZRS

Azure Files supports LRS, ZRS, and the geo options GRS and GZRS, but it does not support read access to the secondary region: there is no RA-GRS or RA-GZRS for file shares. If a requirement asks to read a file share's secondary copy before failover, it cannot be satisfied; plan failover-based recovery instead. (RA- read access applies to Blob, Queue, and Table.)

Trap Choosing RA-GRS for an Azure Files share to get secondary read access. Azure Files doesn't support the RA- variants, only LRS/ZRS/GRS/GZRS.

The archive blob tier needs LRS, GRS, or RA-GRS, never a ZRS-based option

The archive access tier for block blobs is supported only on LRS, GRS, and RA-GRS accounts. It is not supported on ZRS, GZRS, or RA-GZRS. So if a scenario both requires zone redundancy and uses the archive tier, those constraints conflict and you can't have both on the same account.

Trap Putting archive-tier blobs in a GZRS or ZRS account. The archive tier isn't supported on any zone-redundant option; use LRS, GRS, or RA-GRS.

3 questions test this
Object replication asynchronously copies block blobs from a source account to a destination account

Object replication is a blob feature, separate from account redundancy: it asynchronously copies block blobs from a source storage account to a destination account you can read and use directly, to cut read latency in a distant region, distribute compute, or stage results. It is one-directional, and the source and destination can be in the same or different regions, subscriptions, or even Microsoft Entra tenants.

Object replication requires versioning on both accounts and change feed on the source

Before object replication works, blob versioning must be enabled on both the source and destination accounts, and change feed must be enabled on the source (Azure reads the change feed to discover new writes to replicate). Both accounts must be general-purpose v2 or premium block blob. Miss any of these prerequisites and the policy won't replicate.

Trap Enabling object replication without turning on blob versioning on both accounts and change feed on the source. Those are hard prerequisites, not optional.

Object replication handles block blobs only, not append or page blobs

Object replication supports block blobs exclusively; append blobs and page blobs are not replicated, and accounts with a hierarchical namespace (Data Lake Storage) aren't supported. If a workload needs to replicate page or append blobs, object replication is the wrong tool. By default a rule copies only new block blobs written after the rule is created, though you can opt to also copy existing blobs.

Trap Expecting object replication to copy page or append blobs. It copies block blobs only; the others are unsupported.

The object replication destination container is read-only while the policy is active

Object replication is one-directional: once a policy is active, the destination container rejects writes with HTTP 409 (Conflict). Reads and deletes are allowed, but to write to the destination you must first remove the rule or the whole policy. You create the policy on the destination account (Azure assigns a policy ID), then apply that same policy ID on the source so both ends match.

Encryption at rest is always on (256-bit AES) and cannot be disabled

Every storage account encrypts all data at rest automatically with 256-bit AES service-side encryption, which is FIPS 140-2 compliant and covers blobs, files, queues, and tables (including metadata, every access tier, and both primary and secondary regions). There is no option and no cost to turn it off: the only thing you configure is who controls the key.

Trap Treating storage encryption at rest as an optional setting you enable. It is always on and can't be disabled; only key management is configurable.

Microsoft-managed keys are the default; customer-managed keys give you control

By default a storage account encrypts with a Microsoft-managed key (Microsoft stores and rotates it, zero config). Switch to a customer-managed key (CMK) when you must control rotation, auditing, or revocation. You can switch between Microsoft-managed and customer-managed keys at any time, and applying a CMK to an existing account takes effect immediately without re-encrypting your data.

A customer-managed key lives in Key Vault or Managed HSM, reached via a managed identity

A customer-managed key must be stored in Azure Key Vault or Azure Key Vault Managed HSM, and that vault must have both soft delete and purge protection enabled. The storage account accesses the key through a managed identity (system-assigned or user-assigned) that holds get, wrapKey, and unwrapKey permissions on the key. The CMK wraps the account's root encryption key rather than encrypting data directly, so disabling the key in the vault revokes access (operations then fail 403) without re-encrypting anything.

Trap Configuring a CMK on a key vault without soft delete and purge protection enabled. Both are required, or the configuration is rejected.

1 question tests this
Infrastructure encryption double-encrypts, but only if enabled at account creation

Infrastructure encryption adds a second layer: data is encrypted twice, once at the service level and once at the infrastructure level, with two different 256-bit AES keys and algorithms, so a single compromised key or algorithm still leaves data protected. The infrastructure layer always uses a separate Microsoft-managed key even if the service layer uses your CMK. The catch: it can only be enabled when the account is created, you can't add it to an existing account.

Trap Planning to enable infrastructure (double) encryption on an existing account. It's a create-time-only option; you'd have to make a new account and copy the data.

AzCopy is the CLI for scripted, high-throughput transfers; Storage Explorer is the GUI for ad hoc work

AzCopy is a cross-platform command-line utility (Windows, Linux, macOS) for copying data to, from, or between storage accounts, the right tool for scripted, repeatable, or bulk transfers. Azure Storage Explorer is a free desktop GUI for point-and-click browsing and management, ideal for occasional interactive work; it uses AzCopy under the hood for its bulk transfers. Choose AzCopy when a scenario says 'script', 'automate', or 'large/efficient'; choose Storage Explorer for an occasional manual upload.

Trap Reaching for Storage Explorer's GUI to move terabytes in a repeatable script. That's AzCopy's job; Storage Explorer is for interactive, ad hoc use.

7 questions test this
azcopy copy moves data; azcopy sync makes the destination match the source

AzCopy's two core commands: azcopy copy copies source data to a destination (local-to-Azure, Azure-to-local, or account-to-account server-to-server), and azcopy sync performs one-directional synchronization so the destination ends up matching the source, transferring only what changed on re-runs. Use sync when you must keep a destination continuously aligned with a source rather than copying everything each time.

AzCopy authenticates with Microsoft Entra ID (azcopy login) or a SAS token on the URL

AzCopy supports two authorization methods: Microsoft Entra ID (run azcopy login once and reuse the credential across commands) or a shared access signature (SAS) token appended to each source or destination URL. Owning the storage account does not by itself grant data access, so you must provide one of these. Entra ID suits interactive or managed-identity use; a SAS token suits handing scoped, time-limited access to a script without sign-in.

A key expiration policy is a rotation reminder, and you must rotate each key once before setting it

A key expiration policy sets an interval and surfaces a reminder in the portal when the access keys haven't been rotated in time. It does not rotate keys automatically. You cannot create the policy until each access key has been rotated at least once; if keyCreationTime is null the Set rotation reminder option is greyed out. The built-in Azure Policy 'Storage account keys should not be expired' then reports which accounts are out of compliance.

7 questions test this

Files and Blob Storage

Read full chapter
  • Blob Storage holds objects in containers; Azure Files holds a mountable SMB/NFS share
  • Access tiers apply to block blobs only, set per blob, and trade storage cost for read cost
  • Hot, Cool, and Cold are online; Archive is offline and must be rehydrated before any read
  • Each tier below Hot has a minimum retention: Cool 30, Cold 90, Archive 180 days
  • Rehydrate from Archive with Set Blob Tier (in place) or Copy Blob (to a new blob)
  • Standard rehydration takes up to 15 hours; High priority under 1 hour for objects under 10 GB
  • Blob soft delete recovers a deleted or overwritten blob for 1 to 365 days
  • Blob soft delete does NOT restore a deleted container. That needs container soft delete
  • No soft delete recovers a deleted storage account. Only a resource lock prevents it
  • Snapshots are manual point-in-time copies; versioning captures every write automatically
  • Versioning keeps one current version and immutable previous versions, created on every write
  • Don't enable versioning on frequently overwritten data without managing cost
  • Lifecycle management is a JSON rule set that auto-tiers or deletes blobs by age
  • A lifecycle policy can target current versions, previous versions, and snapshots independently
  • Lifecycle policies move data colder only. They cannot rehydrate from Archive
  • Azure Files serves SMB or NFS, but one share uses exactly one protocol
  • NFS file shares require the SSD (premium) tier; HDD (standard) supports SMB only
  • Azure Files snapshots are incremental, read-only, up to 200 per share and 10-year retention
  • Soft delete for Azure Files protects a deleted share and is a storage-account setting on by default
  • When lifecycle conditions overlap, the least expensive action wins
  • Lifecycle rules for previous versions and snapshots age by creation time
  • A sync group has exactly one cloud endpoint and at most one server endpoint per registered server
  • A Windows Server can register with only one Storage Sync Service at a time
  • With multiple endpoints on one volume, the largest free-space policy wins
  • Azure Backup centrally protects Azure file shares with full or item-level restore

Unlock with Premium — includes all practice exams and the complete study guide.

Compute Resources

ARM Templates and Bicep

Read full chapter
  • Bicep and ARM JSON are functionally equivalent. Bicep transpiles to ARM JSON
  • Both languages declare desired state, not a sequence of steps
  • Only $schema, contentVersion, and resources are required in an ARM template
  • Parameters are deploy-time inputs; variables are computed inside the template
  • Outputs return values from a finished deployment
  • Bicep resolves dependencies implicitly through symbolic names
  • Use dependsOn only when no implicit reference expresses the order
  • Incremental mode is the default and leaves untouched resources alone
  • Complete mode deletes resources in the group that aren't in the template
  • Complete mode has hard limits: root-level RG templates only, never locked groups
  • A redeploy reapplies the resource's full state, not just the properties you changed
  • Deployment scope is set by the template and must match the CLI command
  • Bicep targetScope defaults to resourceGroup
  • bicep decompile converts ARM JSON to Bicep; bicep build goes the other way
  • Decompilation is best-effort, so expect to fix the generated Bicep
  • Export a resource group as an ARM template to capture existing resources
  • You deploy .bicep and .json the same way. The CLI compiles Bicep for you
  • Bicep deploys a resource or module conditionally with an if expression after the equals sign
  • Define a resource once in a Bicep module and reference it to avoid duplicating code
  • A module's scope property targets a different resource group or subscription
  • Read a module's output with moduleName.outputs.outputName
  • Linked/nested templates must sit at a URI that Azure Resource Manager can reach
  • Chain linked templates with reference('deploymentName').outputs.name.value
  • what-if previews the changes; validate only checks the template can deploy
  • allowedValues constrains a parameter; a parameter file supplies values without editing the template

Unlock with Premium — includes all practice exams and the complete study guide.

Virtual Machines

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

An availability set needs 2+ VMs to earn the 99.95% SLA

An availability set is a single-datacenter grouping that spreads VMs across fault and update domains, but the 99.95% Azure SLA applies only when you place two or more VMs in the set: a set with one VM gives no redundancy and no set-level SLA. The set itself is free; you pay only for the VM instances. Because the spreading is inside one datacenter, it protects against hardware, power, and switch failures but not a datacenter-wide outage.

Trap Expecting the 99.95% availability-set SLA from a single VM in the set. The SLA requires two or more VMs across the fault domains.

Availability zones cross datacenters for the 99.99% SLA

Availability zones are physically separate zones within a region, each with independent power, cooling, and networking, and every zone-enabled region has three of them. Spreading a workload's VMs across two or more zones earns the 99.99% SLA and survives the loss of a whole datacenter, the resilience an availability set cannot provide. The cost is slightly higher VM-to-VM latency than an availability set, whose VMs are physically closer.

8 questions test this
A single VM gets 99.9% only if all its disks are Premium SSD or Ultra

Azure grants a 99.9% single-instance VM SLA, but only when the OS and all data disks are Premium SSD or Ultra Disk; a VM using Standard storage gets no single-instance SLA. This is the floor option with no redundancy grouping, appropriate only when an outage of that one VM is tolerable. For anything that must stay up, spread VMs across an availability set or zones.

Trap Claiming a single VM with Standard HDD/SSD disks carries the 99.9% SLA. The single-instance SLA requires Premium SSD or Ultra Disk on every disk.

An availability set has up to 3 fault domains and 20 update domains, fixed at creation

Azure assigns each VM in an availability set a fault domain (a group sharing a power source and network switch, up to 3) and an update domain (a group rebooted together during planned maintenance, up to 20). Only one update domain reboots at a time, with 30 minutes to recover before the next. Both counts are set when the availability set is created and cannot be changed afterward, so size them up front.

3 questions test this
Fault domains isolate hardware failure; update domains isolate maintenance reboots

The two domain types answer different failure modes. A fault domain is a physical boundary: VMs in different fault domains don't share a power source or network switch, so a hardware fault hits only one. An update domain is a maintenance boundary: Azure reboots update domains one at a time during host updates, so a planned reboot never takes the whole set down at once. An availability set distributes VMs across both simultaneously.

3 questions test this
Availability sets can't autoscale. Use a scale set when capacity must follow demand

Availability sets provide redundancy but have no automatic scaling: the instance count is whatever you deployed. When a workload must add instances under load and remove them when idle, you need a Virtual Machine Scale Set, which autoscales horizontally on a metric (such as average CPU) or a schedule. Reach for the availability set only when the instance count is fixed and you just need redundancy.

Trap Choosing an availability set for a workload that must scale out and in with demand. Availability sets never autoscale; a Virtual Machine Scale Set does.

1 question tests this

A Virtual Machine Scale Set's orchestration mode is chosen at creation and can never be changed. Flexible orchestration is Microsoft's recommended mode: it manages standard IaaS VMs with the normal VM APIs, scales to 1,000 instances, can mix VM sizes, operating systems, and Spot with on-demand instances, and spreads instances across fault domains and availability zones. Uniform orchestration instead deploys identical instances from one profile for very large, homogeneous fleets.

Trap Planning to switch a scale set from Uniform to Flexible later. Orchestration mode is immutable after the scale set is created.

VMSS autoscale is horizontal; changing a VM's size is a separate resize

Autoscale on a Virtual Machine Scale Set is horizontal: it adds instances (scale out) when a metric crosses a threshold and removes them (scale in) when load drops, or follows a schedule. Increasing an individual VM's vCPU/memory is vertical scaling and is a resize operation, not autoscale. A question describing 'more power per instance' points to a resize; 'more instances under load' points to scale-set autoscale.

Trap Treating a VM resize (bigger SKU) as autoscale. Autoscale changes the instance count horizontally, while a resize changes one VM's size vertically.

1 question tests this
Managed disks come in five types; Ultra and Premium SSD v2 can't be the OS disk

The five managed disk types in ascending performance are Standard HDD, Standard SSD, Premium SSD, Premium SSD v2, and Ultra Disk, with IOPS ceilings of about 2,000–3,000, 6,000, 20,000, 80,000, and 400,000 respectively. The OS disk must be Premium SSD, Standard SSD, or Standard HDD: Ultra Disk and Premium SSD v2 are data-disk-only. A high-IOPS database VM therefore pairs a Premium SSD OS disk with an Ultra or Premium SSD v2 data disk.

Trap Selecting Ultra Disk or Premium SSD v2 as the OS disk. Both can only be attached as data disks; the OS disk falls back to Premium SSD, Standard SSD, or Standard HDD.

Ultra Disk doesn't support availability sets. Only single VM or availability zones

Ultra Disk supports single-VM and availability-zone deployments but not availability sets. A scenario that needs both the highest disk IOPS (Ultra Disk) and platform redundancy must use an availability zone, not an availability set. This pairs with Ultra's other limits: it can't be an OS disk and doesn't support disk caching.

Trap Attaching an Ultra Disk to a VM in an availability set. Ultra Disk is unsupported there; use a single VM or an availability zone instead.

1 question tests this
The temp disk is non-persistent. Never store durable data on it

Every VM has a temp disk (drive D: on Windows, /dev/sdb on Linux) for scratch data such as a page or swap file. It is local to the host, not a managed disk, and its contents are wiped on deallocation or when Azure migrates the VM to another host. Anything that must survive belongs on the OS disk or a data disk, both of which are persistent managed disks.

Trap Placing application data or a database file on the temp disk. It is wiped on deallocation/host migration, so durable data must go on a managed OS or data disk.

Server-side encryption is always on but doesn't cover the temp disk

Server-side encryption (SSE), also called encryption-at-rest, is always enabled on managed disks and can't be turned off; it encrypts the OS and data disks with platform-managed keys, or customer-managed keys when you attach a Disk Encryption Set (DES). Its boundary is the testable point: SSE does not encrypt the temp disk or disk caches. To cover those, layer on encryption at host.

Trap Assuming default SSE encrypts the temp disk and caches. It covers only the persisted OS and data disks; the temp disk needs encryption at host.

1 question tests this
Encryption at host covers temp disk and caches without using VM CPU

Encryption at host extends SSE so the temp disk, disk caches, and data flowing between the VM and storage are all encrypted, and it runs on the Azure host rather than inside the guest, so it consumes no VM CPU. It is Microsoft's recommended encryption option for new VMs and is what Microsoft Defender for Cloud's 'encrypt temp disks, caches, and data flows' recommendation detects. Choose it when the temp disk must be encrypted without a guest agent.

2 questions test this
Azure Disk Encryption uses BitLocker/DM-Crypt in the guest and needs a Key Vault

Azure Disk Encryption (ADE) encrypts the OS and data disks from inside the guest OS (BitLocker on Windows, DM-Crypt on Linux) and integrates with Azure Key Vault to store the disk-encryption keys, so an ADE deployment requires a Key Vault. Because it runs in the guest, ADE uses the VM's CPU and doesn't work for custom Linux images. A stem naming BitLocker or DM-Crypt is describing ADE specifically.

Trap Configuring ADE without an Azure Key Vault. ADE stores its keys in Key Vault, so the deployment fails without one.

1 question tests this
Prefer encryption at host over ADE. ADE retires September 15, 2028

Azure Disk Encryption is scheduled for retirement on September 15, 2028, after which ADE-encrypted disks will fail to unlock on reboot. Microsoft directs new VMs to encryption at host, which covers more (temp disk and caches) without using VM CPU. For a new long-lived VM, encryption at host is the forward-looking answer; ADE remains only for the specific BitLocker/DM-Crypt-in-guest requirement.

Moving a VM by resource group or subscription never changes its region

Moving a VM to another resource group or subscription only re-parents it: the physical region is unchanged and the VM keeps running. To relocate a VM to a different region you must replicate it with Azure Resource Mover or Azure Site Recovery; the move-resource-group operation can't change a resource's region. A question asking how to move a VM 'to another region' is testing that distinction.

Trap Using a move-to-resource-group or move-to-subscription operation to relocate a VM to a new region. Those never change the region; use Azure Resource Mover or Site Recovery.

3 questions test this
A cross-subscription move requires the same Entra tenant and locks both resource groups

Moving a VM across subscriptions requires both subscriptions to belong to the same Microsoft Entra ID (formerly Azure Active Directory) tenant, and the VM must move together with its dependent resources (disks, NIC, and virtual network). During the move both the source and target resource groups are locked for up to four hours, so you can't create, delete, or resize resources in them while it runs.

Trap Expecting a cross-subscription move to work across two different Entra tenants. Both subscriptions must share one tenant first (transfer billing ownership otherwise).

3 questions test this
A move changes the resource ID and orphans role assignments

Because a resource ID embeds the subscription and resource group, moving a VM changes its ID: any scripts, dashboards, or templates referencing the old ID must be updated. Azure role assignments are not carried across the move and become orphaned, so you must recreate them on the moved resource. Plan to re-point references and re-grant RBAC after a move.

Resizing across VM families may force a deallocation

A VM's size (SKU) fixes its vCPU, memory, and feature support, and sizes are grouped into families by purpose (general purpose, compute optimized, memory optimized, storage optimized, GPU). You can resize a running VM if its current host cluster supports the target size; if it doesn't (often when moving to a different family) the VM must be stopped (deallocated) first and restarts on a new cluster. Not every size is offered in every region.

Trap Assuming any resize is hot. Moving to a size the current host cluster doesn't support requires deallocating the VM first.

The scale set and availability set resources are free; you pay for instances

Neither a Virtual Machine Scale Set nor an availability set carries a charge for the grouping construct itself: billing is purely for the VM instances they contain (plus their disks and networking). This means the redundancy or autoscaling capability is free to adopt; cost scales only with the number and size of running instances.

The Custom Script Extension times out after 90 minutes

A Custom Script Extension run is allowed up to 90 minutes; a script that runs longer fails the extension with a timeout. For long jobs, split the work into scripts that each finish inside 90 minutes. This 90-minute limit is an exception to the shorter timeout most other VM extensions use.

Trap Assuming the Custom Script Extension shares the shorter timeout of most VM extensions and letting a long job run past 90 minutes; it caps at 90 minutes and then fails with a timeout.

5 questions test this
VM extensions need a healthy Azure VM Agent and access to 168.63.129.16

The Azure VM Agent must be installed and reporting Ready for any extension to install or run; if it is missing or unhealthy, extensions fail. The agent signals readiness over the Azure platform IP 168.63.129.16 (WireServer, ports 80/tcp and 32526/tcp), so a guest firewall or NSG that blocks it breaks extensions. An extension already in a failed provisioning state will also block any new extension until it is fixed.

Trap Blaming a failed extension on the script while a guest firewall or NSG blocks 168.63.129.16 or the VM Agent is unhealthy; the agent must report Ready and reach the WireServer IP first.

4 questions test this
Azure Disk Encryption needs a same-region Key Vault enabled for disk encryption and a supported VM size

Azure Disk Encryption requires a Key Vault in the same region and subscription as the VM, with the vault's 'Enabled for disk encryption' access policy turned on. ADE is not supported on Basic or A-series VMs (or VMs with under 2 GB RAM), and you set VolumeType=All to encrypt both OS and data disks. You cannot apply ADE to a VM whose disks use server-side encryption with customer-managed keys (SSE + CMK).

Trap ADE (in-guest BitLocker/DM-Crypt) and SSE with customer-managed keys are mutually exclusive. Pick one.

5 questions test this
You can only place a VM in an availability set at creation. Change it by recreating the VM

A VM's availability set is fixed at creation; you cannot add or move an existing VM into (or between) availability sets. To do it, delete the VM while keeping its managed disks, then recreate the VM from those disks specifying the target availability set, which preserves the data.

Trap Expecting to move an already-running VM into an availability set in place; the set is fixed at creation, so you must delete and recreate the VM from its disks.

4 questions test this
Default availability set: 3 fault domains, 5 update domains; use the Aligned SKU for managed disks

A new availability set defaults to 3 fault domains and 5 update domains (update domains can be raised up to 20). For VMs with managed disks, set the availability set sku.name to Aligned so storage fault domains align with compute. The maximum managed-disk fault domains varies by region (some regions support only 2) so configure no more fault domains than the region allows.

Trap Leaving an availability set on the default Classic SKU for managed-disk VMs; managed disks require the Aligned SKU so storage fault domains align with compute.

3 questions test this

Containers

Read full chapter
  • ACR stores images; ACI and Container Apps run them
  • ACR Premium unlocks geo-replication, private link, content trust, and CMK
  • Use Premium ACR geo-replication to serve one registry from many regions
  • ACR SKU changes are in-place with no downtime
  • Authenticate to ACR with a Microsoft Entra identity, not the admin account
  • The ACR admin account is off by default and has two passwords
  • An ACI container group shares host, network, and storage like a pod
  • ACI multi-container groups are Linux-only
  • An ACI container group needs at least 1 vCPU and 1 GB of memory
  • ACI restart policy Always is the default; use OnFailure or Never for finite jobs
  • ACI bills per second and does not autoscale
  • An ACI container group's public IP can change on restart
  • An ACI image can't exceed 15 GB
  • Container Apps creates an immutable revision on every change
  • Container Apps ingress is external or internal, over HTTP or TCP
  • Container Apps autoscales with KEDA between min and max replicas
  • Container Apps scales to zero, but not on a CPU or memory rule
  • Container Apps scales out, not up: no vertical scaling
  • Choose ACI for fixed tasks, Container Apps for autoscaling services
  • An AKS Spot node pool must be a secondary user node pool, never the default
  • An AKS node pool's VM size and availability zones are fixed at creation: recreate to change them
  • A subnet hosting an ACI container group must be delegated to Microsoft.ContainerInstance/containerGroups
  • An ACI container group in a VNet needs a NAT gateway for outbound internet, and gets no public IP

Unlock with Premium — includes all practice exams and the complete study guide.

App Service

Read full chapter
  • Every app runs in an App Service plan, and the plan is the unit of compute, billing, and scaling
  • Free and Shared tiers are dev/test only: shared VMs, CPU quota, no scale-out
  • Dedicated tiers give you VMs reserved to your plan; Isolated adds your own VNet
  • Scale up changes the pricing tier; scale out changes the instance count
  • Scale-out instance ceilings rise with the tier: Basic 3, Standard 10, Premium 30, Isolated 100
  • Autoscale is automatic horizontal scaling, available from the Standard tier up
  • Custom domains require a paid tier (Basic+), not Free F1
  • Root domains use an A record; subdomains and wildcards use a CNAME
  • Domain ownership is proven with an asuid TXT record
  • SNI TLS bindings are free and share one IP; IP-based SSL dedicates an IP and needs Standard+
  • The App Service Managed Certificate is a free, auto-renewing cert for a mapped domain
  • App Service defaults to TLS 1.2 and terminates TLS at the front end
  • Backup needs Basic+ and comes in automatic vs custom flavors
  • A custom backup caps at 10 GB total with at most 4 GB of linked database
  • Restore stops the target app, so restore into a slot then swap
  • VNet integration is outbound only; private endpoints handle inbound private access
  • VNet integration needs Basic+ and a dedicated subnet delegated to Microsoft.Web/serverFarms
  • Deployment slots need Standard+ and let you swap with zero downtime
  • Slot counts by tier: Standard 5, Premium 20, Isolated 20
  • Mark a value as a deployment slot setting to keep it from swapping
  • Swap with preview pauses for validation; auto swap fires on every deploy
  • A Key Vault reference needs the app's managed identity granted Get-secret access
  • Key Vault reference syntax; omitting the version auto-tracks the latest secret

Unlock with Premium — includes all practice exams and the complete study guide.

Virtual Networking

Virtual Networks

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A VNet lives in one region and one subscription but spans every zone in that region

An Azure virtual network is scoped to a single region and a single subscription, yet it automatically spans all availability zones in that region, so you never split or size a VNet by zone. Resources in different subnets of the same VNet route to each other by default with no configuration. To connect VNets that are in different regions or subscriptions, you use peering, not a single larger VNet.

Azure reserves 5 addresses in every subnet, so a /24 yields 251 usable hosts

Every subnet loses five addresses to Azure: the network address (.0), the default gateway (.1), two for Azure-mapped DNS (.2 and .3), and the broadcast address (last). A /24 therefore gives 251 usable host IPs, not 256, and the smallest usable subnet is a /29 (8 minus 5 = 3 usable). This is why a /29 handed to you in a stem holds 3 VMs, not 6.

Trap Assuming a /29 gives 6 usable IPs by counting only the .0 and broadcast: Azure reserves three more (gateway and two DNS), leaving just 3.

Subnet delegation hands a subnet to a PaaS service to inject its instances

Subnet delegation designates a subnet for a specific Azure PaaS service (such as Azure SQL Managed Instance or App Service integration) so that service can deploy its own instances into the subnet and manage relevant subnet settings. A delegated subnet is dedicated to that service. Use it when a managed service requires VNet injection rather than just a service or private endpoint.

7 questions test this
Peering keeps traffic on the Microsoft backbone with no gateway or encryption

VNet peering connects two virtual networks so resources reach each other by private IP, with traffic staying entirely on the Microsoft backbone: no public internet, no VPN gateway, and no encryption are involved. Regional peering connects VNets in the same region; global peering connects VNets across regions. Both can cross subscriptions and Microsoft Entra tenants and carry a nominal ingress/egress data charge.

Trap Assuming peering needs a VPN gateway or that traffic traverses the public internet: peered traffic is private on the Azure backbone with no gateway required.

2 questions test this
VNet peering is non-transitive, so spokes can't reach each other through a hub

If A peers with hub H and H peers with B, A still cannot reach B: peering never routes transitively through an intermediate VNet. To make a hub-and-spoke route spoke-to-spoke or spoke-to-on-premises, you put a network virtual appliance or firewall in the hub and steer traffic to it with user-defined routes (service chaining), or use Azure Virtual Network Manager / Virtual WAN. This non-transitivity is the single most-tested peering property.

Trap Assuming a spoke peered to a hub automatically reaches the hub's other peers: transit requires an NVA/gateway in the hub plus UDRs, not peering alone.

1 question tests this
Peered VNets must have non-overlapping address spaces

You cannot peer two VNets whose CIDR ranges overlap: for example two 10.0.0.0/16 networks. Plan address spaces up front, or re-IP / resize one VNet's range before creating the peering. Overlapping spaces make the routes ambiguous, so Azure blocks the peering.

Trap Trying to peer two VNets that both use 10.0.0.0/16: overlapping ranges are rejected; one side must be re-addressed first.

1 question tests this
Share a hub gateway with 'Allow gateway transit' on the hub and 'Use remote gateways' on the spoke

Because a VNet can have at most one gateway, gateway transit lets spokes use the hub's VPN or ExpressRoute gateway instead of deploying one each. It is a per-peering setting on both ends: enable Allow gateway transit on the hub side and Use remote gateways on the spoke side. A spoke that uses a remote gateway must not have its own gateway, and transit works on both regional and global peering.

Trap Setting Use remote gateways on a spoke that already has its own gateway: a VNet can have only one gateway, so the configuration is invalid.

1 question tests this
New public IPs are Standard SKU: Basic was retired in September 2025

The Basic public IP SKU was retired on September 30, 2025, so every new design uses the Standard SKU. Standard differs in three ways: allocation is always static, it is secure by default, and it is zone-redundant by default in zone-enabled regions. A public IP is a separate resource you attach for inbound internet connectivity; outbound already works through an Azure-assigned ephemeral address without one.

Standard public IPs are always static, so the address never changes on stop/start

A Standard SKU public IP uses static allocation: the address is fixed at creation and stays until you delete the resource. This matters whenever something external depends on a stable address: firewall allow-lists, DNS A records, IP-based security models, or TLS certificates bound to the IP. (Basic's dynamic IPv4 could change when a VM was stopped and started, the classic 'why did my IP change?' cause.)

A Standard public IP is closed inbound until an NSG rule allows it

Standard SKU public IPs are secure by default: attaching one to a VM does not open inbound traffic. the resource stays closed until a network security group rule explicitly permits it. If a VM with a Standard public IP is unreachable, a missing NSG allow rule is the first thing to check. (Basic public IPs were open by default, which is the behavior people wrongly expect from Standard.)

Trap Expecting a Standard public IP to be reachable as soon as it's attached: it's secure by default, so inbound is blocked until an NSG rule allows it.

Azure builds a system route table for every subnet that you can't delete

Each subnet automatically gets system routes: a Virtual network route for intra-VNet traffic, a 0.0.0.0/0 route to the Internet, and None routes that drop the RFC 1918 private ranges. You cannot create or delete system routes, but you can override specific ones with user-defined routes. Azure also adds optional system routes (Virtual network peering, Virtual network gateway) as you enable those features.

A UDR's next hop is one of five types, and peering/service-endpoint are not options

User-defined routes live in a route table you create and associate to a subnet (each subnet has zero or one table). A UDR's next hop is exactly one of: Virtual appliance, Virtual network gateway, Virtual network, Internet, or None. You cannot specify Virtual network peering or a service endpoint as a UDR next hop: Azure creates those route types only when you configure the feature itself.

Trap Trying to set 'Virtual network peering' or a service endpoint as a UDR next hop: only Azure creates those routes; they aren't selectable next-hop types in a UDR.

2 questions test this
Force all outbound traffic through a firewall with a UDR for 0.0.0.0/0 (forced tunneling)

Forced tunneling overrides Azure's default internet route by adding a UDR for 0.0.0.0/0 whose next hop is a firewall appliance or the VPN/ExpressRoute gateway, then associating the route table to the subnet. All outbound traffic is then sent to that next hop for inspection or on-premises egress instead of going directly to the internet. This is the canonical use of a UDR.

3 questions test this
A subnet can have at most one route table

You associate a single route table to a subnet, never two. Consolidate all custom routes into one table; longest-prefix-match and the UDR-over-system priority resolve precedence within it. A route table can be associated to many subnets, but each subnet points to only one table.

Trap Trying to attach two route tables to one subnet to combine rule sets: a subnet supports only one; merge the routes into a single table.

Longest prefix match wins first; only on an exact prefix tie does source priority decide

Azure selects a route by longest-prefix-match: 10.0.0.0/24 beats 10.0.0.0/16 for 10.0.0.5 because it is more specific, regardless of where each route came from. Source priority (user-defined route, then BGP route, then system route) is the tiebreaker only when two routes share the same prefix. That tie rule is exactly why a UDR for 0.0.0.0/0 overrides the default internet route.

Trap Assuming a UDR always beats a system route: a more-specific system prefix still wins by longest-prefix-match; UDR priority applies only on an exact prefix tie.

5 questions test this
VNet, peering, and service-endpoint routes are preferred and can't be overridden by a UDR

Routes for the VNet itself, for VNet peerings, and for virtual-network service endpoints are preferred system routes that a UDR cannot override, even with a more-specific prefix. In particular a service-endpoint route always wins for that service's addresses. This is the exception to the normal 'UDR overrides system route' rule.

Trap Writing a UDR to redirect service-endpoint or peering traffic: those preferred system routes can't be overridden, so the UDR is ignored for them.

Read effective routes on a NIC to see which route actually wins

The routes you author aren't necessarily the routes that run: Azure merges your UDRs with system and BGP routes and applies the selection rules, and the result is the effective routes on a network interface. View them per NIC (Portal Effective routes, or az network nic show-effective-route-table) to confirm the final next hop for a destination. A present 'Virtual network peering' route here is also your proof that a peering exists and is synced.

Every VNet resource gets outbound internet access by default, no public IP needed

All resources in a VNet can reach the internet outbound by default, through an Azure-assigned ephemeral IP, even with no public IP attached. A public IP (or public load balancer) is required only for inbound reachability. This is why outbound connectivity 'just works' but a VM is not reachable from the internet until you give it a public endpoint.

1 question tests this
A VM acting as an NVA needs IP forwarding enabled to forward traffic

Azure delivers a packet to a NIC only when the destination matches that NIC's own IP, so a VM used as a network virtual appliance silently drops forwarded traffic unless IP forwarding is enabled on its NIC. A Linux/Windows NVA must also enable forwarding inside the guest OS, not just on the Azure NIC.

Trap A correct UDR pointing at the NVA's private IP still black-holes traffic if NIC (or OS) IP forwarding is off.

4 questions test this

Network Security

Read full chapter
  • NSG rules match on a 5-tuple and fire in priority order, lowest number first
  • NSGs are stateful, so you only write a rule for the initiating direction
  • An NSG attaches to a subnet, a NIC, or both, and can be reused
  • When a subnet NSG and a NIC NSG both apply, traffic must pass both
  • Default NSG rules allow VNet and load-balancer traffic and deny inbound internet
  • Service tags name Microsoft-managed IP sets so you don't track changing prefixes
  • Group VM NICs into an ASG and reference the group instead of IPs in NSG rules
  • All NICs in an ASG, and an ASG used as both ends of a rule, must be in the same VNet
  • Effective security rules merge the subnet and NIC NSGs into the list Azure applies
  • Network Watcher IP flow verify tells you which rule allowed or blocked a 5-tuple
  • Azure Bastion gives portal RDP/SSH over TLS with no public IP on the VM
  • Bastion needs a subnet named exactly AzureBastionSubnet
  • Bastion SKUs gate features, and the dedicated host bills per hour while provisioned
  • A service endpoint extends the subnet identity to a PaaS service over the backbone
  • Service endpoints don't extend to on-premises traffic
  • A private endpoint projects one PaaS resource into your VNet as a private IP
  • A private endpoint needs DNS to resolve the service name to its private IP
  • Choose private endpoint for on-prem or per-resource isolation; service endpoint for in-VNet, no-cost
  • An NSG filters the 5-tuple only: it cannot inspect application-layer content
  • A service endpoint swaps the source IP from public to the VM's private IP
  • A service endpoint policy limits a subnet to specific Azure Storage accounts
  • Azure Firewall processes DNAT, then Network, then Application rules
  • FQDN tags let an application rule reach Microsoft services with no maintenance
  • Azure Firewall threat intelligence defaults to Alert-only, not block

Unlock with Premium — includes all practice exams and the complete study guide.

DNS and Load Balancing

Read full chapter
  • Azure-provided default name resolution works inside one VNet but can't cross VNets
  • A public DNS zone resolves nothing until you delegate the domain at the registrar
  • A record set groups all records of one name and one type
  • A private DNS zone resolves only for VNets you attach with a virtual network link
  • A VNet can autoregister into only one private DNS zone (not the other way round)
  • Azure Load Balancer is Layer 4: it routes on the 5-tuple, never on URL or host
  • Public vs internal load balancer is decided by the frontend IP type
  • Every load balancer is four objects: frontend IP, backend pool, health probe, rule
  • An inbound NAT rule forwards a frontend port to one specific backend VM
  • Choose the Load Balancer SKU first: there is no in-place Basic-to-Standard upgrade
  • Standard Load Balancer is the production answer; Basic was retired in 2025
  • The default distribution is a 5-tuple hash and does NOT pin a client to a backend
  • A Standard public Load Balancer gives backends NO default outbound internet access
  • SNAT exhaustion comes from too many concurrent outbound flows, not inbound load
  • A Standard Load Balancer is closed until an NSG allows the traffic
  • An all-unhealthy backend pool serves nothing: suspect the health probe
  • "Multiple regions" rules out Azure Load Balancer: it's a regional service
  • Application Gateway is Layer 7 for HTTP routing within one region
  • Traffic Manager routes at the DNS layer; Front Door routes at the HTTP edge
  • Path-based rules route by URL path, with a default pool for non-matches
  • Multi-site listeners route by host name for several sites on one gateway
  • Load Balancer health probes come from 168.63.129.16 and must be allowed

Unlock with Premium — includes all practice exams and the complete study guide.

Monitor and Maintain

Azure Monitor

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Metrics are numeric time series; logs are queryable table rows

Azure Monitor stores telemetry as two types. Metrics are numeric values sampled at regular intervals into a time-series database, so they are lightweight and near-real-time and you read them in Metrics Explorer. Logs are richer records held in a Log Analytics workspace and queried with Kusto Query Language (KQL). A number trending over time (CPU %, request count) is a metric; event-level detail (who deleted what, every failed request) is a log.

Trap Reaching for Log Analytics/KQL to chart a simple numeric trend: it works but needs data routed to a workspace first; Metrics Explorer already has platform metrics for free.

Platform metrics and the activity log are automatic; resource logs are not

Platform metrics (built-in numeric counters) and the activity log (subscription control-plane events) are collected automatically with no configuration. Resource logs, the detailed per-operation logs a service emits, are off by default and produce nothing to query until you create a diagnostic setting. This gap is why a resource shows metrics instantly but its detailed logs are missing from your workspace.

Trap Assuming resource logs appear automatically because metrics did: only metrics and the activity log are automatic; resource logs need a diagnostic setting first.

A diagnostic setting is what collects resource logs and routes any source to a destination

A diagnostic setting does two jobs: it starts collecting resource logs, and it routes platform metrics, the activity log, or resource logs to a durable destination. Even auto-collected sources need a diagnostic setting to send them somewhere they outlive their default window. You opt platform metrics into a destination with the AllMetrics category, and pick log categories individually or via a category group (audit or allLogs).

1 question tests this
A resource can have at most five diagnostic settings

Each Azure resource supports a maximum of five diagnostic settings. A single setting can send to several destinations at once but only one of each type, so two Log Analytics workspaces (or two storage accounts) require two separate settings, and you cannot exceed five total per resource.

Trap Trying to add a second workspace to one diagnostic setting: a setting allows only one destination of each type, so a second workspace needs a second setting (up to five).

Pick the diagnostic-setting destination by the verb: query, archive, or stream

The four destinations map to distinct jobs. A Log Analytics workspace is for querying and correlating with KQL, building workbooks, and firing log alerts. An Azure Storage account is the cheapest archive, kept indefinitely, for audit and compliance. Azure Event Hubs is the only destination that streams telemetry live to an external system such as a non-Microsoft SIEM. A partner solution hands off to an integrated third-party platform.

Trap Choosing a Storage account or Log Analytics workspace to feed a real-time external SIEM: only Event Hubs streams out; the others store data for later retrieval.

Stream to a SIEM with Event Hubs, archive cheaply with a Storage account

When security needs Azure logs streamed into a third-party SIEM in real time, route the diagnostic setting to Azure Event Hubs: the SIEM reads from the hub. When the requirement is keeping audit logs cheaply for years, route to an Azure Storage account, which can be kept indefinitely and supports an immutability policy for tamper-proof records. Storage and Log Analytics hold data; only Event Hubs pushes a live stream.

Metrics Explorer offers exactly five aggregation types

When reading a metric you choose one of five aggregations: Sum (total of all values in the interval, a.k.a. Total), Count (number of samples, ignoring their values), Average (the values' mean, normally Sum/Count), Min (smallest value), and Max (largest value). Picking the wrong aggregation misreads the data: Count on a request-duration metric tells you how many samples there were, not how long requests took.

Average is recalculated from Sum and Count, so Min/Max expose spikes it hides

Sum, Count, Min, and Max are pre-aggregated and stored, but Average is never stored: it is recomputed as Sum ÷ Count for the chosen grain. A short spike can vanish from Average and Sum at coarse granularity while still showing in Min and Max, so to catch transient anomalies inspect Max rather than trusting Average alone.

Trap Using Average to detect a brief spike: averaging smooths it out across the interval; Max is the aggregation that still surfaces the peak.

Metric granularity bottoms out at 1 minute; widen it to cut alert noise

The minimum time granularity (time grain) for charting metrics is 1 minute; coarser grains are computed from the stored 1-minute values. Widening the grain trades detail for noise reduction, which is usually what you want before wiring a metric to an alert so a momentary CPU blip doesn't page you but a sustained one does.

Split a metric by a dimension to find which instance caused a spike

Dimensions are name-value pairs attached to a metric (for example a per-instance breakdown). In Metrics Explorer you split a chart by a dimension to see each value as its own line, or filter to show only some. Splitting is how you turn an aggregated line that shows a spike into the specific instance responsible for it.

One Log Analytics workspace lets a single log search alert span subscriptions and regions

Logs from many resources can land in one Log Analytics workspace regardless of their subscription or region, and KQL queries that workspace across all of them. That is why a single log search alert can monitor resources spread across subscriptions and regions at once, whereas a metric alert is generally scoped to resources of one type in one region.

An alert rule = target + signal/condition + action group

An alert rule binds three things: the target resource to watch, the signal and condition (a metric threshold, a KQL log query, or an activity-log event filter), and an action group to invoke when it fires. Keeping the action group separate from the rule means one action group serves many rules, so you maintain recipients in one place.

Three alert types map to three signals: metric, log search, activity log

Metric alerts evaluate a metric against a static or dynamic threshold at regular intervals: fast and numeric. Log search alerts run a KQL query against workspace logs at a set frequency, for event detail and cross-resource conditions. Activity log alerts fire on a new control-plane event matching a filter. Resource Health and Service Health alerts are themselves activity log alerts.

Trap Treating Resource Health or Service Health as their own alert category: both are implemented as activity log alerts.

An action group bundles reusable notifications and actions

An action group is a named, reusable set of notifications (email, SMS, push, voice) and actions (webhook, secure webhook, Azure Function, Logic App, ITSM, automation runbook, Event Hub). Many alert rules reference the same action group, so the on-call list or remediation runbook is defined once and changed in one place rather than per rule.

3 questions test this
An alert carries a system condition (fired/resolved) and a user response (New/Acknowledged/Closed)

Each fired alert has two independent states. The monitor condition is system-set: fired while the condition holds, then resolved when it clears (a stateful metric alert resolves after the condition is unmet for three consecutive checks). The user response, New, Acknowledged, or Closed, is set by you and never changes on its own. Alert instances are retained for 30 days.

Trap Assuming closing an alert (a user response) clears the underlying problem: the monitor condition only becomes resolved when the actual condition clears, independent of your response.

1 question tests this
Suppress maintenance-window noise with an alert processing rule, not by disabling alerts

An alert processing rule modifies alerts as they fire, by filter and on a schedule, without touching any alert rule. Its two jobs are suppressing notifications (silence a resource group during planned maintenance: rules keep evaluating, only the noise is muted, and suppression lifts automatically) and adding an action group to many alerts at once. Use it instead of disabling or deleting the alert rules.

Trap Disabling each alert rule (or deleting the action group) to go quiet during maintenance: that loses the rule/breaks it for other rules; an alert processing rule suppresses temporarily and reverts on its own.

3 questions test this
Creating an alert rule needs Monitoring Contributor; Monitoring Reader can only view

To create alert rules you need Monitoring Contributor (read on the target resource, write on the resource group holding the rule). Monitoring Reader can view alerts and read resources but cannot create rules. These are the two built-in roles supported at all Resource Manager scopes for alerting.

Insights are curated, ready-made monitoring views for a resource type

Azure Monitor Insights are Microsoft-curated monitoring experiences (preconfigured dashboards, workbooks, and sometimes alerts) built on the same metrics and Log Analytics data you could assemble yourself. The ones an administrator reaches for are VM Insights (VM and scale-set performance, processes, and a dependency map), Storage Insights (account performance, capacity, availability), Network Insights (health and metrics across network resources), and Container Insights (AKS workloads). Use an Insight when you want the page already built.

Network Watcher diagnoses IaaS network paths, not PaaS, and is regional

Azure Network Watcher is a regional service for monitoring and diagnosing the network of IaaS resources (VMs, VNets, gateways, load balancers); it is not designed for PaaS monitoring or web analytics. It is auto-enabled per region when you create a VNet, and there is exactly one Network Watcher instance per region per subscription.

Trap Choosing Network Watcher to monitor a PaaS service's own health: it targets IaaS network paths; for PaaS use that service's metrics, resource logs, and Insights.

IP flow verify names the NSG rule allowing or denying a packet

IP flow verify checks whether a packet to or from a VM is allowed or denied based on the effective network security group rules, and it tells you which security rule made the decision. Reach for it when traffic is blocked and you need to identify the exact NSG rule responsible, rather than reading rules by hand.

Trap Using Next hop to find a blocking firewall rule: Next hop diagnoses routing (where traffic goes), while IP flow verify is the tool that names the allow/deny security rule.

Next hop diagnoses routing; Connection Troubleshoot tests connectivity once

Next hop returns the next hop type and IP for traffic from a VM to a destination, so it diagnoses routing problems such as a misconfigured user-defined route. Connection Troubleshoot tests whether a source can actually reach a destination right now, reporting latency and hops. Next hop answers 'where does this route send the traffic?'; Connection Troubleshoot answers 'can it connect at this moment?'.

Connection Monitor watches connectivity continuously; Connection Troubleshoot is a one-time test

Connection Monitor provides ongoing end-to-end connectivity monitoring between endpoints, with metrics and alerts over time. Connection Troubleshoot performs the same kind of check but only at a single point in time. When a scenario needs continuous monitoring with alerting, choose Connection Monitor; for a one-off diagnosis, Connection Troubleshoot.

Trap Using Connection Troubleshoot for ongoing connectivity SLA monitoring: it tests once at that moment; Connection Monitor is the continuous, alert-capable tool.

Migrate NSG flow logs to VNet flow logs before the 2027 retirement

Network Watcher flow logs record IP traffic for traffic analysis. NSG flow logs are being retired: no new ones can be created after June 30, 2025, and they are fully retired on September 30, 2027. Virtual network (VNet) flow logs are the successor and address NSG flow log limitations, so new logging should use VNet flow logs.

Trap Creating new NSG flow logs for traffic logging: they are end-of-life (no new ones after June 30, 2025; retired September 30, 2027); use virtual network flow logs instead.

VM Insights needs a Log Analytics workspace, the Azure Monitor Agent, and a DCR

Before VM Insights can collect performance data it needs a Log Analytics workspace (data lands in the InsightsMetrics table), the Azure Monitor Agent on the VM, and a data collection rule (DCR) that tells the agent what to collect. The default VM Insights DCR gathers guest performance only: it does not collect Windows event logs or Syslog, so add a separate DCR for those. A VM Insights DCR must already exist before you assign an Azure Policy initiative to onboard VMs at scale.

Trap VM Insights does not collect event logs/Syslog out of the box; you create an additional DCR rather than editing the VM Insights one.

9 questions test this
The VM Insights Map feature requires the Dependency Agent; performance does not

VM Insights has two features: Performance (Azure Monitor Agent only) and Map. The Map view of processes and application dependencies needs the Dependency Agent (the 'processes and dependencies' option) installed in addition to the Azure Monitor Agent. The portal's default data collection rule enables guest performance but leaves processes-and-dependencies (Map) disabled, so by default only the Azure Monitor Agent is installed and the Map view shows no data.

Trap Empty Map view with working Performance data means the Dependency Agent is missing, not a workspace or DCR problem.

5 questions test this
KQL essentials: summarize with bin() for time buckets, project to pick columns, render to chart

In Log Analytics KQL, summarize aggregates rows and bin(TimeGenerated, 1h) buckets results into time intervals (e.g. hourly average per Computer). project selects, renames, or drops specific columns. render (e.g. render timechart) must be the last operator and turns query results into a visualization.

Trap bin() groups the time axis inside summarize: it is not the operator that draws the chart (that is render).

5 questions test this
Azure Workbooks combine logs, metrics, Resource Graph, text, and parameters into one interactive report

Azure Workbooks are the tool when you must blend Azure Monitor Logs, metrics, and Azure Resource Graph data in a single interactive report with embedded text, then let users filter via parameters (time range, resource selectors) and export to PDF. Azure Resource Graph is a supported data source for querying resource inventory and metadata (location, tags) across subscriptions to scope a report.

Trap Parameters (not editing the KQL) are what let consumers filter a workbook interactively.

8 questions test this
Action group notifications are rate limited: email 100/hour, SMS and voice 1 per 5 minutes

Azure Monitor rate-limits action group notifications per recipient: email is capped at no more than 100 emails per hour to each email address (per region), and SMS and voice calls at no more than one notification every five minutes per phone number. Once the limit is hit, further notifications are dropped until the window expires, which is the usual reason an admin stops receiving alerts even though alerts are firing.

Trap Missing notifications with alerts clearly firing usually means rate limiting, not a wrong email/phone or an unsubscribe.

5 questions test this
Service Health alerts need a Global action group; inactive events stay in Health History for 90 days

Azure Service Health reports subscription-wide event types including Service issues, Planned maintenance, Health advisories, Security advisories, and Billing updates. To be notified of planned maintenance you create a Service Health (activity log) alert plus an action group, and the action group region must be set to Global for Service Health alerts to work. Inactive Service Health events are retained in Health History for up to 90 days after they become inactive.

Trap An action group used for a Service Health alert must be in the Global region, not a specific Azure region.

6 questions test this
Resource Health reports a single resource's availability and whether an issue was platform- or user-initiated

Resource Health shows the health of an individual resource (such as one VM) and its reason type tells you whether unavailability was platform-initiated (Azure maintenance/host issue) or user-initiated (e.g. a manual stop or deallocate). A Resource Health status of Unknown means Azure has had no data about the resource for over 10 minutes, which commonly happens when a VM is deallocated.

Trap Service Health is for subscription-wide Azure incidents; Resource Health is the one that drills into a specific resource instance.

5 questions test this

Backup and Recovery

Read full chapter
  • Azure Backup recovers data; Site Recovery keeps the app running
  • Classic workloads use a Recovery Services vault; newer datasources use a Backup vault
  • Back up on-premises files and folders with the MARS agent into a Recovery Services vault
  • A backup policy is a schedule plus retention; Azure VM retention follows GFS
  • Use the Enhanced policy for multiple backups a day; Standard backs up once daily
  • SQL Server and SAP HANA in an Azure VM reach a 15-minute RPO via log backups
  • Application-consistent is the default VM snapshot, with file-system and crash-consistent as fallbacks
  • Instant restore serves the local snapshot, kept 1–5 days (Standard) or 1–30 days (Enhanced)
  • Cross-region restore needs a GRS vault with cross-region restore enabled
  • Cross-region restore is vault-tier only: snapshots aren't replicated, so no Replace-existing
  • Restore options: Create new VM, Restore disks, Replace existing, or recover individual files
  • Azure VM region-to-region replication is the core AZ-104 Site Recovery scenario
  • Run a test failover to rehearse DR without touching production
  • RPO is data loss, RTO is recovery time: ASR targets seconds of RPO for Azure VMs
  • Use Backup center (now Azure Business Continuity Center) to manage backups across many vaults
  • Backup reports need diagnostic settings sending vault data to a Log Analytics workspace
  • Get real-time backup-failure notification with an Azure Monitor alert routed to an action group
  • Azure Files backup protects SMB shares only and needs a vault in the same region
  • Azure Files snapshot backups allow up to 6 per day and 200 snapshots per share
  • Snapshot Azure Files backups support item-level restore; vault-standard does full-share restore only
  • On-demand backups keep their own retention; deleted backup data is soft-deleted for 14 days
  • After an ASR failover: commit it (deleting all recovery points), then reprotect to replicate back
  • Blob soft delete retains deleted blobs 1–365 days; Undelete Blob restores them when versioning is off
  • Blob versioning creates a new version on every write; restore by promoting a previous version with Copy Blob
  • Azure SQL long-term retention uses W/M/Y plus WeekOfYear and applies only to future backups
  • Azure SQL point-in-time restore retention tops out at 35 days (Basic only 7) and restores to a new database

Unlock with Premium — includes all practice exams and the complete study guide.