Examworthyexamworthy.comMicrosoft Azure Administrator (AZ-104) cheat sheet
Microsoft
Free to share. Examworthy is not affiliated with or endorsed by Microsoft; AZ-104 and related marks belong to their respective owners.
At a glance
Format: Multiple choice, multiple response, and case studies, at a Pearson VUE testing center or online proctored
Domain weight map
Heaviest first - spend your time hereHow this exam thinks
AZ-104 is an operator's exam that tests precise Azure defaults and limits: most questions hinge on one exact behaviour at a boundary, so the administrator who knows what Azure actually enforces beats the one who only knows what each service is for.
Spot the trap
Tempting wrong answers, and why they failTempting but wrong
Redeploying an ARM template whose storage account already exists with identical properties fails because a resource with that name already exists in the group.
Why it fails
ARM templates are idempotent: redeploying the same desired state succeeds without error rather than failing on the existing resource. When the declared properties already match, Resource Manager makes no changes.
Deploy and Manage Azure Compute Resources
Tempting but wrong
When a resource has both a role assignment granting access and a deny assignment for the same user and action, Azure Resource Manager checks the role assignment first, so access is allowed.
Why it fails
Wrong because deny assignments are evaluated before role assignments. If a deny assignment applies, access is blocked regardless of any role assignment, so the request is denied rather than allowed.
Manage Azure Identities and Governance
Tempting but wrong
GRS creates a secondary region copy while GZRS does not create any secondary copy at all.
Why it fails
Both GRS and GZRS create a copy in a paired secondary region. They differ only in primary-region replication: GRS uses LRS and GZRS uses ZRS in the primary, with the secondary always LRS for both.
Implement and Manage Storage
Tempting but wrong
Regular (regional) virtual network peering can connect two virtual networks that sit in different Azure regions.
Why it fails
Regional virtual network peering only connects virtual networks within the same Azure region, so it cannot join networks in different regions. Connecting virtual networks across regions requires global virtual network peering.
Configure and Manage Virtual Networking
Tempting but wrong
Azure Monitor Logs is the half of the data platform that stores numeric performance values at regular intervals in a time-series store for near real-time analysis.
Why it fails
Logs holds log and trace records that you query with KQL, not a numeric time-series store. Azure Monitor Metrics is the half that collects numeric values at regular intervals into a time-series database optimized for near real-time analysis.
Monitor and Maintain Azure Resources
Tempting but wrong
Redeploying an ARM template over a storage account that already matches deletes the existing account and recreates it from the template values.
Why it fails
When the declared state already matches the existing resource, Resource Manager makes no changes rather than tearing down and rebuilding it. Idempotency means repeated deployments of the same state leave the resource untouched.
Deploy and Manage Azure Compute Resources
Tempting but wrong
To let a teammate fully manage all resources in a resource group, including creating and deleting VMs but not assigning roles to other users, you should assign the Owner role.
Why it fails
Owner grants full management of all resources but also adds the ability to assign roles in Azure RBAC, which is exactly what this requirement forbids. Contributor grants full resource management without role-assignment rights, so Contributor is correct.
Manage Azure Identities and Governance
Tempting but wrong
The difference between GRS and GZRS is how each one replicates data within the secondary region.
Why it fails
Within the secondary region both GRS and GZRS always replicate synchronously using LRS, so the secondary is identical. The real difference is in the primary region: GRS uses LRS there while GZRS uses ZRS.
Implement and Manage Storage
Key terms
Exam-day rules
- Read each question for the exact requirement first. The named region, licence tier, redundancy need, or security boundary is what picks the answer, so find it before you weigh the options.
- Treat yes/no statements as guilty until proven correct. Identify the single fact the statement turns on, such as whether a budget stops resources or a type change is allowed in place, and check that one fact before committing.
- Anchor on documented defaults and limits, not on what sounds convenient. Many traps are built from a reasonable-sounding assumption Azure does not honour, so prefer the precise behaviour at the boundary every time.
- Default to the managed, built-in capability. When a requirement could be met by a script or a manual workaround, the intended answer is usually the platform feature: Azure Backup over scripts, Bastion over a public RDP port, managed identities over stored keys.
- Let the access pattern and constraint pick storage and networking. Cross-region connectivity means global peering, layer 7 HTTP routing means Application Gateway, durability targets pick the redundancy tier; do not default to the option you use most.
Revision schedule
- Day 1Map the blueprint and book a date
- Week 1Lock the governance precedence rules
- Weeks 1 to 3Drill storage and compute defaults
- Weeks 3 to 4Build the networking service map
- Week 4Cover monitoring and recovery