AZ-104 Microsoft Azure Administrator Comprehensive Study Guide

1. Manage Azure Identities and Governance

Manage Microsoft Entra Users and Groups

- User Management: Learn how to create, delete, and manage users in Azure Active Directory (Azure AD). Understand

user properties like roles, licenses, and settings. Ensure users have the correct permissions for accessing resources.

- Groups: Use security groups to organize users. Groups can be assigned roles in Azure RBAC for easy access

management. Study dynamic groups that automatically add/remove users based on attributes.

- Roles: Differentiate between built-in roles (e.g., Contributor, Reader) and custom roles. Custom roles allow you to tailor

permissions for specific needs.

- Self-Service Password Reset (SSPR): Enable SSPR to allow users to reset their own passwords. Understand the

setup process, including setting up authentication methods and enabling SSPR for specific users or groups.

Manage Access to Azure Resources

- RBAC: RBAC allows you to assign granular permissions to users, groups, or applications, limiting access to Azure

resources based on defined roles. Learn how to apply RBAC at different scopes (subscription, resource group, or

individual resources).

- Conditional Access: Conditional Access policies enforce access requirements, like requiring Multi-Factor

Authentication (MFA) for certain conditions (e.g., accessing from untrusted networks). Familiarize yourself with policy

configuration options and troubleshooting common issues.

- Privileged Identity Management (PIM): PIM provides just-in-time access to critical resources, requiring approval for

elevated permissions. Learn how to configure PIM, request temporary access, and review audit logs to monitor high-risk

activities.

Manage Azure Subscriptions and Governance

- Resource Groups: Resource groups are containers for resources, allowing centralized management of resources
sharing the same lifecycle. Understand best practices, such as organizing resources by department or application.

- Management Groups: Use management groups to manage access, policies, and compliance across multiple

subscriptions. They enable you to apply policies at a high level across your organization.

- Azure Policies: Policies enforce specific rules for resources, such as ensuring they are deployed in specific regions or

following naming conventions. Study policy creation, assignment, and compliance tracking.

- Budgets: Set budgets in Azure Cost Management to control spending. Budgets help you monitor expenses and alert

you when spending approaches or exceeds the limit.

- Azure Blueprints: Blueprints are packages of templates, policies, and role assignments to quickly deploy compliant

environments. They help standardize deployments and ensure governance requirements are met.

2. Implement and Manage Storage

Configure Access to Storage

- Access Keys: Storage accounts have two access keys. Regenerating keys periodically helps enhance security.

Understand how to use and rotate keys effectively.

- Shared Access Signatures (SAS): SAS tokens grant temporary access to storage resources with specific permissions.

Configure SAS to control which operations are allowed and for how long.

- Firewall and Virtual Network Rules: Restrict storage access by allowing traffic only from specific IP addresses or virtual

networks. Familiarize yourself with enabling firewalls and setting up private endpoints for more secure access.

Configure and Manage Storage Accounts

- Types of Storage Accounts: Choose between Standard (general-purpose, suitable for most applications) and Premium

(optimized for high-performance scenarios).

- Replication Options:

- LRS (Locally Redundant Storage): Replicates data within a single data center. Provides low-cost redundancy within

the same region.

- GRS (Geo-Redundant Storage): Replicates data across two regions, providing disaster recovery capabilities.
 - RA-GRS (Read-Access Geo-Redundant Storage): Offers read-only access to the replicated region, allowing read

operations even if the primary region is unavailable.

- ZRS (Zone-Redundant Storage): Replicates data across multiple availability zones, providing high availability within

the same region.

- Encryption: Data in Azure Storage is encrypted by default. You can use customer-managed keys (stored in Azure Key

Vault) for enhanced control over encryption.

Configure Azure Files and Azure Blob Storage

- Azure Files: Offers fully managed file shares accessible via the SMB protocol. It's suitable for lift-and-shift migrations of

file-based applications.

- Azure Blob Storage: Optimized for unstructured data, such as documents, images, and video. Supports different tiers

(Hot, Cool, Archive) based on access frequency.

- Soft Delete: Enable Soft Delete to protect blobs from accidental deletion. Deleted data is retained for a specified

retention period, allowing recovery.

3. Deploy and Manage Azure Compute Resources

Automate Deployment of Resources Using ARM Templates or Bicep Files

- ARM Templates: ARM (Azure Resource Manager) templates are JSON files that define your infrastructure. They

support declarative syntax for consistent deployments across environments.

- Bicep: A domain-specific language that simplifies ARM syntax, making it easier to author and manage templates. Bicep

compiles into ARM templates for deployment.

Create and Configure Virtual Machines (VMs)

- VM Sizes: Select VM sizes based on requirements like CPU, memory, storage, and workload type. Each size has

specific capabilities.

- Availability Sets: Availability Sets provide redundancy by distributing VMs across fault domains (hardware clusters) and
update domains (logical groupings for updates).

- Availability Zones: Availability Zones are physically separate locations within an Azure region, providing better fault

tolerance by isolating VMs in different zones.

- Scaling: VM Scale Sets enable autoscaling, allowing VMs to automatically increase or decrease based on workload.

Provision and Manage Containers in the Azure Portal

- Azure Kubernetes Service (AKS): Fully managed Kubernetes clusters for orchestrating containerized applications.

Learn how to deploy, scale, and manage applications in AKS.

- Azure Container Instances (ACI): ACI provides a simple way to deploy containers without managing the underlying

infrastructure, ideal for single, isolated workloads.

Create and Configure an Azure App Service

- Azure App Service Plans: App Service Plans define the pricing and scaling of web apps. Choose based on compute

resources and expected load.

- Scaling: Scale out by increasing the number of instances or scale up by increasing the resources of a single instance.

Automatic scaling can be configured based on metrics.

- Deployment Options: Support for multiple deployment methods, including Git, GitHub, Azure DevOps, FTP, and

Docker containers.

... (Content continues with similar expanded details)