AZ-104 Azure Administrator Associate
1. Manage Azure identities and governance (20–25%)
• Create and manage Microsoft Entra users and groups
• Manage user and group properties
• Configure self-service password reset (SSPR)
• Manage access to Azure resources using built-in Azure roles
• Implement and manage Azure Policy
• Configure resource locks and management groups
• Manage subscriptions and resource groups
• Manage costs using alerts, budgets, and Azure Advisor
2. Implement and manage storage (15–20%)
• Configure access to storage accounts
• Create and configure storage accounts
• Configure Azure Storage redundancy and encryption
• Manage data using Azure Storage Explorer and AzCopy
• Configure Azure Files and Blob Storage
• Implement storage tiers and lifecycle management
3. Deploy and manage Azure compute resources (20–25%)
• Automate deployment using ARM templates or Bicep
• Create and configure virtual machines (VMs)
• Manage VM sizes, disks, and high availability
• Deploy and configure VM Scale Sets
• Provision and manage containers using Azure Container Instances and Azure App Service
• Configure scaling, networking, and deployment slots for App Services
4. Implement and manage virtual networking (15–20%)
• Create and configure virtual networks and subnets
• Configure IP addresses, network security groups (NSGs), and application security groups
• Implement Azure Bastion and configure service endpoints
• Configure load balancing using Azure Load Balancer and Application Gateway
• Monitor and troubleshoot network connectivity using Azure Network Watcher
5. Monitor and maintain Azure resources (10–15%)
• Interpret metrics and configure log settings in Azure Monitor
• Set up alert rules and action groups
• Configure monitoring for virtual machines, storage accounts, and networks
• Implement backup and recovery using Azure Backup and Site Recovery
1. Manage Azure identities and governance (20–25%)
1. Create and manage Microsoft Entra users and groups
What it is:
Microsoft Entra (formerly Azure AD) is used to manage identity and access. You can create users,
security groups, and Microsoft 365 groups.
How to configure in Azure Portal:
Go to Microsoft Entra ID.
Click Users > + New user > Enter details and click Create.
For groups: Go to Groups > + New group.
Choose Security or Microsoft 365.
Set membership type: Assigned / Dynamic User / Dynamic Device.
Add members and create.
2. Manage user and group properties
What it is:
You can edit user info like job title, location, or update group ownership and membership.
How to configure in Azure Portal:
Go to Microsoft Entra ID > Users.
Select a user > Profile > Edit and update details.
For groups: Go to Groups > select group > Manage Owners or Members.
3. Configure Self-Service Password Reset (SSPR)
What it is:
Allows users to reset their passwords without admin help.
How to configure in Azure Portal:
Go to Microsoft Entra ID > Password reset.
Choose Selected or All users.
Configure Authentication methods (e.g., mobile phone, email).
Test by logging in as a user and selecting "Forgot password?"
4. Manage access to Azure resources using built-in Azure roles
What it is:
Role-Based Access Control (RBAC) assigns permissions to users/groups.
How to configure in Azure Portal:
Navigate to a resource (subscription, resource group, etc.).
Click Access control (IAM).
Select + Add > Add role assignment.
Choose a role (e.g., Reader, Contributor), assign to user/group.
5. Implement and manage Azure Policy
What it is:
Enforces rules across your environment (e.g., only allowed VM sizes, specific locations).
How to configure in Azure Portal:
Search for Policy in the portal.
Click Definitions to view or create custom policies.
To apply:
Click Assignments > + Assign Policy.
Choose scope (management group/resource group).
Select a definition (e.g., "Allowed locations").
Click Review + Create.
6. Configure resource locks and management groups
What it is:
Locks prevent accidental deletion or modification.
Management Groups allow you to manage access/policies across multiple subscriptions.
How to configure in Azure Portal:
Resource Locks:
Go to a resource (VM, RG, etc.).
Click Locks > + Add.
Choose type: Read-only or Delete.
Management Groups:
Search Management groups.
Click + Add management group.
Assign a name/ID, then add subscriptions to it.
7. Manage subscriptions and resource groups
What it is:
You can organize resources using resource groups and manage access/costs at the subscription level.
How to configure in Azure Portal:
Resource Groups:
Go to Resource groups > + Create.
Set subscription, name, region, and tags.
Subscriptions:
Search Subscriptions.
Select one to:
View cost and usage
Set policies
Assign RBAC roles
8. Manage costs using alerts, budgets, and Azure Advisor
What it is:
Helps monitor and optimize your spending in Azure.
How to configure in Azure Portal:
Budgets & Alerts:
Go to Cost Management + Billing > Budgets.
Click + Add.
Set amount, time range, scope.
Add alerts when thresholds (e.g., 80%) are reached.
Azure Advisor:
Search Azure Advisor in portal.
View cost-saving recommendations, performance, security, and reliability suggestions.
1. What are the different ways to assign access in Azure?
Answer:
Role-Based Access Control (RBAC) at the subscription, resource group, or resource level
Built-in roles like Reader, Contributor, Owner
Custom roles
Azure AD Privileged Identity Management (PIM)
2. How do you enforce compliance with company policies in Azure?
Answer:
Use Azure Policy to define and assign policies (e.g., allowed VM sizes, allowed regions)
Use Initiatives for groupings of policies
Audit compliance in the Policy blade
2. Implement and manage storage
1. Configure access to storage accounts
What it is:
Controls who can access your storage account and how they can access it—via RBAC, shared access
signatures (SAS), or access keys.
How to configure (Azure Portal):
Go to Storage accounts > select your account.
Under Security + networking, use:
Access keys: Manage > copy Key1/Key2 for use in apps.
Shared access signature (SAS): Define permissions, services, and generate URL/token.
IAM (Access control): Assign RBAC roles like Storage Blob Data Reader/Contributor.
Best practice: Use RBAC over access keys for security.
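The SAS settings above end up as query parameters in the generated URL, so a token can be reviewed before it is handed to an application. The following Python check is an added example, not part of the original guide; the 24-hour lifetime limit, the finding names and the two sample URLs (with placeholder signatures) are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=24)  # assumed house limit, not an Azure default
MUTATING = set("acwdxy")  # add, create, write, delete, delete version, permanent delete

# Constructed samples; "CONSTRUCTED" is a placeholder, not a real signature.
BROAD_SAS = ("https://exampleacct.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco"
             "&sp=rwdlacup&se=2026-01-01T00:00:00Z&spr=https,http&sig=CONSTRUCTED")
TIGHT_SAS = ("https://exampleacct.blob.core.windows.net/reports/q1.csv?sv=2022-11-02&sr=b"
             "&sp=r&st=2025-01-01T00:00:00Z&se=2025-01-01T01:00:00Z&spr=https"
             "&sip=203.0.113.10&sig=CONSTRUCTED")


def _parse_time(value):
    """Parse a SAS st/se value (ISO 8601 UTC; date-only is accepted)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas(url, now):
    """Return finding codes for one SAS URL; an empty list means nothing was flagged."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not-a-sas"]
    findings = []
    if "ss" in q:  # ss/srt appear only in an account SAS, which spans whole services
        findings.append("account-level")
    if q.get("spr", "https,http") != "https":  # HTTP is permitted when spr is absent
        findings.append("http-allowed")
    if "se" not in q:
        findings.append("no-expiry-in-token")  # expiry, if any, is in a stored access policy
    else:
        expiry = _parse_time(q["se"])
        if expiry <= now:
            findings.append("expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append("long-lived")
    risky = sorted(MUTATING & set(q.get("sp", "")))
    if risky:
        findings.append("write-capable:" + "".join(risky))
    if "sip" not in q:
        findings.append("no-ip-restriction")
    return findings


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for label, url in (("broad", BROAD_SAS), ("tight", TIGHT_SAS)):
        print(label, audit_sas(url, now))
```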
2. Create and configure storage accounts
What it is:
You create a storage account to host blobs, files, queues, and tables with settings like performance,
redundancy, and networking.
How to configure (Azure Portal):
Go to Storage accounts > + Create.
Fill in:
Subscription, Resource Group, Name, Region
Performance: Standard / Premium
Redundancy: LRS / GRS / ZRS / RA-GRS etc.
Click Review + Create.
3. Configure Azure Storage redundancy and encryption
What it is:
Redundancy ensures high availability; encryption protects data at rest.
How to configure (Azure Portal):
In the storage account, go to Configuration:
Set Redundancy (e.g., LRS = locally redundant, GRS = geo-redundant).
Go to Encryption:
Choose between Microsoft-managed or Customer-managed keys.
Optional: Use your own key from Key Vault.
Note: Encryption is enabled by default in Azure Storage.
4. Manage data using Azure Storage Explorer and AzCopy
What it is:
Storage Explorer: GUI tool for managing files/blobs.
AzCopy: Command-line tool to upload/download/copy blobs.
How to configure:
Storage Explorer:
Download from: https://azure.microsoft.com/en-us/features/storage-explorer/
Connect using Azure account or storage account keys/SAS.
AzCopy:
Download: https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
Example: azcopy copy "C:\MyFiles" "https://<account>.blob.core.windows.net/container?<SAS>" --recursive
5. Configure Azure Files and Blob Storage
What it is:
Azure Blob Storage: For unstructured object data (images, logs, backups).
Azure Files: Managed file shares over SMB/NFS, usable by VMs and apps.
How to configure (Azure Portal):
Blob Storage:
Go to your storage account > Containers > + Container.
Set access level: Private / Blob / Container.
File Share:
Storage account > File shares > + File share.
Create share, then mount it using SMB path on VMs.
6. Implement storage tiers and lifecycle management
What it is:
Storage tiers: Hot, Cool, Archive – optimize cost based on access frequency.
Lifecycle rules: Automatically transition or delete blobs.
How to configure (Azure Portal):
Storage Tiers:
When uploading blobs, choose tier: Hot (default), Cool, Archive.
Change tier later: Blob > Change tier.
Lifecycle Management:
Storage account > Lifecycle Management > + Add rule.
Define filters (e.g., blob prefix, age), and actions:
Move to cool/archive tier
Delete after X days
Example: Move blobs older than 30 days to Cool, delete after 365 days.
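The 30/365-day rule above, written in the JSON form a lifecycle policy takes and evaluated against sample blobs. This Python block is an added example, not part of the original guide; the rule name, the "logs/" prefix and the blob names are assumptions, and the evaluator is a simplified model of the service's behaviour (when several actions qualify, the least expensive one is applied, so delete wins over tiering).

```python
import json

# Lifecycle policy for the example above; rule name and prefix are assumed values.
POLICY = {
    "rules": [{
        "enabled": True,
        "name": "cool-30-delete-365",
        "type": "Lifecycle",
        "definition": {
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["logs/"]},
            "actions": {"baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": 30},
                "delete": {"daysAfterModificationGreaterThan": 365},
            }},
        },
    }]
}

# Cheapest action first: when more than one qualifies, the cheapest is applied.
COST_ORDER = ["delete", "tierToArchive", "tierToCool"]


def action_for(policy, blob_path, days_since_modified, blob_type="blockBlob"):
    """Return the action the policy would take on one blob, or None.

    blob_path is "<container>/<blob name>", which is what prefixMatch compares against.
    """
    chosen = None
    for rule in policy["rules"]:
        if not rule.get("enabled", True):
            continue
        definition = rule["definition"]
        filters = definition.get("filters", {})
        if blob_type not in filters.get("blobTypes", []):
            continue
        prefixes = filters.get("prefixMatch")
        if prefixes and not any(blob_path.startswith(p) for p in prefixes):
            continue
        for action, cond in definition["actions"].get("baseBlob", {}).items():
            # "GreaterThan" is strict: a blob exactly 30 days old does not qualify yet.
            if days_since_modified > cond["daysAfterModificationGreaterThan"]:
                if chosen is None or COST_ORDER.index(action) < COST_ORDER.index(chosen):
                    chosen = action
    return chosen


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for age in (30, 31, 366):
        print(age, action_for(POLICY, "logs/app/2024.log", age))
```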
3. What is the difference between LRS, ZRS, GRS, and RA-GRS?
LRS: Locally redundant (within one data center)
ZRS: Zone-redundant (across zones in one region)
GRS: Geo-redundant (across regions, asynchronous)
RA-GRS: Read-access Geo-redundant (GRS with read access in the secondary region)
4. How do you restrict access to a blob storage container?
Use private access level
Configure RBAC roles or shared access signatures (SAS)
Enable firewall or VNet integration
3. Deploy and manage Azure compute resources (20–25%)
1. Automate deployment using ARM templates or Bicep
What it is:
ARM Templates: JSON files to define infrastructure as code.
Bicep: A more concise, readable DSL that compiles to ARM.
How to configure in Azure Portal:
Go to Template Deployment:
Home > Deploy a custom template.
Choose:
Use a built-in template or build your own.
Paste/upload the ARM JSON or Bicep (via Azure CLI/Bicep CLI).
Click Review + Create.
Tip: Use https://portal.azure.com/#blade/HubsExtension/TemplateGallery for pre-built
templates.
2. Create and configure virtual machines (VMs)
What it is:
VMs provide scalable compute in Azure for apps, dev/test, or services.
How to configure in Azure Portal:
Go to Virtual machines > + Create.
Configure:
Image (OS), Size, Authentication (SSH/password), Disk type.
Networking: Virtual network, subnet, public IP, NSG.
Click Review + Create > Create.
After creation, you can:
Connect via SSH/RDP
Stop, resize, or reimage the VM
3. Manage VM sizes, disks, and high availability
What it is:
Resize VM to increase CPU/memory.
Attach additional disks for storage.
Use availability options for fault tolerance.
How to configure in Azure Portal:
Resize VM: VM > Size > Choose a new size > Resize.
Manage Disks:
VM > Disks > + Add data disk or change OS disk type.
Choose disk type (Standard HDD, Premium SSD, etc.)
High Availability:
While creating VM or from Settings > Availability:
Use Availability Set or Availability Zone.
4. Deploy and configure VM Scale Sets
What it is:
VM Scale Sets allow you to deploy and manage a group of identical VMs that auto-scale.
How to configure in Azure Portal:
Go to Virtual Machine Scale Sets > + Create.
Choose:
Image, instance count, load balancing, scaling policies.
Configure scaling rules (CPU usage, time-based).
Click Review + Create.
Scale sets can integrate with Azure Load Balancer or Application Gateway.
5. Provision and manage containers using Azure Container Instances and Azure App Service
What it is:
Azure Container Instances (ACI): Run containers without managing servers.
App Service: Run web apps (including containerized apps) with built-in scaling and deployment tools.
How to configure in Azure Portal:
Azure Container Instances (ACI):
Search Container Instances > + Create.
Enter:
Container name, image (e.g., from Docker Hub), DNS, CPU/memory.
Choose restart policy and click Create.
App Service (Web App):
Go to App Services > + Create.
Choose code or container deployment:
For Docker: Select “Docker Container” > provide image source.
Choose App Service Plan (affects scale/performance) and region.
Click Review + Create.
6. Configure scaling, networking, and deployment slots for App Services
What it is:
App Services support autoscaling, VNet integration, and multiple deployment slots for
zero-downtime updates.
How to configure in Azure Portal:
Scaling:
App Service > Scale out (App Service Plan).
Enable autoscale > define rules (e.g., CPU > 70%).
Networking:
App Service > Networking:
Enable VNet Integration to connect to private resources.
Set Access restrictions and configure custom domains.
Deployment Slots:
App Service > Deployment slots > + Add Slot.
Create a new slot (e.g., staging) and deploy to it.
You can swap slots for smooth production releases.
5. What are the key differences between Azure VM Scale Sets and Availability Sets?
Availability Sets: Improve uptime by distributing VMs across update/fault domains in one region
Scale Sets: Automatically scale VM instances and distribute them across zones for high availability
6. How do you deploy a web application in Azure?
Use App Services for managed hosting
Select deployment method: Code, Docker container, or external repo (GitHub, Azure Repos)
Configure deployment slots, scaling, and custom domains
4. Implement and manage virtual networking
1. Create and configure virtual networks and subnets
What it is:
A Virtual Network (VNet) is the fundamental building block for private networking in Azure. It allows
resources to securely communicate with each other, the internet, and on-premises networks.
How to configure in Azure Portal:
Go to Virtual networks > + Create.
Set Name, Region, IP address space (e.g., 10.0.0.0/16).
Add subnets (e.g., 10.0.1.0/24 for web, 10.0.2.0/24 for DB).
Review and click Create.
Tip: Plan IP ranges carefully to avoid overlap with on-prem networks.
2. Configure IP addresses, Network Security Groups (NSGs), and Application Security Groups (ASGs)
What it is:
Private/Public IPs: Used to connect resources internally or externally.
NSGs: Filter inbound/outbound traffic at NIC or subnet level.
ASGs: Group VMs logically for easier security rule management.
How to configure in Azure Portal:
Private/Public IPs:
Go to Virtual Machines > select VM > Networking > View or assign a static/dynamic IP.
NSGs:
Go to Network Security Groups > + Create.
Add inbound/outbound rules (e.g., allow port 80/443).
Associate NSG with a subnet or NIC.
ASGs:
Go to Application Security Groups > + Create.
Assign VMs to ASG when configuring NIC.
Use ASGs in NSG rules for source/destination targeting.
3. Implement Azure Bastion and configure service endpoints
What it is:
Azure Bastion: Secure RDP/SSH access via browser without public IP.
Service Endpoints: Extend private VNet access to Azure services (e.g., Storage, SQL).
How to configure in Azure Portal:
Azure Bastion:
Go to Bastion > + Create Bastion.
Attach it to a VNet/subnet (must have a subnet named AzureBastionSubnet).
Once created, go to VM > Connect > Bastion for browser-based access.
Service Endpoints:
Go to Virtual Network > Subnets > select subnet.
Click + Service endpoint.
Choose services (e.g., Microsoft.Storage) and click Add.
4. Configure load balancing using Azure Load Balancer and Application Gateway
What it is:
Azure Load Balancer (Layer 4): Distributes TCP/UDP traffic among VMs.
Application Gateway (Layer 7): Handles HTTP/HTTPS with WAF and URL routing.
How to configure in Azure Portal:
Azure Load Balancer:
Go to Load balancers > + Create.
Choose Public or Internal.
Configure frontend IP, backend pool, and health probes.
Set Load balancing rules (e.g., forward port 80 to backend pool).
Application Gateway:
Go to Application Gateway > + Create.
Configure:
Frontend IP (public/private)
Backend pool (VMs or App Services)
Routing rules (e.g., path-based routing)
Optionally enable WAF (Web Application Firewall).
5. Monitor and troubleshoot network connectivity using Azure Network Watcher
What it is:
Azure Network Watcher provides tools to monitor, diagnose, and log network issues.
How to configure in Azure Portal:
Go to Network Watcher > ensure it's enabled in the region.
Use tools like:
Connection Troubleshoot: Test VM-to-VM or VM-to-service connectivity.
IP Flow Verify: Diagnose if traffic is allowed or denied by NSGs.
NSG Flow Logs: Enable logging to storage account for packet-level diagnostics.
Topology: View network architecture visually.
Tip: Use Traffic Analytics (via Log Analytics) for deeper insights.
7. What is the use of Azure Bastion?
Secure RDP/SSH access to VMs without public IPs, through the Azure Portal
8. How would you restrict inbound internet traffic to a subnet?
Use Network Security Groups (NSGs)
Define inbound rules (e.g., deny all except port 443)
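NSG rules are evaluated in priority order, lowest number first, and the first matching rule decides the outcome, which is also what IP Flow Verify reports back. This Python model is an added example, not part of the original guide, and shows why rule order matters for "deny all except port 443"; the custom rule names, the 10.0.0.0/16 stand-in for the VirtualNetwork tag and the sample addresses are assumptions, and destination address matching is left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first
    access: str          # "Allow" or "Deny"
    source: str          # CIDR, or "*" for any
    dest_port: str       # "443", "1000-2000", or "*"
    protocol: str = "*"  # "Tcp", "Udp" or "*"


# Default inbound rules present in every NSG. The VirtualNetwork service tag is
# approximated by the guide's example address space (an assumption), and the
# load balancer default rule is omitted.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "10.0.0.0/16", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# Constructed rule sets for comparison.
CORRECT = [Rule("Allow-HTTPS", 100, "Allow", "*", "443", "Tcp"),
           Rule("Deny-Rest", 200, "Deny", "*", "*")]
MISORDERED = [Rule("Deny-Rest", 100, "Deny", "*", "*"),
              Rule("Allow-HTTPS", 200, "Allow", "*", "443", "Tcp")]
ALLOW_ONLY = [Rule("Allow-HTTPS", 100, "Allow", "*", "443", "Tcp")]


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _src_match(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(rules, src_ip, port, protocol="Tcp"):
    """Return (access, rule name) for an inbound flow: first match by priority wins."""
    for r in sorted(DEFAULT_INBOUND + list(rules), key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _src_match(r.source, src_ip)
                and _port_match(r.dest_port, port)):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT), ("misordered", MISORDERED),
                         ("allow-only", ALLOW_ONLY)):
        print(label, evaluate(rules, "198.51.100.7", 443),
              evaluate(rules, "10.0.2.4", 3389))
```

With only the allow rule in place, internet traffic on other ports is already dropped by DenyAllInBound, but traffic from inside the virtual network still passes through AllowVnetInBound; the explicit deny rule is what closes that path.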
5. Monitor and maintain Azure resources
1. Interpret metrics and configure log settings in Azure Monitor
What it is:
Azure Monitor collects and analyzes performance and health data from Azure resources. It includes:
Metrics: Numeric values (CPU, memory, etc.).
Logs: Diagnostic and activity data (events, errors, operations).
How to configure in Azure Portal:
View Metrics:
Go to any resource (e.g., VM, Storage).
Click Monitoring > Metrics.
Select metric (e.g., CPU usage), time range, and apply filters.
Enable Diagnostic Logs:
Go to the resource > Monitoring > Diagnostic settings.
Click + Add diagnostic setting.
Choose logs/metrics to send to:
Log Analytics
Storage account
Event Hub
Click Save.
Logs require enabling diagnostic settings first to collect data.
2. Set up alert rules and action groups
What it is:
Alerts: Notify you when conditions (like high CPU or failed login) occur.
Action groups: Define what happens—email, SMS, webhook, automation runbook, etc.
How to configure in Azure Portal:
Create Action Group:
Go to Monitor > Alerts > Manage action groups > + Add.
Define name, subscription, and notifications (e.g., email, SMS).
Click Review + Create.
Create Alert Rule:
Go to Monitor > Alerts > + Create > Alert rule.
Select a scope (resource).
Set condition (e.g., “CPU > 80% for 5 minutes”).
Choose action group and define severity.
Click Create alert rule.
3. Configure monitoring for virtual machines, storage accounts, and networks
What it is:
Each Azure resource type has tailored monitoring options via Azure Monitor, metrics, logs, and
diagnostic settings.
How to configure in Azure Portal:
For VMs:
VM > Monitoring:
Enable Insights for performance metrics.
View CPU, memory, disk IO, and install the Log Analytics agent if needed.
For Storage Accounts:
Storage > Monitoring > Diagnostic settings:
Enable logging for read/write/delete operations.
Route logs to Log Analytics or Storage account.
For Networks:
Use Network Watcher for:
Connection troubleshoot
Topology maps
NSG flow logs
Use Log Analytics Workspace to centralize monitoring data.
4. Implement backup and recovery using Azure Backup and Site Recovery
What it is:
Azure Backup: Protects VMs, files, databases by backing them up to Recovery Services vault.
Azure Site Recovery (ASR): Ensures disaster recovery by replicating VMs across regions.
How to configure in Azure Portal:
Azure Backup:
Go to Recovery Services vaults > + Create.
Once created, go to Backup:
Select Backup goal: Azure (VMs), on-prem, etc.
Choose resources (VMs or others), configure Backup policy.
Enable backup and run the first backup job.
Site Recovery:
In Recovery Services vault > Site Recovery > + Enable replication.
Select source region, VMs, target region, and replication policy.
Set up failover and recovery options.
Regularly test failover and restore to ensure business continuity.
9. What are action groups in Azure Monitor?
A group of notification methods (email, SMS, webhook, runbook) that are triggered by alert rules
10. How would you troubleshoot a network issue between two VMs?
Use Azure Network Watcher tools:
Connection troubleshoot
IP flow verify
NSG flow logs
Topology view
11. What’s the difference between Azure Backup and Site Recovery?
Azure Backup: Backup and restore VMs or data
Site Recovery: Replicate VMs and orchestrate failover between regions
7. Cost Management
12. How can you control costs in Azure?
Use Budgets and alerts in Cost Management
Apply Azure Reservations for discounts
Use Azure Advisor for cost optimization suggestions
Behavioral / Scenario-Based
13. Describe a time you resolved a critical Azure service issue.
Tip: Use STAR format (Situation, Task, Action, Result) — mention tools like Log Analytics, Network
Watcher, or diagnostics.
14. How do you handle deploying changes to production in Azure?
Use deployment slots in App Services
Set up Infrastructure as Code using ARM/Bicep or Terraform
Test in staging, then swap to production