AZ-104 Microsoft Azure Administrator Interview Guide

Section 1: Azure Identities and Governance (20-25%) ▼

Q1: What is Microsoft Entra ID and how does it differ from traditional Active Directory? ▼

Microsoft Entra ID (formerly Azure AD) is a cloud-based identity and access management service. Unlike traditional Active Directory which is on-premises and uses LDAP/Kerberos, Microsoft Entra ID is cloud-native, uses modern protocols like OAuth 2.0/SAML, and is designed for internet-scale applications and SaaS integration.

Q2: How do you create and manage users in Microsoft Entra ID? ▼

Users can be created through:

Azure Portal (single or bulk creation)
PowerShell using New-AzureADUser cmdlet
Azure CLI using az ad user create
Microsoft Graph API
Synchronized from on-premises AD using Azure AD Connect
Invited as guest users (B2B collaboration)

Q3: What are the different types of groups in Microsoft Entra ID? ▼

Security Groups: Used for managing access to resources
Microsoft 365 Groups: Provide collaboration services (email, SharePoint, Teams)
Assignment Types: Assigned (manual membership) or Dynamic (rule-based membership)

Q4: Explain Self-Service Password Reset (SSPR) in Azure. ▼

SSPR allows users to reset their own passwords without IT intervention. Key features:

Authentication methods: Phone, email, security questions, Microsoft Authenticator
Requires Azure AD Premium P1 or P2 license
Can be configured with password writeback to sync with on-premises AD
Administrators can configure minimum number of authentication methods required

Q5: What are managed identities in Azure? ▼

Managed identities provide Azure services with automatically managed credentials in Microsoft Entra ID:

System-assigned: Tied to a specific Azure resource lifecycle
User-assigned: Independent identity that can be assigned to multiple resources
Eliminates need to store credentials in code

Q6: What are the built-in Azure roles and their hierarchy? ▼

Owner: Full access including ability to delegate access
Contributor: Can create and manage resources but cannot grant access
Reader: View-only access to resources
User Access Administrator: Can manage user access to Azure resources

Q7: At what scopes can you assign RBAC roles? ▼

RBAC roles can be assigned at four scopes (hierarchical):

Management Group: Highest level, applies to multiple subscriptions
Subscription: Applies to all resource groups in subscription
Resource Group: Applies to all resources in the group
Resource: Individual resource level

Q8: How do you interpret access assignments in Azure? ▼

Access assignments consist of:

Security Principal: Who (user, group, service principal, managed identity)
Role Definition: What permissions
Scope: Where the permissions apply
Assignments are additive (permissions accumulate)
Deny assignments (Azure Blueprints) override allow assignments

Q9: What is Azure Policy and how does it work? ▼

Azure Policy is a governance service that enforces organizational standards:

Policy Definitions: Rules to evaluate resource compliance
Policy Initiatives: Groups of related policies
Effects: Deny, Audit, Append, DeployIfNotExists, Modify, Disabled
Assignments: Apply policies at specific scopes
Evaluated during resource creation/update and periodic compliance scans

Q10: What are resource locks in Azure? ▼

Resource locks prevent accidental deletion or modification:

CanNotDelete (Delete lock): Allows read and modify but prevents deletion
ReadOnly: Allows only read operations
Locks are inherited by child resources
Even owners need to remove locks before performing restricted operations

Q11: How do you implement tagging strategy in Azure? ▼

Tags are metadata key-value pairs:

Maximum 50 tags per resource
Tag names are case-insensitive, values are case-sensitive
Common uses: Cost allocation, environment identification, owner tracking
Can be enforced through Azure Policy
Some tags can be inherited using Azure Policy

Q12: What are Management Groups in Azure? ▼

Management Groups provide enterprise-scale governance:

Hierarchical structure above subscriptions
Maximum 6 levels of depth (excluding root and subscription)
Enable governance at scale (policies, RBAC)
Root management group created automatically
All subscriptions inherit settings from parent management groups

Q13: How do you manage Azure costs and budgets? ▼

Cost Management + Billing: Track and analyze spending
Budgets: Set spending limits with alerts at threshold percentages
Azure Advisor: Provides cost optimization recommendations
Reservations: Pre-purchase compute capacity for discounts
Auto-shutdown: Schedule VM shutdowns to save costs
Tags: Track costs by department, project, or environment

Section 2: Azure Storage (15-20%) ▼

Q14: What are the different types of Azure Storage accounts? ▼

General-purpose v2 (GPv2): Recommended for most scenarios
General-purpose v1 (GPv1): Legacy, fewer features
BlockBlobStorage: Premium performance for block blobs
FileStorage: Premium files-only storage accounts
BlobStorage: Legacy blob-only accounts

Q15: Explain Azure Storage redundancy options. ▼

LRS (Locally Redundant Storage): 3 copies in single datacenter
ZRS (Zone-Redundant Storage): 3 copies across availability zones
GRS (Geo-Redundant Storage): LRS + 3 copies in paired region
GZRS (Geo-Zone-Redundant Storage): ZRS + 3 copies in paired region
RA-GRS/RA-GZRS: Read-access to secondary region

Q16: What are Storage Account access tiers? ▼

Hot: Frequently accessed data, higher storage cost, lower access cost
Cool: Infrequently accessed data (30+ days), lower storage cost, higher access cost
Archive: Rarely accessed data (180+ days), lowest storage cost, highest access cost
Archive tier requires rehydration before access (hours)

Q17: How do you secure access to Storage Accounts? ▼

Access Keys: Shared keys providing full access (rotate regularly)
Shared Access Signatures (SAS): Delegated access with specific permissions
- Account SAS: Access to multiple services
- Service SAS: Access to specific service
- User Delegation SAS: Secured with Azure AD credentials
Stored Access Policies: Reusable SAS parameters
Azure AD Integration: For Blob and Queue services
Firewalls and Virtual Networks: IP and network restrictions
Private Endpoints: Access through private IP

Q18: What is Azure Storage encryption? ▼

Encryption at Rest: Always enabled, 256-bit AES encryption
Encryption in Transit: HTTPS/TLS required
Customer-Managed Keys (CMK): Using Azure Key Vault
Infrastructure Encryption: Double encryption at infrastructure level
Client-side Encryption: Encrypt before sending to Azure

Q19: What are the different blob types in Azure? ▼

Block Blobs: For text and binary data, up to 190.7 TiB
Append Blobs: Optimized for append operations (logs)
Page Blobs: For random read/write, up to 8 TiB (VHDs)

Q20: Explain Blob Storage lifecycle management. ▼

Automated policies to transition or delete blobs based on:

Last modified date
Last accessed date (requires access tracking)
Actions: Transition to cool/archive, delete blob/snapshots
Filters by blob type, prefix, or index tags
Runs once daily

Q21: What is Blob versioning? ▼

Automatically maintains previous versions of blobs
Each version has unique version ID
Protects against accidental deletes/overwrites
Can be enabled at storage account level
Works with soft delete for enhanced protection

Q22: What is soft delete for blobs? ▼

Retains deleted data for specified period (1-365 days)
Deleted blobs marked but not immediately removed
Can be restored during retention period
Available for blobs and containers
Protects against accidental deletion

Q23: What is Azure Files and its key features? ▼

Fully managed file shares in the cloud
SMB 3.0 and NFS protocols support
Can be mounted on Windows, Linux, macOS
Features:
- Azure File Sync for hybrid scenarios
- Snapshots for point-in-time recovery
- Soft delete protection
- Identity-based authentication with AD/Azure AD

Q24: What are the performance tiers for Azure Files? ▼

Standard: HDD-based, cost-effective
Premium: SSD-based, consistent low latency
Transaction Optimized: For transaction-heavy workloads
Hot: Frequently accessed files
Cool: Archival storage

Q25: How does Azure File Sync work? ▼

Synchronizes files between Azure Files and on-premises servers
Cloud tiering frees local storage space
Multi-site access and sync
Rapid disaster recovery
Cloud backup integration

Section 3: Azure Compute Resources (20-25%) ▼

Q26: What are Azure VM sizes and families? ▼

B-series: Burstable, for variable workloads
D-series: General purpose, balanced CPU-to-memory
E-series: Memory optimized (high memory-to-CPU ratio)
F-series: Compute optimized (high CPU-to-memory ratio)
M-series: Memory optimized for large databases
N-series: GPU-enabled for AI/ML workloads

Q27: What are Availability Zones and Availability Sets? ▼

Availability Zones: Physically separate datacenters within a region

99.99% SLA for VMs
Protects against datacenter failure

Availability Sets: Logical grouping within a datacenter

99.95% SLA for VMs
Update Domains (UD): For planned maintenance
Fault Domains (FD): For unplanned hardware failures

Q28: How do you implement Azure Disk Encryption? ▼

Uses BitLocker (Windows) or DM-Crypt (Linux)
Requires Azure Key Vault for key storage
Supports managed disks
Can encrypt OS and data disks
Prerequisites: Key Vault and VM in same region
PowerShell: Set-AzVMDiskEncryptionExtension

Q29: What are Managed Disks in Azure? ▼

Azure-managed storage for VM disks. Types:

Ultra Disk: Highest performance, sub-millisecond latency
Premium SSD: High performance, production workloads
Standard SSD: Cost-effective for web servers
Standard HDD: Lowest cost for dev/test
Integrated with availability sets/zones
Snapshot and image support
Disk encryption support

Q30: Explain VM Scale Sets. ▼

Deploy and manage identical VMs as a set. Auto-scaling based on metrics or schedule. Features:

Automatic OS and application updates
Load balancer or Application Gateway integration
Availability zone support
Large scale: up to 1000 VMs (custom image) or 600 (platform image)
Health monitoring and automatic repairs

Q31: What are ARM templates? ▼

JSON files defining infrastructure and configuration with declarative syntax. Components:

Parameters: Input values
Variables: Reusable values
Resources: Azure resources to deploy
Outputs: Return values
Idempotent deployments
Support for dependencies and deployment order

Q32: What is Bicep and how does it compare to ARM templates? ▼

Domain-specific language (DSL) for Azure deployments. Advantages over ARM:

Simpler syntax
Better type safety
Modularity with modules
No state management required
Transpiles to ARM templates
First-class VS Code support

Q33: What are the deployment modes for ARM templates? ▼

Incremental Mode (default): Adds/updates resources, doesn't delete
Complete Mode: Deletes resources not in template
Validation before deployment
What-if operations to preview changes
Deployment history tracking

Q34: What is Azure Container Registry (ACR)? ▼

Managed Docker registry service. Tiers: Basic, Standard, Premium. Features:

Geo-replication (Premium)
Content trust for image signing
Webhook integration
Azure AD authentication
Helm chart repository

Q35: Compare Azure Container Instances and Azure Container Apps. ▼

Azure Container Instances (ACI):

Serverless containers
Fast startup (seconds)
Per-second billing
Single container focus
Good for batch jobs, CI/CD

Azure Container Apps:

Serverless container platform
Built on Kubernetes
Automatic scaling (including to zero)
Microservices and web apps
Built-in traffic splitting
DAPR integration

Q36: How do you manage container scaling? ▼

For ACI:

Manual scaling through container groups
CPU and memory limits per container

For Container Apps:

Automatic scaling based on:
- HTTP traffic
- CPU/Memory usage
- Custom metrics
- Event-driven (KEDA)
Min/max replica configuration

Q37: What are App Service Plans? ▼

Compute resources for web apps. Tiers:

Free/Shared: Dev/test, shared infrastructure
Basic: Dedicated, no auto-scale
Standard: Production, auto-scale, staging slots
Premium: Enhanced performance, more slots
Isolated: Dedicated environment
Resources: CPU, memory, storage, features
Can host multiple apps in same plan

Q38: What are deployment slots in App Service? ▼

Live apps with separate hostnames
Staging environments for testing
Features:
- Swap with production (zero downtime)
- Auto-swap capability
- Traffic routing (canary deployment)
- Configuration elements can be slot-specific
Available in Standard tier and above

Q39: How do you configure custom domains and SSL/TLS? ▼

Custom Domains:

Add CNAME or A record in DNS
Validate domain ownership
Map to app service

SSL/TLS:

App Service Certificates
Import existing certificates
Free managed certificates for custom domains
SNI SSL or IP-based SSL
Minimum TLS version configuration

Q40: What backup options exist for App Service? ▼

Automatic backups (retained for 30 days)
On-demand backups
Scheduled backups
Backup includes:
- App configuration
- File content
- Connected database (optional)
Stored in Azure Storage account
Restore to same or different app

Section 4: Virtual Networking (15-20%) ▼

Q41: What are Virtual Networks (VNets) in Azure? ▼

Isolated network boundary in Azure
IPv4 and IPv6 support
Address space: Private IP ranges (RFC 1918)
Features:
- Subnets for segmentation
- Communication between Azure resources
- Internet connectivity
- On-premises connectivity
- Traffic filtering and routing

Q42: Explain VNet Peering. ▼

Connects VNets seamlessly. Types:

Regional: Same region
Global: Cross-region

Characteristics:

Non-transitive (must peer each VNet pair)
Low latency, high bandwidth
Cross-subscription support
No downtime during creation
Gateway transit for hub-spoke topology

Q43: What are Service Endpoints and Private Endpoints? ▼

Service Endpoints:

Direct connectivity to Azure services
Traffic remains on Azure backbone
Service-level access control
No private IP for service

Private Endpoints:

Private IP in your VNet for Azure service
Eliminates public internet exposure
DNS integration required
More secure than service endpoints
Cross-region support

Q44: How do User-Defined Routes (UDRs) work? ▼

Override Azure's default routing
Route tables contain routes
Next hop types:
- Virtual Network Gateway
- Virtual Network
- Internet
- Network Virtual Appliance
- None (drop traffic)
Applied to subnets
Priority: UDR > BGP > System

Q45: Explain Network Security Groups (NSGs). ▼

Filter network traffic to/from Azure resources. Contain security rules with:

Priority (100-4096)
Source/destination (IP, service tag, ASG)
Protocol (TCP, UDP, ICMP, Any)
Port ranges
Action (Allow/Deny)
Default rules cannot be deleted
Applied to subnets or NICs
Stateful (return traffic automatically allowed)

Q46: What are Application Security Groups (ASGs)? ▼

Logical grouping of VMs for NSG rules
Simplifies security rule management
No IP address management
Allows grouping by application role
Dynamic membership through NIC assignment
Same region as NSG

Q47: What is Azure Bastion? ▼

Managed PaaS service for secure RDP/SSH. Benefits:

No public IP on VMs
HTML5 browser-based access
SSL/TLS protection
NSG integration
No bastion host management
Deployment at VNet level
Standard SKU supports multiple sessions

Q48: How does Azure Firewall differ from NSGs? ▼

NSGs:

Layer 3-4 filtering
Distributed per subnet/NIC
Basic allow/deny rules
No threat intelligence

Azure Firewall:

Layer 3-7 filtering
Centralized service
FQDN filtering
Threat intelligence
NAT rules
Application rules
Network rules

Q49: What are Azure DNS capabilities? ▼

Host DNS domains
Public and Private DNS zones
Record types: A, AAAA, CNAME, MX, PTR, SOA, SRV, TXT
Features:
- Alias records for Azure resources
- Traffic Manager integration
- Azure AD authentication
- Activity logs and metrics
- DNS zones delegation

Q50: Compare Azure Load Balancer types. ▼

Public Load Balancer:

Internet-facing
Maps public IP to private IP
Outbound connectivity for VMs

Internal Load Balancer:

Private IP only
Within VNet or hybrid scenarios
No internet exposure

SKUs:

Basic: Free, limited features
Standard: Paid, zone-redundant, SLA, diagnostics

Q51: What are Load Balancer health probes? ▼

Monitor backend pool endpoints. Types:

HTTP/HTTPS: Custom probe path
TCP: Port connectivity

Configuration:

Interval: Frequency of probes
Timeout: Response wait time
Unhealthy threshold: Failed probes before unhealthy
Determines traffic routing

Q52: How do you troubleshoot network connectivity issues? ▼

Tools and methods:

Network Watcher:
- IP flow verify
- Next hop analysis
- Connection troubleshoot
- Packet capture
- VPN troubleshoot
Connection Monitor: Continuous monitoring
NSG flow logs: Traffic analysis
Diagnostic logs: Resource-level logging
Azure Monitor insights: Performance metrics

Section 5: Monitoring and Maintenance (10-15%) ▼

Q53: What are the components of Azure Monitor? ▼

Data Sources: Applications, VMs, Azure resources, subscriptions, tenants
Data Types:
- Metrics: Time-series numerical data
- Logs: Structured query data
Analysis Tools:
- Metrics Explorer
- Log Analytics
- Application Insights
- Workbooks
Responses: Alerts, Autoscale, Export

Q54: How do you create and configure alerts? ▼

Components:

Alert Rules:
- Target resource
- Signal (metric/log)
- Criteria/threshold
- Frequency
Action Groups:
- Email/SMS/Push/Voice
- Azure Functions
- Logic Apps
- Webhooks
- ITSM
Alert Processing Rules: Suppress or modify alerts
Severity Levels: 0 (Critical) to 4 (Verbose)

Q55: What are Log Analytics workspaces? ▼

Central repository for log data. Features:

KQL (Kusto Query Language) for queries
Data retention configuration (31-730 days)
Data collection rules
Access control (workspace/resource level)
Cost management through commitment tiers

Q56: Explain Azure Monitor Insights. ▼

Specialized monitoring experiences:

VM Insights: Performance, dependencies, health
Container Insights: AKS and container monitoring
Network Insights: Network health and metrics
Storage Insights: Capacity, performance, availability
Pre-built workbooks and dashboards
Recommended alerts

Q57: What is Recovery Services vault? ▼

Stores backup data and recovery points. Supports:

Azure VMs
SQL/SAP in Azure VMs
Azure Files
On-premises workloads

Features:

Soft delete protection
Cross-region restore
Encryption at rest
RBAC support

Q58: What is Azure Backup vault? ▼

Next-generation backup storage. Supports:

Azure Disks
Azure Database for PostgreSQL
Azure Blobs (operational backup)

Differences from Recovery Services:

Modern architecture
Improved performance
Better integration with Azure services

Q59: How do backup policies work? ▼

Configuration elements:

Schedule: Frequency and time
Retention: How long to keep backups
- Daily/Weekly/Monthly/Yearly points
Instant Restore: Snapshots for quick recovery
Backup types:
- Full: Complete backup
- Incremental: Changes only
- Differential: Changes since last full

Q60: What is Azure Site Recovery? ▼

Disaster recovery service. Capabilities:

Azure-to-Azure replication
On-premises-to-Azure
Cross-region failover

Features:

RPO (Recovery Point Objective): Typically 5 minutes
RTO (Recovery Time Objective): Minutes
Application-consistent snapshots
Failover testing without production impact
Customizable recovery plans

Q61: What are Azure Advisor recommendations? ▼

Categories:

Reliability: Improve availability
Security: Enhance security posture
Performance: Increase speed
Cost: Reduce spending
Operational Excellence: Best practices
Personalized, actionable recommendations
Impact levels: High, Medium, Low

Q62: How do you implement cost optimization? ▼

Strategies:

Right-sizing: Match resources to actual needs
Reserved Instances: 1 or 3-year commitments
Spot VMs: For interruptible workloads
Auto-shutdown: Schedule VM shutdowns
Azure Hybrid Benefit: Use existing licenses
Delete unused resources: Regular cleanup
Storage tiering: Move to appropriate tiers

Q63: What are common troubleshooting approaches for Azure resources? ▼

Resource Health: Service availability status
Activity Logs: Administrative operations
Diagnostic Settings: Stream logs to storage/analytics
Metrics: Real-time performance data
Azure Status Page: Platform-wide issues
Support Plans: Technical support options

Q64: How do you ensure compliance in Azure? ▼

Azure Policy: Enforce standards
Azure Blueprints: Repeatable environment sets
Regulatory Compliance dashboard: Track compliance
Azure Security Center: Security posture management
Resource locks: Prevent accidental changes
Activity logs: Audit trail
Management groups: Hierarchical governance

Q65: What are monitoring best practices? ▼

Enable diagnostic settings for all resources
Centralize logs in Log Analytics
Create baseline metrics
Set up proactive alerts
Use tags for resource organization
Implement automated responses
Regular review of Advisor recommendations
Document monitoring procedures

Q66: A company needs to migrate 50 on-premises VMs to Azure. What's your approach? ▼

Assessment: Azure Migrate for discovery and assessment
Planning:
- Size recommendations
- Dependency mapping
- Cost estimation
Network design: Hub-spoke topology with ExpressRoute/VPN
Migration waves: Pilot, then phased migration
Methods:
- Azure Site Recovery for lift-and-shift
- Azure Database Migration Service for databases
Post-migration: Optimization, monitoring, backup configuration

Q67: Design a highly available web application architecture. ▼

Frontend: Application Gateway with WAF
Web tier: App Service with multiple instances
Application tier: VMs in availability zones
Database: Azure SQL with geo-replication
Storage: Blob storage with RA-GRS
Caching: Azure Redis Cache
Monitoring: Application Insights
DR: Traffic Manager for cross-region failover

Q68: How would you secure a multi-tier application? ▼

Network segmentation: Separate subnets per tier
NSGs: Restrict traffic between tiers
Azure Firewall: Centralized security
Private Endpoints: For PaaS services
Azure Bastion: Secure management access
Key Vault: Secret management
Managed Identities: No credentials in code
Azure Security Center: Threat protection

Q69: Implement a backup strategy for critical workloads. ▼

3-2-1 Rule: 3 copies, 2 different media, 1 offsite
Azure Backup: Primary backup solution
Retention policies: Daily (7), Weekly (4), Monthly (12), Yearly (10)
Cross-region backup: GRS storage
Testing: Regular restore tests
Monitoring: Alert on backup failures
Documentation: Recovery procedures

Q70: Design a cost-effective development environment. ▼

B-series VMs: Burstable performance
Auto-shutdown: Daily shutdown schedules
Dev/Test subscriptions: Reduced pricing
Spot instances: For non-critical workloads
Shared resources: Central services (AD, DNS)
Azure DevTest Labs: Automated environment management
Tags: Track costs by project/developer
Budgets and alerts: Prevent overspending

Q100: What should candidates focus on for AZ-104 exam success? ▼

Hands-on experience (labs)
Understanding concepts, not memorization
Resource relationships and dependencies
Cost implications of decisions
Security best practices
Troubleshooting methodology
PowerShell and CLI commands
ARM template structure
Networking fundamentals
Identity and access management

Interview Success Tips