Exam AZ-104: Microsoft Azure Administrator – Skills

Measured

Audience Profile
Candidates for this exam should have subject matter expertise implementing, managing, and
monitoring an organization’s Microsoft Azure environment.

Responsibilities for an Azure Administrator include implementing, managing, and monitoring

identity, governance, storage, compute, and virtual networks in a cloud environment, plus
provision, size, monitor, and adjust resources, when needed.

An Azure Administrator often serves as part of a larger team dedicated to implementing your
organization's cloud infrastructure.

A candidate for this exam should have at least six months of hands-on experience administering
Azure, along with a strong understanding of core Azure services, Azure workloads, security, and
governance. In addition, this role should have experience using PowerShell, Azure CLI, Azure
portal, and Azure Resource Manager templates.

Skills Measured
NOTE: The bullets that appear below each of the skills measured are intended to illustrate how
we are assessing that skill. This list is not definitive or exhaustive.

NOTE: In most cases, exams do NOT cover preview features, and some features will only be
added to an exam when they are GA (General Availability).

Manage Azure identities and governance (15-20%)

Manage Azure AD objects

 create users and groups

 manage user and group properties
 manage device settings
 perform bulk user updates
 manage guest accounts
 configure Azure AD Join
 configure self-service password reset
 NOT: Azure AD Connect; PIM

Manage role-based access control (RBAC)

  create a custom role
 provide access to Azure resources by assigning roles
o subscriptions
o resource groups
o resources (VM, disk, etc.)
 interpret access assignments
 manage multiple directories

Manage subscriptions and governance

 configure Azure policies

 configure resource locks
 apply tags
 create and manage resource groups
o move resources
o remove RGs
 manage subscriptions
 configure Cost Management
 configure management groups

Implement and manage storage (10-15%)

Manage storage accounts

 configure network access to storage accounts

 create and configure storage accounts
 generate shared access signature
 manage access keys
 implement Azure storage replication
 configure Azure AD Authentication for a storage account

Manage data in Azure Storage

 export from Azure job

 import into Azure job
 install and use Azure Storage Explorer
 copy data by using AZCopy

Configure Azure files and Azure blob storage

 create an Azure file share

 create and configure Azure File Sync service
 configure Azure blob storage
  configure storage tiers for Azure blobs

Deploy and manage Azure compute resources (25-30%)

Configure VMs for high availability and scalability

 configure high availability

 deploy and configure scale sets

Automate deployment and configuration of VMs

 modify Azure Resource Manager (ARM) template

 configure VHD template
 deploy from template
 save a deployment as an ARM template
 automate configuration management by using custom script extensions

Create and configure VMs

 configure Azure Disk Encryption

 move VMs from one resource group to another
 manage VM sizes
 add data discs
 configure networking
 redeploy VMs

Create and configure containers

 create and configure Azure Kubernetes Service (AKS)

 create and configure Azure Container Instances (ACI)
 NOT: selecting an container solution architecture or product; container registry settings

Create and configure Web Apps

 create and configure App Service

 create and configure App Service Plans
 NOT: Azure Functions; Logic Apps; Event Grid

Configure and manage virtual networking (30-35%)

Implement and manage virtual networking

 create and configure VNET peering

  configure private and public IP addresses, network routes, network interface, subnets,
and virtual network

Configure name resolution

 configure Azure DNS

 configure custom DNS settings
 configure a private or public DNS zone

Secure access to virtual networks

 create security rules

 associate an NSG to a subnet or network interface
 evaluate effective security rules
 deploy and configure Azure Firewall
 deploy and configure Azure Bastion Service
 NOT: Implement Application Security Groups; DDoS

Configure load balancing

 configure Application Gateway

 configure an internal load balancer
 configure load balancing rules
 configure a public load balancer
 troubleshoot load balancing
 NOT: Traffic Manager and FrontDoor and PrivateLink

Monitor and troubleshoot virtual networking

 monitor on-premises connectivity

 use Network Performance Monitor
 use Network Watcher
 troubleshoot external networking
 troubleshoot virtual network connectivity

Integrate an on-premises network with an Azure virtual network

 create and configure Azure VPN Gateway

 create and configure VPNs
 configure ExpressRoute
 configure Azure Virtual WAN

Monitor and back up Azure resources (10-15%)

Monitor resources by using Azure Monitor

 configure and interpret metrics

o analyze metrics across subscriptions
 configure Log Analytics
o implement a Log Analytics workspace
o configure diagnostic settings
 query and analyze logs
o create a query
o save a query to the dashboard
o interpret graphs
 set up alerts and actions
o create and test alerts
o create action groups
o view alerts in Azure Monitor
o analyze alerts across subscriptions
 configure Application Insights
 NOT: Network monitoring

Implement backup and recovery

 configure and review backup reports

 perform backup and restore operations by using Azure Backup Service
 create a Recovery Services Vault
o use soft delete to recover Azure VMs
 create and configure backup policy
 perform site-to-site recovery by using Azure Site Recovery
 NOT: SQL or HANA
 AZ-103/104 Comparison
Microsoft Azure Administrator
Current Skills Measured as of January
15, 2020
Audience Profile
Candidates for this exam are Azure
Administrators who manage cloud services
that span storage, security, networking, and
compute cloud capabilities. Candidates have a
deep understanding of each service across the
full IT lifecycle, and take requests for
infrastructure services, applications, and
environments. They make recommendations
on services to use for optimal performance
and scale, as well as provision, size, monitor,
and adjust resources as appropriate.
Candidates for this exam should have
proficiency in using PowerShell, the Command
Line Interface, Azure Portal, ARM templates,
operating systems, virtualization, cloud
infrastructure, storage structures, and
networking.
1. Manage Azure subscriptions and
resources (15-20%)
1.1 Manage Azure subscriptions
Assign administrator permissions;
configure cost center quotas and tagging;
configure policies at Azure subscription
level
1.2 Analyze resource utilization and
consumption
Updated Skills Measured List (ignore
the numbering below)
Audience Profile
The Azure Administrator implements,
manages, and monitors identity, governance,
storage, computevirtual machines, and virtual
networks in a cloud environment. This role
focuses primarily on enabling Infrastructure as
a Service (IaaS). The Azure Administrator will
provision, size, monitor, and adjust resources
as appropriate.
Candidates should have a minimum of six
months of hands-on experience
administering Azure. Candidates should
have a strong understanding of core Azure
services, Azure workloads, security, and
governance. Candidates for this exam
should have experience in using
PowerShell, the Command Line Interface,
Azure Portal, and ARM templates.
6. Manage Azure Identities and
Governance (15-20%)
6.1 Manage Azure AD objects
 create users and groups
 manage user and group properties
 manage device settings
 perform bulk user updates
 manage guest accounts
 configure Azure AD Join
 configure self-service password reset
 Configure diagnostic settings on resources;
create baseline for resources; create and
test alerts; analyze alerts across
subscription; analyze metrics across
subscription; create action groups and
action rules; monitor for unused resources;
monitor spend; report on spend; utilize log
queries in Azure Monitor; view alerts in
Azure Monitor
1.3 Manage resource groups
Use Azure policies for resource groups;
configure resource locks; configure
resource policies; implement and set
tagging on resource groups; move
resources across resource groups; remove
resource groups
1.4 Managed role based access control
(RBAC)
May include but is not limited to: Create a
custom role, configure access to Azure
resources by assigning roles, configure
management access to Azure, troubleshoot
RBAC, implement RBAC policies, assign
RBAC Roles
2. Implement and manage storage (15-
20%)
2.1 Create and configure storage
accounts
Configure network access to the storage
account; create and configure storage
account; generate shared access signature;
install and use Azure Storage Explorer;
manage access keys; monitor activity log
by using Monitor Logs; implement Azure
storage replication; Implement Azure AD
Authentication, manage blob storage
lifecycle management
 NOT: Azure AD Connect; PIM
6.2 Manage role-based access control
(RBAC)
 create a custom role
 provide access to Azure resources by
assigning roles
o subscriptions
o resource groups
o resources (VM, disk, etc.)
 interpret access assignments
 manage multiple directories
6.3 Manage subscriptions and
governance
 configure Azure policies
 configure resource locks
 apply tags
 create and manage resource groups
o move resources
o remove RGs
 manage subscriptions
 configure Cost Management
 configure management groups
7. Implement and Manage Storage (10-
15%)
7.1 Manage storage accounts
 configure network access to storage
accounts
 create and configure storage accounts
 generate shared access signature
 manage access keys
 implement Azure storage replication
 configure Azure AD Authentication for
a storage account
7.2 Manage data in Azure Storage
 2.2 Import and export data to Azure
Create export from Azure job; create
import into Azure job; configure and use
Azure blob storage; configure Azure
content delivery network (CDN) endpoints
2.3 Configure Azure files
Create Azure file share; create Azure File
Sync service; create Azure sync group;
troubleshoot Azure File Sync
2.4 Implement Azure backup
Configure and review backup reports;
perform backup operation; create Recovery
Services Vault; create and configure
backup policy; perform a restore operation
3. Deploy and manage virtual machines
(VMs) (15-20%)
3.1 Create and configure a VM for
Windows and Linux
Configure high availability; configure
monitoring, networking, storage, and
virtual machine size; deploy and configure
scale sets
3.2 Automate deployment of VMs
Modify Azure Resource Manager (ARM)
template; configure location of new VMs;
configure VHD template; deploy from
template; save a deployment as an ARM
template; deploy Windows and Linux VMs
3.3 Manage Azure VM
Add data discs; add network interfaces;
automate configuration management by
using PowerShell Desired State
Configuration (DSC) and VM Agent by
using custom script extensions; manage
 export from Azure job
 import into Azure job
 install and use Azure Storage Explorer
 copy data by using AZCopy
7.3 Configure Azure files and Azure blob
storage
 create an Azure file share
 create and configure Azure File Sync
service
 configure Azure blob storage
 configure storage tiers for Azure blobs
8. Deploy and Manage Azure Compute
Resources (25-30%)
8.1 Configure VMs for high availability
and scalability
 configure high availability
 deploy and configure scale sets
8.2 Automate deployment and
configuration of VMs
 modify Azure Resource Manager (ARM)
template
 configure VHD template
 deploy from template
 save a deployment as an ARM template
 automate configuration management
by using custom script extensions
8.3 Create and configure VMs
 configure Azure Disk Encryption
 move VMs from one resource group to
another
 VM sizes; move VMs from one resource
group to another; redeploy VMs
3.4 Manage VM backups
Configure VM backup; define backup
policies; implement backup policies;
perform VM restore; soft delete for Azure
VMs; Azure Site Recovery
4. Configure and manage virtual
networks (30-35%)
4.1 Create connectivity between virtual
networks
Create and configure VNET peering; create
and configure VNET to VNET connections;
verify virtual network connectivity; create
virtual network gateway
4.2 Implement and manage virtual
networking
Configure private and public IP addresses,
network routes, network interface, subnets,
and virtual network
4.3 Configure name resolution
Configure Azure DNS; configure custom
DNS settings; configure private and public
 manage VM sizes
 add data discs
 configure networking
 redeploy VMs
8.4 Create and configure containers
 create and configure Azure Kubernetes
Service (AKS)
 create and configure Azure Container
Instances (ACI)
 NOT: selecting an container solution
architecture or product; container
registry settings
8.5 Create and configure Web Apps
 create and configure App Service
 create and configure App Service Plans
 NOT: Azure Functions; Logic Apps;
Event Grid
9. Configure and Manage Virtual
Networking (30-35%)
9.1 Implement and manage virtual
networking
 create and configure VNET peering
 configure private and public IP
addresses, network routes, network
interface, subnets, and virtual network
9.2 Configure name resolution
 configure Azure DNS
 configure custom DNS settings
 configure a private or public DNS zone
9.3 Secure access to virtual networks
 create security rules
 associate an NSG to a subnet or
 DNS zones
4.4 Create and configure a Network
Security Group (NSG)
Create security rules; associate NSG to a
subnet or network interface; identify
required ports; evaluate effective security
rules
4.5 Implement Azure load balancer
May include but is not limited to: Configure
internal load balancer, configure load
balancing rules, configure public load
balancer, troubleshoot load balancing
4.6 Monitor and troubleshoot virtual
networking
May include but is not limited to: Monitor
on-premises connectivity, use Network
resource monitoring, use Network
Watcher, troubleshoot external networking,
troubleshoot virtual network connectivity
4.7 Integrate on premises network with
Azure virtual network
May include but is not limited to: Create
and configure Azure VPN Gateway, create
and configure site to site VPN, configure
Express Route, verify on premises
connectivity, troubleshoot on premises
connectivity with Azure
5. Manage identities (15-20%)
5.1 Manage Azure Active Directory (AD)
Add custom domains; Azure AD Join;
configure self-service password reset;
network interface
 evaluate effective security rules
 deploy and configure Azure Firewall
 deploy and configure Azure Bastion
Service
 NOT: Implement Application Security
Groups; DDoS
9.4 Configure load balancing
 configure Application Gateway
 configure an internal load balancer
 configure load balancing rules
 configure a public load balancer
 troubleshoot load balancing
 NOT: Traffic Manager and FrontDoor
and PrivateLink
9.5 Monitor and troubleshoot virtual
networking
 monitor on-premises connectivity
 use Network resource monitoring
 use Network Watcher
 troubleshoot external networking
 troubleshoot virtual network
connectivity
9.6 Integrate an on-premises network
with an Azure virtual network
 create and configure Azure VPN
Gateway
 create and configure VPNs
 configure ExpressRoute
 configure Azure Virtual WAN
[NO EQUIVALENT --- SEE NEW FG 5 BELOW]
manage multiple directories

5.2 Manage Azure AD objects (users,

groups, and devices)

Create users and groups; manage user and

group properties; manage device settings;
perform bulk user updates; manage guest
accounts

5.3 Implement and manage hybrid

identities

Install Azure AD Connect, including

password hash and pass-through
synchronization; use Azure AD Connect to
configure federation with on-premises
Active Directory Domain Services (AD DS);
manage Azure AD Connect; manage
password sync and password writeback

5.4 Implement multi-factor

authentication (MFA)

May include but is not limited to: Configure

user accounts for MFA, enable MFA by
using bulk update, configure fraud alerts,
configure bypass options, configure
Trusted IPs, configure verification methods
10. Monitor and back up Azure
resources (10-15%)

10.1 Monitor resources by using Azure

Monitor

 configure and interpret metrics

o analyze metrics across
subscriptions
 configure Log Analytics
o implement a Log Analytics
workspace
o configure diagnostic settings
 query and analyze logs
o create a query
 o save a query to the dashboard
o interpret graphs
 set up alerts and actions
o create and test alerts
o create action groups
o view alerts in Azure Monitor
o analyze alerts across subscriptions
 configure Application Insights
 NOT: Network monitoring

10.2 Implement backup and recovery

 configure and review backup reports

 perform backup and restore operations
by using Azure Backup Service
 create a Recovery Services Vault
o use soft delete to recover Azure
VMs
 create and configure backup policy
 perform site-to-site recovery by using
Azure Site Recovery
 NOT: SQL or HANA