Basket
{{item.CourseTitle}}
Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}
Browse by Topic
Browse by Vendor
Unlimited Training
Attend all the top-notch LIVE Instructor-led Courses you want for the price of less than one course.
Before the AZ-104 exam, Azure administrators need hands-on rehearsal of the portal tasks, validation habits, and operational judgement required to manage identity, governance, storage, compute, networking, and monitoring in Microsoft Azure.
The value of a checklist is not that it predicts the exam. Its value is that it exposes weak spots before exam day, especially where a learner understands a concept but hesitates in the Azure Portal. The AZ-104 exam measures administrative ability across services, so preparation should include building, changing, validating, troubleshooting, and cleaning up real resources.
Last updated for current Azure portal terminology: Azure Active Directory is now Microsoft Entra ID, and Azure Security Center capabilities are surfaced through Microsoft Defender for Cloud. Microsoft Learn remains the authoritative source for the AZ-104 skills outline, exam policies, and service-specific behaviour. This checklist uses current portal names while recognising that older study notes, forum posts, and lab scripts may still use previous product names.
A good AZ-104 practice environment should be small, consistent, and disposable. Use a sandbox, free trial, personal subscription, or approved company training subscription where test resources can be created safely. Choose one nearby region with available quota, use a predictable naming pattern, and apply tags such as purpose=az104-practice and owner=training to every resource so cleanup is straightforward.
Cost-safe preparation matters because Azure practice can create spend long after a lab session ends. Keep VM sizes modest, enable auto-shutdown, create a budget alert, and delete unused public IP addresses, managed disks, snapshots, gateways, and Log Analytics workspaces when they are no longer needed. A practical rhythm is to timebox each domain, record the resource group and resource names used, validate the result, then clean up before moving to the next domain.
Exam-lab conditions can also feel different from an open personal subscription. Performance-based tasks, when used, may involve constrained permissions, pre-provisioned resources, blocked internet access, or limited access to command-line tooling. Portal-first fluency is therefore important: the learner should know where to find identity, networking, storage, monitoring, and governance settings without relying on copied commands.
Command-line practice still has value. Azure CLI and Azure PowerShell often provide equivalent outcomes, but parameters, object names, default behaviour, and permission requirements differ. Administrators who want a structured comparison can use the protected Azure fundamentals path at Azure fundamentals training before moving into deeper administrator work; the important point for AZ-104 is to understand what the portal is doing and then recognise the matching command pattern.
Before starting the tasks, create a Log Analytics workspace for diagnostics practice and decide how logs will be validated. A common mistake is enabling diagnostic settings without first preparing a destination, assigning RBAC at the wrong scope, expecting NSG rules to override Azure Firewall behaviour, skipping DNS checks when using private endpoints, or assuming every resource can be moved between resource groups. These false negatives can make a correct configuration look broken.
The following checklist is intentionally operational. Each task should be performed in the Azure Portal first, then repeated with Azure CLI or Azure PowerShell where practical. Validation is part of the task, not an optional extra, because real administration depends on proving that a change worked.
| Task | Portal action | CLI or PowerShell equivalent | Validation and cleanup |
|---|---|---|---|
| 1. Create a resource group | Create a resource group in the chosen region and apply practice tags. | az group create or New-AzResourceGroup. |
Confirm the tags and region in the Overview blade. Delete the group only after dependent resources are no longer needed. |
| 2. Deploy a Windows VM | Create a small Windows VM with managed disks and controlled management access. | az vm create or New-AzVM. |
Confirm VM power state, NIC, disk, and boot diagnostics. Prefer Bastion or just-in-time access over leaving RDP open. |
| 3. Deploy a Linux VM | Create a Linux VM using SSH keys rather than password-only access. | az vm create --generate-ssh-keys or New-AzVM. |
Validate SSH reachability only through the chosen secure access method. Remove test public IPs if they are not needed. |
| 4. Resize a VM and change disk type | Stop or deallocate the VM if required, change size, and adjust disk performance tier where available. | az vm resize, az disk update, or Update-AzDisk. |
Check Activity Log for completion and confirm the new size and disk SKU. Return oversized test VMs to a low-cost size. |
| 5. Create a storage account | Create a general-purpose storage account with appropriate redundancy and secure transfer enabled. | az storage account create or New-AzStorageAccount. |
Confirm replication, networking, and minimum TLS settings. Delete empty accounts after storage tasks are complete. |
| 6. Create a blob container and upload a file | Create a private container and upload a small test file. | az storage container create, az storage blob upload, or Set-AzStorageBlobContent. |
Download the blob to verify access. Avoid hard-coded keys in notes or scripts; use temporary access methods where appropriate. |
| 7. Create an Azure file share and mount it | Create a file share and connect it to a VM using the portal-generated mount guidance. | az storage share-rm create or New-AzRmStorageShare. |
Create and read a test file from the VM. Unmount the share and remove test data before deleting the storage account. |
| 8. Configure storage replication | Change or select LRS, ZRS, GRS, or RA-GRS where supported. | az storage account update or Set-AzStorageAccount. |
Confirm the replication setting in Configuration. Check Microsoft Learn for regional and account-type availability. |
| 9. Configure SAS access | Create a narrowly scoped SAS for a blob or container with an expiry time. | az storage blob generate-sas or New-AzStorageBlobSASToken. |
Test access in a private browser session and then let the SAS expire or revoke the delegation path. |
| 10. Assign Azure Policy | Assign a built-in policy such as allowed locations at resource-group scope. | az policy assignment create or New-AzPolicyAssignment. |
Check compliance state after evaluation. Allow time for policy processing before assuming the result is wrong. |
| 11. Create a custom RBAC role | Define a limited custom role with specific actions and assignable scopes. | az role definition create or New-AzRoleDefinition. |
Review the role definition and scope. Remove unused custom roles to avoid confusion in later labs. |
| 12. Assign and remove RBAC roles | Grant access to a user, group, or managed identity at the correct scope. | az role assignment create/delete or New-AzRoleAssignment. |
Validate in Access control (IAM). RBAC propagation can take time, so use the Role assignments view and Activity Log before retesting. |
| 13. Configure resource locks | Add delete or read-only locks to a resource group or resource. | az lock create or New-AzResourceLock. |
Attempt the blocked action carefully to confirm behaviour. Remove locks before scripted cleanup. |
| 14. Move a resource between resource groups | Use the Move action after checking whether the resource type supports movement. | az resource move or Move-AzResource. |
Confirm dependencies and resource IDs after the move. Do not assume all resources, child resources, or linked services are movable. |
| 15. Configure a cost alert | Create a budget and alert threshold in Cost Management. | CLI and PowerShell support vary by billing scope; portal use is often clearer for practice. | Confirm the budget scope and alert recipients. Keep budgets in place until all practice is finished. |
| 16. Deploy an ARM template | Deploy a small template through Custom deployment. | az deployment group create or New-AzResourceGroupDeployment. |
Review deployment outputs and failures. Delete template-created resources with the same tag or resource group. |
| 17. Configure VM auto-shutdown | Enable auto-shutdown on test VMs and set a realistic local time. | Automation options exist, but the portal is the fastest validation path. | Confirm the schedule and notification setting. This is a cost-control task as much as a compute task. |
| 18. Configure VM backup and restore | Create a Recovery Services vault, enable backup, and perform a test restore where practical. | az backup commands or Azure PowerShell Recovery Services cmdlets. |
Check backup job status and restore points. Delete protected items and vaults carefully because vault cleanup has dependencies. |
| 19. Create and manage VM snapshots | Create a disk snapshot and review its storage type. | az snapshot create or New-AzSnapshot. |
Confirm snapshot creation and delete it after testing. Snapshots can create avoidable cost if forgotten. |
| 20. Apply and query tags | Apply consistent tags to resources and resource groups. | az tag, az resource tag, or Update-AzTag. |
Use Resource Graph or portal filters to find all az104-practice resources before cleanup. |
| 21. Create a virtual network and subnets | Create a VNet with at least two subnets for workload separation. | az network vnet create or New-AzVirtualNetwork. |
Confirm address ranges and subnet membership. Avoid overlapping address spaces if peering will be tested. |
| 22. Configure an NSG | Create inbound and outbound rules with clear priorities. | az network nsg rule create or New-AzNetworkSecurityRuleConfig. |
Use Effective security rules or IP Flow Verify. Remember that Azure Firewall, routes, and application rules can still affect traffic. |
| 23. Associate an NSG with a subnet or NIC | Attach the NSG at subnet or network-interface level. | az network vnet subnet update or Set-AzVirtualNetworkSubnetConfig. |
Confirm effective rules on the VM NIC. Remove duplicate test NSGs to reduce troubleshooting noise. |
| 24. Implement an Application Security Group | Create an ASG and associate VM NICs for rule targeting. | az network asg create and NIC update commands. |
Validate NSG rules that reference the ASG. Keep ASG membership simple during exam preparation. |
| 25. Assign a public IP to a VM | Create or associate a public IP with a NIC configuration. | az network public-ip create and az network nic ip-config update. |
Confirm the IP address and DNS label if used. Remove public IPs after testing and prefer Bastion or just-in-time access for admin sessions. |
| 26. Configure VNet DNS settings | Set Azure-provided or custom DNS servers on the VNet. | az network vnet update --dns-servers or Set-AzVirtualNetwork. |
Use nslookup from a VM to verify name resolution. Restart or renew network settings if the VM does not pick up changes immediately. |
| 27. Implement Azure Load Balancer | Create a backend pool, health probe, and load-balancing rule. | az network lb commands or Azure PowerShell load balancer cmdlets. |
Run an HTTP probe or repeated browser requests to confirm traffic distribution. Remove test backend VMs when finished. |
| 28. Configure VNet peering | Peer two VNets with non-overlapping address spaces. | az network vnet peering create or Add-AzVirtualNetworkPeering. |
Ping or test TCP connectivity where allowed by OS firewall and NSG rules. Delete both peering links during cleanup. |
| 29. Implement a VPN Gateway | Create a gateway subnet and deploy a VPN gateway configuration for a site-to-site scenario. | az network vnet-gateway commands or Azure PowerShell equivalents. |
Validate gateway provisioning state. Gateways can be slow and costly, so schedule this task deliberately and delete it promptly after practice. |
| 30. Use Network Watcher troubleshooting | Use IP Flow Verify, Next hop, and Connection troubleshoot. | az network watcher test-ip-flow or Network Watcher PowerShell cmdlets. |
Compare results with NSG rules and route tables. Save notes on the exact source, destination, port, and protocol tested. |
| 31. Create a Microsoft Entra ID user and group | Create a test user and security group in Microsoft Entra ID. | az ad user create, az ad group create, or Microsoft Graph PowerShell cmdlets. |
Confirm membership and sign-in properties. Delete test identities after RBAC and access tasks are complete. |
| 32. Configure MFA | Review authentication methods and enforce MFA through the appropriate tenant controls. | Microsoft Graph PowerShell may be required for some identity operations. | Test with a non-production user. Avoid locking out administrative accounts during practice. |
| 33. Configure Conditional Access | Create a policy targeting a test group and use report-only mode where available. | Microsoft Graph PowerShell is commonly used for automation. | Validate sign-in logs and policy impact before enforcing. Exclude break-glass accounts in real environments. |
| 34. Configure self-service password reset | Enable SSPR for a selected group and configure authentication methods. | Microsoft Graph PowerShell can support related directory settings. | Test with a training user. Revert tenant-wide changes if the subscription is shared. |
| 35. Review Defender for Cloud recommendations | Open Microsoft Defender for Cloud and review secure score, recommendations, and alerts. | az security commands or relevant Defender for Cloud PowerShell cmdlets where available. |
Record one recommendation and the resource it applies to. Avoid enabling paid plans unintentionally in a practice subscription. |
| 36. Create an Activity Log alert | Create an alert for an administrative action such as resource deletion. | az monitor activity-log alert create or New-AzActivityLogAlert. |
Trigger a safe test event and confirm the alert rule. Remove action groups that send unwanted notifications. |
| 37. Configure diagnostic settings | Send resource logs and metrics to Log Analytics. | az monitor diagnostic-settings create or New-AzDiagnosticSetting. |
Confirm data arrival in the workspace. Create the workspace first, and remember that some logs take time to appear. |
| 38. Run basic KQL queries | Use Logs in Azure Monitor or the Log Analytics workspace to query recent data. | KQL is run in the query experience rather than through standard CLI administration. | Use simple checks such as AzureActivity | take 10 or resource-specific tables. Practical validation beats reading query syntax alone. |
| 39. Configure Azure Firewall policy | Create a basic firewall policy and a simple application or network rule. | az network firewall policy commands or Azure PowerShell firewall policy cmdlets. |
Validate routing and rule processing with a controlled test. Do not expect NSG rules to override firewall routing decisions. |
| 40. Implement just-in-time VM access | Use Defender for Cloud to configure JIT access for VM management ports where supported. | Automation support depends on Defender for Cloud configuration and permissions. | Request access, confirm the temporary rule, and verify that exposure closes afterward. This is safer practice than leaving public RDP or SSH open. |
Many learners finish a portal task when the deployment succeeds, but Azure administration does not end at deployment. A resource can be created successfully and still be misconfigured, unreachable, noncompliant, or invisible to the expected identity. Every task should therefore end with a validation step that proves the intended outcome.
For networking, validation may be a ping, Test-NetConnection, nslookup, Network Watcher result, or HTTP probe depending on the service. For monitoring, it should include a simple KQL query in Log Analytics, not merely a diagnostic setting that appears enabled. For RBAC and policy, Activity Log, Access control (IAM), policy compliance state, and sign-in logs often explain why a change appears delayed.
Propagation delays deserve special attention. RBAC assignments, policy evaluation, diagnostic ingestion, DNS changes, and security recommendations may not behave instantly. In a lab, the correct response is to check the relevant status view, wait where appropriate, and retest with a precise action rather than changing several settings at once and losing the ability to identify the cause.
Structured training can be useful when this validation discipline is hard to build alone. The Microsoft Certified Azure Administrator course aligns naturally with AZ-104 because administrator skills depend on repeated configuration and troubleshooting, not passive review.
The Azure Portal is the safest starting point for final AZ-104 rehearsal because it exposes service relationships visually. It shows where a NIC belongs, which subnet an NSG is attached to, whether a resource has locks, and how diagnostic settings connect to a workspace. That visual model helps when a scenario asks what should be changed rather than what command should be typed.
Azure CLI and Azure PowerShell are still worth practising because administrators rarely manage cloud environments only by clicking. The main exam-readiness skill is not memorising every parameter; it is recognising which resource provider is involved, which scope is being changed, and which identity has permission to make the change. When commands fail, read the error carefully for scope, provider registration, naming, region, or quota problems.
Command parity is not perfect. Some Microsoft Entra ID and Conditional Access operations are better handled through Microsoft Graph PowerShell, while some governance, billing, and Defender for Cloud tasks are clearer in the portal. Microsoft Learn command references should be checked for the current module names and parameter behaviour, especially where older AzureRM examples still appear in search results.
AZ-104 learners often use a mix of Microsoft Learn, older blog posts, lab manuals, and video courses. The terminology mismatch can create unnecessary confusion. Azure AD now appears as Microsoft Entra ID in the portal, while many commands, API names, and older screenshots still include ad or Azure AD wording. The concept is identity and directory management; the current product name is Microsoft Entra ID.
Security Center is another common source of outdated language. The relevant portal experience is Microsoft Defender for Cloud, which surfaces recommendations, workload protection settings, secure score information, and just-in-time VM access depending on subscription configuration. Learners should recognise the older name but practise with the current portal route.
There is also a practical difference between recognising a renamed service and understanding its permissions. A learner may be able to find Microsoft Entra ID but still assign a role at the wrong scope, or may open Defender for Cloud without realising that some capabilities depend on plan settings. The best preparation is to write down the current portal path, the resource scope, and the validation method for each task.
Completing the 40 tasks gives a strong practical foundation, but it should not be treated as a guarantee of passing AZ-104. The exam can test judgement, sequencing, dependencies, least-privilege access, troubleshooting, and interpretation of scenario requirements. A learner who can complete a task only by following a script may still struggle when the task is embedded in a case study.
The strongest preparation combines the checklist with deliberate variation. Replace public IP administration with Bastion or just-in-time access, compare a basic load balancer scenario with Application Gateway for layer 7 routing concepts, test private endpoint name resolution, and practise reading Activity Log entries after failed deployments. These variations build the operational reasoning that multiple-choice study alone rarely develops.
AZ-104 also sits in a broader Microsoft certification path. Learners who still need cloud fundamentals can begin with Microsoft Azure Fundamentals preparation, while those aiming at design roles may later move toward Azure Solutions Architect training for AZ-305. Administrators whose work leans toward delivery pipelines or cloud security may find the Azure DevOps Engineer course or Azure Security Engineer course a logical next step after the administrator credential.
No checklist can guarantee an exam result. This one is designed to strengthen hands-on readiness by covering common administrator tasks, but learners should still review the current Microsoft Learn AZ-104 skills outline, practise scenario questions, and understand why each configuration works.
Portal-first practice is sensible near the exam because it builds familiarity with service locations, dependencies, and validation screens. CLI and PowerShell practice should follow so the learner can recognise automation equivalents, but command memorisation should not replace understanding of scope, permissions, and resource relationships.
Some Azure changes take time to propagate or ingest data. RBAC assignments, policy compliance, DNS updates, diagnostic logs, and Defender for Cloud recommendations may require a wait period, a new sign-in, or a fresh test event before the result appears.
Delete the resource groups, public IP addresses, disks, snapshots, gateways, backup vault contents, action groups, test identities, and Log Analytics workspaces that were created only for practice. Tags make this easier because the learner can filter for training resources before cleanup.
AZ-104 preparation should leave the learner comfortable with both the expected configuration path and the unexpected troubleshooting path. The practical standard is simple: create the resource, secure it appropriately, prove that it works, understand where to find evidence, and remove it safely when the exercise is complete.
A focused next step is to repeat the checklist under light time pressure, using only Microsoft Learn, the Azure Portal, and personal notes for validation commands. Readynez can support this stage with guided Azure Administrator training, but the core habit remains the same in any study plan: practise the work until the portal, permissions, logs, and cleanup process feel routine.
Get Unlimited access to ALL the LIVE Instructor-led Microsoft courses you want - all for the price of less than one course.
You're viewing our global site from United States
Would you like to view the site in
English
with prices in
Dollar?