AZ Study Guide

AZ-104 & AZ-305 Comprehensive Study Guide

📅 Last Researched: May 2026 📖 Source: Microsoft Learn Official Study Guides
AZ-104Azure Administrator Associate
AZ-305Solutions Architect Expert
700 / 1000Pass Score (Both)
120 minDuration (Both)
⚡ Strategy: You already work heavily with Azure — this guide focuses on exam-specific nuances, decision-tree logic, and the details Microsoft actually tests. Conceptual overviews are kept brief; depth is on the tricky parts.
AZ-104

Microsoft Azure Administrator

Exam Overview & Strategy

AZ-104 is operational and hands-on. You must know how to configure, deploy, and manage Azure resources — not just what they are. Expect scenario-based questions asking you to choose the right command, portal setting, or configuration sequence.

Questions
40–60
Pass Score
700 / 1000
Duration
100 min
Updated
Apr 17, 2026
Labs
Yes (performance-based)

Recommended Study Order

D1 Identity & Governance
D2 Storage
D4 Networking
D3 Compute
D5 Monitor
Why This Order? Identity and RBAC underpins every other domain. Networking is the hardest — study it before compute so you understand the network layer VMs/containers rely on.

Domain 1 – Manage Azure Identities and Governance

20–25%

1.1 Manage Microsoft Entra ID (formerly Azure AD)

What's Tested
FeatureEntra JoinedHybrid Entra JoinedEntra Registered
Who uses itCloud-only orgsCorp devices with on-prem ADBYOD / personal devices
Managed byIntune/MDMGroup Policy + IntuneMDM (optional)
SSO to on-premNo (without Hybrid)YesNo

Entra ID Licenses:

💡 Exam Tip If a question involves Conditional Access, dynamic groups, or SSPR → P1 license required. If PIM or Identity Protection → P2 required.

1.2 Manage Azure Role-Based Access Control (RBAC)

What's Tested
RoleManage ResourcesAssign RolesGive Others Access
Owner✅ Yes✅ Yes✅ Yes
Contributor✅ Yes❌ No❌ No
Reader❌ Read-only❌ No❌ No
User Access Admin❌ No✅ Yes✅ Yes

Managed Identity Use Cases:

⚠️ Exam Trap "User Access Administrator" can grant roles but CANNOT manage resources. Often confused with Contributor.

1.3 Manage Azure Policy and Governance

What's Tested

Policy Effects — Know the Priority:

  1. Disabled — policy not evaluated
  2. Append — adds fields to request (e.g., force tags)
  3. Modify — changes/adds properties
  4. Deny — blocks the request
  5. Audit / AuditIfNotExists — allows but logs non-compliance
  6. DeployIfNotExists — deploys a related resource if missing

Resource Locks:

⚠️ Exam Trap ReadOnly lock on a storage account prevents listing access keys — even though it looks like a read. Listing keys is internally a write operation.

1.4 Manage Subscriptions and Costs

What's Tested

Non-moveable resources (commonly tested): Azure AD Domain Services, Recovery Services Vaults (with conditions), VNet gateways when VNet has peerings.

Domain 2 – Implement and Manage Storage

15–20%

2.1 Configure Storage Accounts

What's Tested
RedundancyCopiesSurvivesCost
LRS3 in one datacenterHardware failureLowest
ZRS3 across AZsZone failureMedium
GRS6 (3 local + 3 remote region)Regional outageHigher
GZRS6 (3 zone + 3 remote region)Zone + regionalHighest
🔑 Key Rule Zone failure → ZRS minimum  |  Regional failure → GRS minimum  |  Zone AND regional → GZRS

2.2 Manage Azure Blob Storage

What's Tested
SAS TypeSigned byRecommended for
Account SASStorage account key⚠️ Avoid — broad access
Service SASStorage account keyService-specific access
User Delegation SASEntra ID credentials✅ Preferred — most secure
💡 Exam Tip User Delegation SAS = signed with Entra ID = most secure. Always prefer this when the exam asks for "most secure" option.

2.3 Configure Azure Files and Azure File Sync

What's Tested

2.4 Configure Azure Storage Security and Tools

What's Tested
# Copy blob to blob
azcopy copy 'https://source.blob.core.windows.net/container/file' \
  'https://dest.blob.core.windows.net/container/' --recursive

# Sync (only copies new/changed, can delete destination extras)
azcopy sync 'source' 'dest' --delete-destination=true

# Login with Entra ID (preferred over SAS for automation)
azcopy login

Domain 3 – Deploy and Manage Azure Compute Resources

20–25%

3.1 Configure Virtual Machines

What's Tested
OptionSLAScopeUse Case
NoneNo SLA (99.9% if Premium SSD)Single VMDev/Test
Availability Set99.95%Within a datacenterLegacy HA (multiple racks)
Availability Zones99.99%Separate physical datacentersProduction HA
VMSS (Flexible)99.99%Cross-zoneAuto-scaling production
💡 Exam Tip Availability Sets = protect against rack failures within one datacenter. Availability Zones = protect against an entire datacenter failure. "Zone failure" in the question → needs Availability Zones.

3.2 ARM Templates and Bicep

What's Tested
{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2023-09-01",
  "name": "[parameters('vmName')]",
  "dependsOn": ["[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]"]
}

3.3 Virtual Machine Scale Sets (VMSS)

3.4 Azure App Service Plans and Web Apps

ℹ️ Slot Swap Behavior Slot-specific settings (marked "slot setting") stay in their slot. Non-slot settings swap with the app. Swap warms up new slot before completing → zero-downtime deployments.

3.5 Containers

ScenarioService
Run a single container, no orchestrationAzure Container Instances (ACI)
Microservices with event-driven scalingAzure Container Apps (ACA)
Full Kubernetes control, custom workloadsAzure Kubernetes Service (AKS)
Build and store container imagesAzure Container Registry (ACR)
💡 Exam Tip ACI = billed per second, no infrastructure management. ACA = Kubernetes abstracted (KEDA, Dapr). AKS = full control but you manage node pools.

Domain 4 – Implement and Manage Virtual Networking

15–20% (Hardest Domain)

4.1 Configure Virtual Networks

FeatureService EndpointPrivate Endpoint
Traffic pathOptimized public pathPrivate IP in your VNet
Source IP seen by serviceVNet public IPPrivate IP
Works from on-prem❌ No✅ Yes (via ER/VPN)
CostFreePer hour + data charge
RecommendedLegacy/simpleProduction, compliance
🔑 Exam Rule "On-premises access to Azure PaaS" or "private IP" → Private Endpoint. Service Endpoints don't extend on-prem.

4.2 Configure Network Security Groups (NSGs)

NSG Evaluation Logic:

⚠️ Exam Trap NSG on subnet affects all VMs in that subnet. NSG on NIC affects only that specific VM. If both exist, BOTH must allow traffic.

4.3 Configure Load Balancing

RequirementService
TCP/UDP load balancing within regionAzure Load Balancer (Standard)
HTTP/HTTPS routing, URL-based, WAF (regional)Application Gateway
Global HTTP, CDN, WAF, anycastAzure Front Door
DNS-based global routing, non-HTTPTraffic Manager
Global redundancy across regional L4 LBsCross-region Load Balancer
⚠️ Exam Trap Standard Load Balancer requires NSG. Basic LB doesn't — but Basic is being retired. Always use Standard for new deployments.

4.4 Configure VPN Gateway and ExpressRoute

4.5 Monitor and Troubleshoot Networking

Domain 5 – Monitor and Maintain Azure Resources

10–15%

5.1 Configure Azure Monitor

Alert TypeData SourceLatencyUse Case
Metric alertAzure Monitor Metrics~1 min (near real-time)CPU > 90%, memory spikes
Log query alertLog Analytics1–15 minComplex query conditions
Activity log alertActivity log~5 minResource deletion, policy violations

5.2 Configure Azure Backup and Recovery

5.3 Azure Update Manager and Automation

AZ-305

Designing Microsoft Azure Infrastructure Solutions

Exam Overview & Strategy

AZ-305 is about architectural decision-making. You're not asked how to configure — you're asked which service to choose, why, and what the trade-offs are. Questions present a business requirement and ask which design meets it with the fewest compromises.

Questions
40–60
Pass Score
700 / 1000
Duration
120 min
Updated
Apr 17, 2026
Prerequisite
AZ-104 cert
AZ-104 (Admin)AZ-305 (Architect)
"How do you configure X?""Which service should you use for Y?"
CLI commands, portal stepsArchitectural trade-offs, cost/compliance
Single service deep divesCross-service integration patterns
Operations mindsetDesign / architect mindset

Azure Well-Architected Framework (WAF) — Always in Context

Every AZ-305 design decision should be evaluated against WAF pillars:

⚡ Reliability
HA, DR, resilience, fault tolerance
🔒 Security
Zero trust, defense in depth, least privilege
💰 Cost Optimization
Right-sizing, reserved capacity, eliminating waste
🛠️ Operational Excellence
Automation, observability, DevOps
🚀 Performance Efficiency
Scaling, caching, right service selection

Domain 1 – Design Identity, Governance, and Monitoring Solutions

25–30%

1.1 Design Identity and Access Management

Entra IDAD DS (on-prem)Entra Domain Services
ProtocolREST / OAuth / OIDCKerberos / LDAP / NTLMKerberos / LDAP / NTLM
ManagedFully managedYou manageFully managed
Use caseCloud apps, SaaSLegacy apps on-premLift-and-shift needing Kerberos
Domain joinEntra JoinTraditional domain joinClassic domain join
🔑 Exam Rule Partners/vendors → B2B (Entra External ID). Customers/consumers of your app → B2C (separate tenant).

1.2 Design Governance Solutions

1.3 Design Monitoring Solutions

Workspace StrategyWhen to UseTrade-off
Centralized (one workspace)SMB, unified ops teamData sovereignty concerns, noisy neighbors
Decentralized (per-team/region)Large orgs, complianceHigher cost, fragmented queries
HybridRegulated industriesBalance of both
💡 Exam Tip "Logs must stay in EU" or data sovereignty requirements → separate workspace per region.

Domain 2 – Design Data Storage Solutions

20–25%

2.1 Design Storage Accounts

ServiceUse Case
Blob StorageUnstructured data: images, videos, backups, logs
ADLS Gen2Big data analytics (Hadoop/Spark) — Blob + hierarchical namespace
Azure FilesSMB/NFS file shares, lift-and-shift file servers
Azure QueuesSimple message queuing, decoupling
Azure TablesNoSQL key-value store, simple structured data
Azure DisksVM OS and data disks

2.2 Design Relational Database Solutions

ScenarioService
New cloud-native app, no special SQL featuresAzure SQL Database (single DB)
Multiple DBs with variable/unpredictable loadElastic Pool
Need SQL Agent, cross-DB queries, CLR, Service BrokerSQL Managed Instance
Full OS access, custom SQL install, third-party toolsSQL Server on Azure VM
Very large database (100 TB+), rapid scalingHyperscale tier
🔑 Exam Rule SQL Agent jobs, linked servers, CLR, MSDTC → SQL Managed Instance. Everything else → consider SQL Database first.

2.3 Design NoSQL / Cosmos DB Solutions

The 5 Consistency Levels (memorize these):

  1. Strong — linearizability, highest read consistency, highest latency
  2. Bounded Staleness — lag by K operations or T time
  3. Session — consistent within a session (default, most popular)
  4. Consistent Prefix — never see out-of-order writes
  5. Eventual — lowest latency, highest throughput, no ordering guarantees
Use CaseRecommended Consistency
Financial transactions requiring accuracyStrong
Shopping cart, user sessionSession (default)
Social media likes, IoT telemetryEventual
Global reads with acceptable lagBounded Staleness
⚠️ Exam Trap "Session" is the default and best for most apps. "Strong" consistency kills performance across multi-region deployments — avoid unless truly required.

2.4 Design Data Integration Solutions

ServiceModelOrderingRetentionBest For
Event HubsStreamingBy partitionUp to 90 daysTelemetry, log ingestion, Kafka
Service BusQueue/TopicFIFO per sessionUp to 14 daysTransactional messaging, enterprise
Event GridPub/SubNoUp to 24 hoursReactive event routing, serverless
Storage QueueQueueBest-effort7 daysSimple, high-volume queue

Domain 3 – Design Business Continuity Solutions

15–20%

3.1 Design for High Availability

Composite SLA Formulas:

Serial (AND): SLA_A × SLA_B  →  99.9% × 99.9% = 99.8%
Parallel (OR): 1 − (1 − SLA_A) × (1 − SLA_B)  →  1 − (0.001 × 0.001) = 99.9999%
💡 Exam Tip Two serial dependencies → composite SLA is always lower than the weakest individual SLA. Redundant (parallel) copies dramatically increase availability.

3.2 Design for Disaster Recovery

Azure Site RecoveryAzure Backup
PurposeDR — replicate whole workloadBackup — restore individual items
RPOAs low as 30 seconds (VMs)Depends on policy (daily, hourly)
Fails overEntire VM/workloadIndividual files, databases, VMs
Cost driverReplication + storageStorage only
DR PatternRTORPOCost
Backup and restoreHoursHoursLowest
Pilot light10s of minutesMinutesLow
Warm standbyMinutesSecondsMedium
Active-activeNear zeroNear zeroHighest

3.3 Design Backup Solutions

Domain 4 – Design Infrastructure Solutions

30–35% — Largest Domain

4.1 Design Compute Solutions

ScenarioService
Lift-and-shift, full OS controlAzure VMs
Web/API app, no OS managementAzure App Service
Microservices, event-driven, serverless containersAzure Container Apps
Full Kubernetes controlAKS
Short-lived event-driven functionsAzure Functions
Batch processing jobsAzure Batch
ML training, GPU workloadsAzure ML + N-series / Spot VMs

4.2 Design Network Solutions

Network Security — Defense in Depth (outer to inner):

  1. DDoS Protection (edge)
  2. Azure Firewall / NVA (hub)
  3. NSG (subnet/NIC)
  4. Application Gateway + WAF (app layer)
  5. Private Endpoints (PaaS access)
  6. Encryption in transit (TLS)
Hub-Spoke (Custom)Virtual WAN
Hub managementYou manage hub VNet, firewall, routingMicrosoft managed
Any-to-any transitRequires UDRs + NVA/firewallBuilt-in
Best forCustom NVA, complex routingLarge-scale, simplified management
Branch connectivityManual VPN/ExpressRoute setupAutomated

4.3 Design Application Architecture

APIM TierVNet IntegrationNotes
ConsumptionNo (serverless)Pay-per-call, no developer portal
DeveloperExternal/InternalFull features, not for production
Basic / StandardExternalProduction, limited throughput
PremiumExternal/InternalMulti-region, high throughput

4.4 Design Migrations

SourceTargetTool
VMware / Hyper-V / Physical serversAzure VMsAzure Migrate + Site Recovery agent
SQL ServerAzure SQL DB / MIDatabase Migration Service (DMS)
Web apps (IIS)App ServiceApp Service Migration Assistant
File serversAzure FilesStorage Migration Service
Large data (offline)Azure StorageAzure Data Box

Migration phases: Discover → Assess → Migrate → Optimize

REF

Key Decision Trees & Reference

Storage Selection

Need to store... ├── Unstructured files/blobs (images, video, backups) → Blob Storage ├── Unstructured files + big data analytics → ADLS Gen2 ├── File shares (SMB/NFS for VMs or on-prem) → Azure Files ├── VM disks → Azure Managed Disks ├── NoSQL key-value (simple) → Azure Table Storage ├── NoSQL document/graph/column → Cosmos DB (choose API) ├── Relational data (cloud-native) → Azure SQL Database ├── Relational (needs SQL Agent, CLR) → SQL Managed Instance └── Full SQL Server control → SQL Server on Azure VM

Network Load Balancing

Traffic type? ├── HTTP/HTTPS │ ├── Global + CDN + WAF → Azure Front Door │ └── Regional only │ ├── WAF required → Application Gateway + WAF │ └── Basic L7 → Application Gateway └── TCP/UDP (non-HTTP) ├── Global routing (DNS-based) → Traffic Manager ├── Regional L4 → Azure Load Balancer (Standard) └── Global L4 → Cross-region Load Balancer

Identity Selection

Who needs access? ├── Employees (cloud-only) → Microsoft Entra ID ├── Employees (hybrid, on-prem AD) → Entra ID + Entra Connect ├── Partners/vendors (B2B) → Entra External ID (B2B) ├── Customers (consumer-facing app) → Entra External ID (B2C) └── Legacy apps needing Kerberos/LDAP (cloud-only) → Entra Domain Services

CLI / PowerShell Cheat Sheet

Identity & RBAC

# Create user
az ad user create --display-name "John Doe" --user-principal-name john@domain.com --password P@ssw0rd

# Assign role
az role assignment create --assignee <object-id> --role "Contributor" \
  --scope /subscriptions/<sub-id>/resourceGroups/<rg>

# Create custom role from JSON file
az role definition create --role-definition @custom-role.json

# List role assignments
az role assignment list --assignee <object-id> --all

Storage

# Create storage account
az storage account create --name mystorageacct --resource-group myRG \
  --location eastus --sku Standard_GRS

# Generate SAS token (User Delegation - preferred)
az storage blob generate-sas --account-name mystorageacct --auth-mode login \
  --container-name mycontainer --name myblob --permissions r --expiry 2026-12-31

# AzCopy sync
azcopy sync 'https://source.blob.core.windows.net/container' \
  'https://dest.blob.core.windows.net/container' --recursive

Networking

# Create VNet and subnet
az network vnet create --name myVNet --resource-group myRG \
  --address-prefix 10.0.0.0/16 --subnet-name default --subnet-prefix 10.0.0.0/24

# Create NSG rule
az network nsg rule create --name AllowSSH --nsg-name myNSG --resource-group myRG \
  --priority 100 --protocol Tcp --direction Inbound --destination-port-ranges 22 --access Allow

# IP flow verify (Network Watcher)
az network watcher test-ip-flow --vm <vm-id> --direction Inbound --protocol TCP \
  --local 10.0.0.4:22 --remote 203.0.113.0:12345

Compute

# Deploy VM in Availability Zone 1
az vm create --resource-group myRG --name myVM --image Ubuntu2204 --size Standard_D2s_v3 \
  --admin-username azureuser --generate-ssh-keys --zone 1

# Resize VM (deallocate first if changing hardware cluster)
az vm deallocate --resource-group myRG --name myVM
az vm resize --resource-group myRG --name myVM --size Standard_D4s_v3
az vm start --resource-group myRG --name myVM

# Create VMSS
az vmss create --resource-group myRG --name myScaleSet --image Ubuntu2204 \
  --upgrade-policy-mode automatic --admin-username azureuser --generate-ssh-keys

Common Exam Traps & Tips

AZ-104 Traps

1
ReadOnly lock on storage account blocks listing access keys — even though it looks like a read. Listing keys is internally a write operation.
2
NSG + subnet = BOTH must allow — traffic denied by either level is blocked. Don't assume subnet NSG alone controls everything.
3
VNet peering is non-transitive — A↔B and B↔C does NOT give A↔C connectivity. Requires UDR + NVA in hub.
4
Availability Set ≠ Availability Zones — AV Sets = rack failures within one DC. AV Zones = entire datacenter failures.
5
User Access Administrator can assign roles but CANNOT manage Azure resources. Often confused with Contributor.
6
Tags are not inherited by child resources — must use Azure Policy to enforce tag inheritance.
7
Standard Load Balancer requires NSG — without NSG, all inbound traffic is blocked by default on Standard LB.
8
Basic VPN Gateway SKU doesn't support BGP, zone redundancy, or active-active mode. Use VpnGw1 or higher.
9
Archive tier blobs must be rehydrated before access — this takes hours, not minutes.
10
Service Endpoints don't extend to on-prem. Private Endpoints do (via ExpressRoute/VPN).

AZ-305 Traps

1
SQL MI vs. SQL DB — SQL Agent jobs, cross-DB queries, CLR, linked servers → Managed Instance ONLY.
2
Cosmos DB consistency — "Session" is the default and best for most apps. "Strong" kills performance across regions.
3
ASR vs. Azure Backup — ASR = DR replication for whole workloads. Backup = point-in-time restore for individual data items.
4
Composite SLA is always LOWER than individual SLAs for serial dependencies. Two 99.9% services in series = 99.8%.
5
Traffic Manager = DNS only — it doesn't proxy traffic. Failover isn't instantaneous due to DNS TTL.
6
Front Door vs. App Gateway — Front Door = global HTTP/HTTPS + CDN. Application Gateway = regional L7 only.
7
Warm standby ≠ Hot standby — warm standby is scaled down until failover; hot standby runs at full capacity.
8
Entra Domain Services ≠ Entra ID — AADS provides Kerberos/LDAP for lift-and-shift. Entra ID is REST/OAuth only.
9
Policy remediation requires assigning a managed identity to the policy assignment for DeployIfNotExists/Modify effects.
10
vWAN vs. Hub-spoke — vWAN for simplicity at scale. Hub-spoke for custom NVAs and complex routing requirements.

General Strategy

Read the entire question — Microsoft often adds critical constraints at the end that rule out most answer choices.
"Minimum cost" + requirements = eliminate over-engineered solutions first. Pick the simplest service that meets all requirements.
"Least administrative effort" = prefer managed PaaS services over IaaS VMs.
"On-premises" in the scenario = think Private Endpoint, ExpressRoute, Hybrid Entra Join.
AZ-305 case studies — read all requirements and constraints tab BEFORE looking at individual questions.

Recommended Study Resources

📘 Official Microsoft Learn

📄AZ-104 Official Study Guide (Microsoft Learn) 📄AZ-305 Official Study Guide (Microsoft Learn) Free Practice Assessments (AZ-104 & AZ-305) 🎬AZ-104 Exam Readiness Videos 🎬AZ-305 Exam Readiness Videos

🧪 Hands-On Labs

⚙️AZ-104 Official GitHub Labs ⚙️AZ-305 Official GitHub Labs 🔬Microsoft Learn Sandbox — Free per-module Azure environment

🎯 High-Quality Third-Party

📝Tutorials Dojo — Practice exams (closest to real exam wording) ▶️John Savill's Azure Master Class (YouTube) — Best free conceptual content ☁️A Cloud Guru / Pluralsight — Structured video courses
ℹ️ Study Guide Metadata Compiled from Microsoft Learn official study guides. AZ-104 updated April 17, 2026. AZ-305 updated April 17, 2026.