Exam Ref AZ-104 Microsoft Azure Administrator (2024)
Exam Ref AZ-104 Microsoft Azure
Administrator
Second Edition
Charles Pluta
Exam Ref AZ-104 Microsoft Azure Administrator, Second
Edition
Published with the authorization of Microsoft Corporation by: Pearson
Education, Inc.
Copyright © 2025 by Pearson Education, Inc.
Hoboken, New Jersey
All rights reserved. This publication is protected by copyright, and
permission must be obtained from the publisher prior to any prohibited
reproduction, storage in a retrieval system, or transmission in any form or by
any means, electronic, mechanical, photocopying, recording, or likewise. For
information regarding permissions, request forms, and the appropriate
contacts within the Pearson Education Global Rights & Permissions
Department, please visit www.pearson.com/permissions.
No patent liability is assumed with respect to the use of the information
contained herein. Although every precaution has been taken in the
preparation of this book, the publisher and author assume no responsibility
for errors or omissions. Nor is any liability assumed for damages resulting
from the use of the information contained herein.
ISBN-13: 978-0-13-834593-8
ISBN-10: 0-13-834593-7
Library of Congress Control Number: 2024935895
TRADEMARKS
Microsoft and the trademarks listed at http://www.microsoft.com on the
“Trademarks” webpage are trademarks of the Microsoft group of companies.
All other marks are property of their respective owners.
WARNING AND DISCLAIMER
Every effort has been made to make this book as complete and as accurate as
possible, but no warranty or fitness is implied. The information provided is
on an “as is” basis. The author, the publisher, and Microsoft Corporation
shall have neither liability nor responsibility to any person or entity with
respect to any loss or damages arising from the information contained in this
book or from the use of the programs accompanying it.
SPECIAL SALES
For information about buying this title in bulk quantities, or for special sales
opportunities (which may include electronic versions; custom cover designs;
and content particular to your business, training goals, marketing focus, or
branding interests), please contact our corporate sales department at
corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact
governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact
intlcs@pearson.com.
CREDITS
EDITOR-IN-CHIEF
Brett Bartow
EXECUTIVE EDITOR
Loretta Yates
ASSOCIATE EDITOR
Shourav Bose
DEVELOPMENT EDITOR
Songlin Qiu
MANAGING EDITOR
Sandra Schroeder
SENIOR PROJECT EDITOR
Tracey Croom
COPY EDITOR
Brie Gyncild
INDEXER
Timothy Wright
PROOFREADER
Charlotte Kughen
TECHNICAL EDITOR
Jim Cheshire
EDITORIAL ASSISTANT
Cindy Teeters
COVER DESIGNER
Twist Creative, Seattle
COMPOSITOR
codeMantra
GRAPHICS
codeMantra
Contents at a glance
Acknowledgments
About the author
Introduction
CHAPTER 1 Manage Azure identities and governance
CHAPTER 2 Implement and manage storage
CHAPTER 3 Deploy and manage Azure compute resources
CHAPTER 4 Configure and manage virtual networking
CHAPTER 5 Monitor and back up Azure resources
CHAPTER 6 Exam Ref AZ-104 Microsoft Azure Administrator exam updates
Index
Contents
Introduction
Organization of this book
Preparing for the exam
Microsoft certifications
Access the exam updates chapter and online references
Errata, updates & book support
Stay in touch
Chapter 1 Manage Azure identities and governance
Skill 1.1: Manage Microsoft Entra users and groups
Create users and groups
Manage user and group properties
Manage licenses in Microsoft Entra ID
Manage external users
Configure Microsoft Entra Join
Configure self-service password reset
Skill 1.2: Manage access to Azure resources
Understand how RBAC works
Create a custom role
Interpret access assignments
Manage multiple directories
Skill 1.3: Manage Azure subscriptions and governance
Configure Azure policies
Configure resource locks
Apply and manage tags on resources
Manage resource groups
Manage Azure subscriptions
Configure management groups
Configure cost management
Chapter summary
Thought experiment
Thought experiment answers
Chapter 2 Implement and manage storage
Skill 2.1: Configure access to storage
Create and configure storage accounts
Configure Azure Storage firewalls and virtual networks
Create and use shared access signature (SAS) tokens
Configure stored access policies
Manage access keys
Configure identity-based access
Skill 2.2: Configure and manage storage accounts
Configure Azure storage redundancy
Configure object replication
Configure storage account encryption
Manage data using Azure Storage Explorer
Manage data by using AzCopy
Skill 2.3: Configure Azure Files and Azure Blob Storage
Create and configure a file share in Azure Storage
Configure Azure Blob Storage
Configure storage tiers
Configure soft delete, versioning, and snapshots
Configure blob lifecycle management
Chapter summary
Thought experiment
Thought experiment answers
Chapter 3 Deploy and manage Azure compute resources
Skill 3.1: Automate deployment of resources
Interpret an Azure Resource Manager template
Modify an existing ARM template
Deploy resources from a template
Export a deployment template
Interpret and modify a Bicep file
Skill 3.2: Create and configure virtual machines
Create a virtual machine
Configure Azure Disk Encryption
Move VMs from one resource group or subscription to another
Manage VM sizes
Manage VM disks
Deploy VMs to availability sets and zones
Deploy and configure Virtual Machine Scale Sets
Skill 3.3: Provision and manage containers
Create and manage an Azure Container Registry
Provision a container using Azure Container Instances
Provision a container using Azure Container Apps
Manage sizing and scaling for containers
Skill 3.4: Create and configure Azure App Service
Provision an App Service plan
Configure scaling for an App Service plan
Create an App Service
Map an existing custom DNS name to an App Service
Configure certificates and TLS for an App Service
Configure backup for an App Service
Configure networking settings for an App Service
Configure deployment slots for an App Service
Chapter summary
Thought experiment
Thought experiment answers
Chapter 4 Configure and manage virtual networking
Skill 4.1: Configure and manage virtual networks in Azure
Create and configure virtual networks and subnets
Create and configure virtual network peering
Configure public IP addresses
Configure user-defined network routes
Troubleshoot network connectivity
Skill 4.2: Configure secure access to virtual networks
Create and configure network security groups and application security groups
Evaluate effective security rules
Deploy and configure Azure Bastion Service
Configure service endpoints for Azure services
Configure private endpoints for Azure services
Skill 4.3: Configure name resolution and load balancing
Configure Azure DNS
Configure load balancing
Troubleshoot load balancing
Chapter summary
Thought experiment
Thought experiment answers
Chapter 5 Monitor and back up Azure resources
Skill 5.1: Monitor resources in Azure
Interpret metrics in Azure Monitor
Configure log settings in Azure Monitor
Query and analyze logs in Azure Monitor
Set up alert rules, action groups, and alert processing rules in Azure Monitor
Configure Application Insights
Configure and interpret monitoring of VMs, storage accounts, and networks using Azure Monitor Insights
Use Azure Network Watcher and Connection Monitor
Skill 5.2: Implement backup and recovery
Create and manage a Recovery Services vault
Configure Azure Site Recovery
Create an Azure Backup vault
Create and configure backup policy
Configure and review backup reports
Chapter summary
Thought experiment
Thought experiment answers
Chapter 6 Exam Ref AZ-104 Microsoft Azure Administrator exam updates
The purpose of this chapter
About possible exam updates
Impact on you and your study plan
News and commentary about the exam objective updates
Updated technical content
Objective mapping
Index
Acknowledgments
I would like to acknowledge my wife, Jennifer, who has supported the
unusual hours for projects such as this for over a decade now. I would also
like to acknowledge my best friends and colleagues who allow me to bounce
ideas off them, provide guidance to them, and share laughs with them: Elias
Mereb, Joshua Waddell, Ed Gale, and Aaron Lines. Finally, I have to thank
my manager, Julia Nathan, who has been an exemplary coach and role model
and continues to support my work on projects such as this book.
About the Author
CHARLES PLUTA is a technical consultant and Microsoft Certified Trainer
(MCT) who has authored several certification exams, lab guides, and learner
guides for various technology vendors. As a technical consultant, Charles has
assisted small, medium, and large organizations by deploying and
maintaining their IT infrastructure. He is also a speaker, a staff member, or a
trainer at several large annual industry conferences. Charles has a degree in
Computer Networking, and holds over 15 industry certifications. He makes a
point to leave the United States to travel to a different country every year.
When not working or traveling, he plays pool in Augusta, Georgia.
Introduction
Some books take a very low-level approach, teaching you how to use
individual classes and accomplish fine-grained tasks. Like the Microsoft
AZ-104 certification exam, this book takes a high-level approach, building on
your foundational knowledge of Microsoft Azure and common administrative
actions to take in an Azure environment. We provide walk-throughs using the
Azure portal; however, the exam might also include questions that use
PowerShell or the Azure Command Line Interface (CLI) to perform the same
task. You might encounter questions on the exam focused on these additional
areas that are not specifically included in this Exam Ref.
This book covers every major topic area found on the exam, but it does
not cover every exam question. Only the Microsoft exam team has access to
the exam questions, and Microsoft regularly adds new questions to the exam,
making it impossible to cover specific questions. You should consider this
book a supplement to your relevant real-world experience and other study
materials. If you encounter a topic in this book that you do not feel
completely comfortable with, use the “Need more review?” links you’ll find
in the text to find more information and take the time to research and study
the topic.
Organization of this book
This book is organized by the “Skills measured” list published for the exam.
The “Skills measured” list is available for each exam on the Microsoft Learn
website: microsoft.com/learn. Each chapter in this book corresponds to a
major topic area in the list, and the technical tasks in each topic area
determine a chapter’s organization. If an exam covers six major topic areas,
for example, the book will contain six chapters.
Preparing for the exam
Microsoft certification exams are a great way to build your resume and let the
world know about your level of expertise. Certification exams validate your
on-the-job experience and product knowledge. Although there is no substitute
for on-the-job experience, preparation through study and hands-on practice
can help you prepare for the exam. This book is not designed to teach you
new skills.
We recommend that you augment your exam preparation plan by using a
combination of available study materials and courses. For example, you
might use the Exam Ref and another study guide for your at-home preparation
and take a Microsoft Official Curriculum course for the classroom
experience. Choose the combination that you think works best for you. Learn
more about available classroom training, online courses, and live events at
microsoft.com/learn.
Note that this Exam Ref is based on publicly available information about
the exam and the author’s experience. To safeguard the integrity of the exam,
authors do not have access to the live exam.
Microsoft certifications
Microsoft certifications distinguish you by proving your command of a broad
set of skills and experience with current Microsoft products and technologies.
The exams and corresponding certifications are developed to validate your
mastery of critical competencies as you design and develop, or implement
and support, solutions with Microsoft products and technologies both
on-premises and in the cloud. Certification brings a variety of benefits to the
individual and to employers and organizations.
More Info All Microsoft Certifications
For information about Microsoft certifications, including a full list of
available certifications, go to microsoft.com/learn.
Access the exam updates chapter and online references
The final chapter of this book, “AZ-104 Azure Administrator exam updates,”
will be used to provide information about new content per new exam topics,
content that has been removed from the exam objectives, and revised
mapping of exam objectives to chapter content. The chapter will be made
available from the link at the end of this section as exam updates are released.
Throughout this book are addresses to webpages that the author has
recommended you visit for more information. We’ve compiled them into a
single list that readers of the print edition can refer to while they read.
The URLs are organized by chapter and heading. Every time you come
across a URL in the book, find the hyperlink in the list to go directly to the
webpage.
Download the exam updates chapter and the URL list at
MicrosoftPressStore.com/ERAZ1042e/downloads.
Errata, updates & book support
We’ve made every effort to ensure the accuracy of this book and its
companion content. You can access updates to this book—in the form of a
list of submitted errata and their related corrections—at
MicrosoftPressStore.com/ERAZ1042e/errata
If you discover an error that is not already listed, please submit it to us at
the same page.
For additional book support and information, please visit
MicrosoftPressStore.com/Support.
Please note that product support for Microsoft software and hardware is
not offered through the previous addresses. For help with Microsoft software
or hardware, go to support.microsoft.com.
Stay in touch
Let's keep the conversation going! We're on X/Twitter:
twitter.com/MicrosoftPress.
Chapter 1
Manage Azure identities and governance
Microsoft has long been a leader in the identity space. This leadership goes
back to the introduction of Active Directory (AD) with Windows 2000 before
the cloud even existed. Microsoft moved into cloud identity with the
introduction of Azure Active Directory (Azure AD), now Microsoft Entra ID,
which is used by more than 5 million companies around the world. The
adoption of Microsoft 365 led to this extended use of Entra ID. These two
technologies, however, have very different purposes, with AD primarily used
on-premises and Entra ID primarily used for the cloud.
Microsoft has poured resources into making on-premises AD and Entra ID
work together. The concept is to extend the identity that lives on-premises to
the cloud by synchronizing the identities. This ability is provided by
Microsoft Entra Connect and Microsoft Entra Connect Sync. Microsoft has
also invested in extending those identities to enable scenarios such as single
sign-on by using Active Directory Federation Services (ADFS), which is
deployed in many large enterprises. (Note that Entra Connect and Entra
Connect Sync are not covered on the AZ-104 exam.)
Microsoft has continued pushing forward by developing options for
developers to leverage Entra ID for their applications. Microsoft provides the
ability for developers to extend a company’s identity provider to users
outside of the organization. The first option is known as Microsoft Entra
External ID. This allows customers to sign in to applications using their
social media accounts, such as a Facebook ID. A complementary technology
—Entra ID B2B (Business to Business)—extends Entra ID to business
partners.
This area of the AZ-104 exam is focused on the management of identities
using Entra ID.
In the latter part of this chapter, you will also learn how to manage
role-based access control (RBAC) for Azure resources, including the following
topics:
Understand how RBAC works
Create a custom role assignment
Provide access to Azure resources using different roles
Interpret access assignment
Manage multiple directories
Finally, you will learn how to manage Azure subscriptions and other
resources. This includes how to
Configure Azure Policy to ensure your Azure environment is governed in an effective way while maintaining the agility of the cloud
Apply governance to Azure resource groups and their child resources through Azure Policy
Create and manage resource locks
Apply tags to Azure resources
Manage the lifecycle of the resources that reside in resource groups
Manage Azure subscriptions
Configure management groups
Govern cost management through quotas and resource tags
By understanding the controls that are available in Azure for subscription
and resource management, you enable your organization for success across
your Azure estate.
Skills covered in this chapter:
Skill 1.1: Manage Microsoft Entra users and groups
Skill 1.2: Manage access to Azure resources
Skill 1.3: Manage Azure subscriptions and governance
Skill 1.1: Manage Microsoft Entra users and groups
In a Microsoft Entra tenant, there are users, groups, and devices that are
controlled through the features of Entra discussed in this section. This section
focuses on managing users and groups throughout their lifecycles, how to
manage device settings, how to perform bulk updates to users using
automation tooling such as PowerShell, and how to manage guest accounts.
The latter part of this section discusses how to manage Entra joined
devices and how to configure user experience controls, such as self-service
password reset (SSPR).
This skill covers how to:
Create users and groups
Manage user and group properties
Manage licenses in Microsoft Entra ID
Manage external users
Configure Microsoft Entra ID Join
Configure self-service password reset
Create users and groups
There are primarily two types of users in Entra ID—cloud-only users and
users synchronized from an on-premises directory. Cloud-only users are
created and managed exclusively in Entra ID, and their attributes can be
updated directly in Entra ID.
You can create cloud-only users through the Azure portal, Azure
PowerShell, Azure command-line interface (CLI), or the Microsoft Entra
Admin Center or by using the Microsoft Graph. When creating new users,
you must be assigned to the Global Administrator or User Administrator role.
See Skill 1.2 for more details about various roles and their assignments.
To create users from the Azure portal, sign in as a user with rights to
create users, type Microsoft Entra ID in the search box (or browse to All
Azure Services and select Microsoft Entra ID), click Users to open the Users
blade, click New User, and click Create A New User. An example of this blade
is shown in Figure 1-1. Note that you can also invite users (guest users) to
your directory through the Azure portal.
FIGURE 1-1 Create New User blade in the Azure portal
When creating a new user, the User Principal Name (username), Display
Name (the user’s given name and surname), and Password fields are
mandatory. You can configure additional settings, such as assigning specific
groups and roles, blocking sign-ins from a specific location, and so on.
Need More Review? Managing Users
For more information on managing user accounts, see
https://learn.microsoft.com/en-us/entra/fundamentals/how-to-create-delete-users.
Groups are collections of objects that make role assignments and access
permissions easier to manage. A group can contain groups, users, devices, or
service principals. When using groups, you eliminate the need to individually
assign roles or permissions. Creating groups is a similar experience to
creating user accounts and can be performed from the Azure portal, Azure
PowerShell, the Azure CLI, Microsoft Entra Admin Center, and Microsoft
Graph. To create a group in the Azure portal, type Microsoft Entra ID in the
Search field or browse to All Azure Services, select Microsoft Entra ID, click
Groups to open the Groups blade, and click New Group. The New Group
blade is shown in Figure 1-2.
FIGURE 1-2 New Group blade in the Azure portal
When you create a new group, there are several factors that dictate the
type of group that is created and how that group behaves in Entra and
associated workloads, such as Microsoft 365.
Need More Review? Microsoft 365 Branding
In 2020, Office 365 was renamed Microsoft 365. You can find details
on how Microsoft 365 is integrated with Azure at
https://learn.microsoft.com/en-us/microsoft-365/enterprise/azure-integration?view=o365-worldwide.
First, you must select the type of group you are creating. You have two
options: Security and Microsoft 365. Security groups allow you to grant
access to Azure resources to a group of users, devices, or service principals. A
Microsoft 365 group allows access to a shared mailbox, calendar, SharePoint
site, and so on. Note that even if you are creating groups in an Entra tenant
that is not associated with a Microsoft 365 subscription, you will still see the
option to create a Microsoft 365 group.
Also, Group Name is a required field. While filling in a Group
Description is not required, it is recommended that you include a group
description to make it easier to find and identify the purpose of a group later.
The Membership Type drop-down menu provides three options:
Assigned: Use this option to select one or more users and add them to the group. Adding and removing users is performed manually.
Dynamic User: Select this option to use dynamic group rules to automatically add and remove members.
Dynamic Device: Select this option to use dynamic group rules to automatically add and remove devices.
Important Dynamic Group Requirement
You can create a dynamic group only if you have a Microsoft Entra ID
P1 or P2 license. Otherwise, the Membership Type option is
unavailable and is set to Assigned.
For both dynamic user and dynamic device-based groups, the rules
associated with the group are evaluated on an ongoing basis. If a user or
device has an attribute that matches the rule, that user or device is added to
the group. If an attribute changes and the user or device no longer matches
the criteria for group membership, the entity will be removed. Membership
processing is not immediate. If an error occurs while processing a
membership rule, an error is surfaced on the Group blade in the Azure portal.
You can always view the current processing status from the Group blade.
It is important to note that you can create a dynamic group for users or
devices, but you cannot create both at the same time. You also cannot use
user attributes in a device-based rule. It is possible to change the membership
type of a group after it has been created, which provides an opportunity to
transition from a static (or assigned) membership model to a dynamic
membership model or vice-versa.
When creating dynamic groups, rules can be edited in the simple rule
format, where you build the query and conditions in the rule builder and can
build complex rules with conditional logic. In the example shown in
Figure 1-3, a dynamic user group is being created, which will automatically
update its membership based on the department attribute and its value in
Entra ID.
FIGURE 1-3 Dynamic membership rules
Dynamic groups require an Entra ID Premium P1 or Premium P2 license.
Manage user and group properties
As users and groups are used, they might need updates to their attributes (or
properties). For example, you might need to change a user’s job title, or you
might need to add or remove members from an existing group.
Users and groups can be updated using management tools such as the
Azure portal, Azure PowerShell, Azure CLI, and Microsoft Graph. Figure 1-4
shows an example of the user profile in the Azure portal that can be
accessed by browsing to your Entra tenant, selecting Users, choosing a user,
and clicking Edit Properties.
FIGURE 1-4 A user profile in the Azure portal
Groups can be managed through the Azure portal by browsing to your
Entra tenant, selecting Groups, choosing a specific group, and then clicking
Properties, Members, or Owners, depending on the type of update you want
to make. When editing a group, you will not be able to change the Group
Type (such as changing a Security group to a Microsoft 365 group), but you
will be able to update the Group Name, Group Description, and the
Membership Type, as shown in Figure 1-5. Changing a static group to a
dynamic group will remove all the members from the static group and apply
dynamic membership rules. This change will also affect the access to the
resources if the static group has any previously assigned access for its
members.
FIGURE 1-5 Group properties in the Azure portal
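Because converting a static group to a dynamic one drops every assigned member and re-derives membership from a rule such as the department rule discussed earlier, it is worth previewing who loses access before making the change. The following Python sketch is an added example, not code from the book or from Microsoft: the rule parser (which handles only the single form (user.<attribute> -eq "<value>")), the function names, and the sample accounts are all assumptions constructed for illustration.

```python
import re

# Constructed sample data (not from a real tenant): directory users and the
# current manually assigned membership of the group about to be converted.
USERS = [
    {"upn": "ana@contoso.example", "department": "Sales"},
    {"upn": "bo@contoso.example", "department": "sales"},
    {"upn": "cy@contoso.example", "department": "Finance"},
    {"upn": "di@contoso.example", "department": None},
    {"upn": "ed@contoso.example", "department": "Sales"},
]
ASSIGNED_MEMBERS = {
    "ana@contoso.example",
    "cy@contoso.example",
    "di@contoso.example",
}

# Hypothetical parser for one rule shape only: (user.<attribute> -eq "<value>").
# Real dynamic membership rules support many more operators and combinations.
RULE_RE = re.compile(r'^\(?\s*user\.(\w+)\s+-eq\s+"([^"]*)"\s*\)?$', re.IGNORECASE)


def parse_rule(rule):
    """Return (attribute, value) or raise ValueError for unsupported rules."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule for this sketch: {rule!r}")
    return m.group(1), m.group(2)


def matches(user, rule):
    """True if the user's attribute equals the rule value."""
    attribute, wanted = parse_rule(rule)
    actual = user.get(attribute)
    if actual is None:
        # An unset attribute cannot equal a non-empty value.
        return False
    # Assumption: string comparison is modelled as case-insensitive.
    return actual.casefold() == wanted.casefold()


def conversion_impact(users, assigned, rule):
    """Compare assigned membership with what the rule would produce."""
    dynamic = {u["upn"] for u in users if matches(u, rule)}
    return {
        "removed": sorted(assigned - dynamic),  # lose group-based access
        "added": sorted(dynamic - assigned),    # gain group-based access
        "kept": sorted(assigned & dynamic),
    }


if __name__ == "__main__":
    impact = conversion_impact(
        USERS, ASSIGNED_MEMBERS, '(user.department -eq "Sales")'
    )
    for outcome, upns in impact.items():
        print(f"{outcome}: {', '.join(upns) or '-'}")
```

Accounts listed under "removed" lose whatever access the group granted once the rule takes over, so review them (and any unexpected names under "added") before changing the Membership Type.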
Registered and joined devices in Entra ID can be managed in two areas in
the Azure portal:
Browse to your Entra tenant in the Azure portal, and select Devices.
Overview is the default view, but you can also choose other views, such
as All Devices, Device Settings, BitLocker Keys, and so on.
Open the Devices blade for an individual user.
With either option, you will be able to search for devices using the device
name as a filter, view a detailed overview of any registered and joined
devices, and perform common device-management tasks.
To enable and disable devices, you must be a Global Administrator,
Intune Administrator, or Cloud Device Administrator. Disabling a device
prevents it from accessing Entra ID resources. Note that this does not prevent
the user from accessing resources in general; it only prevents the user from
accessing resources from that disabled device. Figure 1-6 shows the Disable
option.
FIGURE 1-6 Disable option in the All Devices blade in the Azure portal
Deleting devices is similar to enabling or disabling a device. Again, the
user performing the update must be a Global Administrator, Intune
Administrator, or Cloud Device Administrator. Deleting a device prevents a
device from accessing your Entra ID resources and removes all details that
are attached to the device (including BitLocker keys for Windows devices).
Deleting a device represents a non-recoverable activity and is not
recommended unless it is required for an activity such as device
decommissioning.
Previously, the Azure portal was only helpful for single updates to users,
which meant you had to rely on custom automation solutions (mostly using
PowerShell) for updating users in bulk. Because of recent updates, you can
now perform bulk operations (such as creating, inviting, and deleting users in
batches) using the Azure portal as well as the Entra admin center at
https://entra.microsoft.com.
You can access this functionality by navigating to your Entra tenant in the
Azure portal and then clicking Users. You will see these options at the top of
the blade, as shown in Figure 1-7.
FIGURE 1-7 Bulk update options in the Users blade in the Azure portal
Clicking Bulk Create opens the Bulk Create User blade, which is shown in
Figure 1-8.
FIGURE 1-8 Bulk Create Users blade in the Azure portal
Bulk user creation is a three-step process:
1. Click Download on the Bulk Create User blade to download a CSV
(comma-separated values or comma-delimited) template
(UserCreateTemplate.csv). This is a standard template with mandatory
attributes, such as Name, User Name, Initial Password, and Block Sign
In. You can also specify optional attributes such as First Name, Last
Name, Job Title, and so on.
2. Edit the CSV file with bulk update values. You just need to update
appropriate values and save the changes. The sample mandatory values
are already included in the template for reference.
3. Upload the updated CSV file and submit the operation.
After submitting the operation, you can check the status of the bulk
operation by navigating to Bulk Operation Results under the Activity section
of the Users blade (see Figure 1-9).
FIGURE 1-9 Bulk Operation Results blade in the Azure portal
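A pre-upload check on the edited CSV catches mistakes that would otherwise surface only in Bulk Operation Results, and flags rows that share one initial password. The following Python sketch is an added example, not part of the book or the portal: the column headers reuse the attribute names listed in step 1, but the exact header text of the real template, the Yes/No values for Block Sign In, and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample file. The header text of the downloaded template may
# differ; adjust REQUIRED to match the file you actually downloaded.
SAMPLE_CSV = """Name,User Name,Initial Password,Block Sign In,Job Title
Ana Ruiz,ana@contoso.example,Xk7#pQ2!vLm9,No,Analyst
Bo Chen,bo@contoso.example,Welcome123!,No,Engineer
Cy Patel,cy@contoso.example,Welcome123!,No,
Di Okoro,di.contoso.example,Rt5$hN8@wZc3,Maybe,Manager
,ed@contoso.example,Jm2&yB6^tQs4,Yes,Intern
Ana R.,ANA@contoso.example,Pf9*dG3%kVx7,No,Analyst
"""

REQUIRED = ("Name", "User Name", "Initial Password", "Block Sign In")


def validate_bulk_csv(text):
    """Return a list of (line_number, issue) tuples; empty means no findings."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing-columns:" + ",".join(missing))]

    rows = list(reader)
    # Count passwords across the whole batch so reuse can be flagged per row.
    pw_counts = Counter(r["Initial Password"] for r in rows if r["Initial Password"])
    first_seen = {}  # case-folded user name -> line where it first appeared
    findings = []

    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        for col in REQUIRED:
            if not (row[col] or "").strip():
                findings.append((line_no, f"empty:{col}"))

        upn = (row["User Name"] or "").strip()
        if upn:
            local, at, domain = upn.partition("@")
            if not (local and at and "." in domain):
                findings.append((line_no, "bad-user-name"))
            key = upn.casefold()
            if key in first_seen:
                findings.append((line_no, "duplicate-user-name"))
            else:
                first_seen[key] = line_no

        block = (row["Block Sign In"] or "").strip().casefold()
        if block and block not in ("yes", "no"):
            findings.append((line_no, "bad-block-sign-in"))

        pw = row["Initial Password"]
        if pw and pw_counts[pw] > 1:
            # Report the row only; never echo the password itself.
            findings.append((line_no, "shared-initial-password"))

    return findings


if __name__ == "__main__":
    for line_no, issue in validate_bulk_csv(SAMPLE_CSV):
        print(f"line {line_no}: {issue}")
```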
Manage licenses in Microsoft Entra ID