Last-Minute Review
The 50 most-tested facts across AZ-104 — read this the morning of your exam
Identities & Governance · 10 facts
Contributor cannot assign roles — Of the built-in roles, only Owner, User Access Administrator and the newer Role Based Access Control Administrator carry Microsoft.Authorization/roleAssignments/write (a custom role can include it too). Contributor has full resource management but its NotActions exclude Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete, so it has zero access management.
RBAC is additive — If a user has Reader on subscription AND Contributor on a resource group, they have Contributor rights within that resource group.
Deny assignments take precedence — A deny assignment blocks an action even if a role assignment grants it. You cannot create deny assignments directly; they are created by Azure Blueprints, managed applications and deployment stacks to protect the resources they manage.
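The three RBAC rules above (Contributor lacks roleAssignments/write, grants are additive across scopes, deny assignments win) can be checked with a small effective-access evaluator. This is an added illustration, not Azure's authorization engine; the role definitions are a subset of the real built-in ones, and the subscription, resource group, vault and principal names are constructed for the example.

```python
from fnmatch import fnmatchcase

# Subset of the real built-in role definitions (Actions / NotActions).
# Assumed for this example; the real Contributor role lists more NotActions.
BUILTIN_ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*"],
        "not_actions": [],
    },
}

def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its own scope and at every scope beneath it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def matches(patterns, action):
    """Azure action strings use '*' wildcards that match across '/' segments."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role_name, action):
    """One role grants an action if an Action matches and no NotAction of the
    SAME role matches. NotActions never subtract from other roles."""
    role = BUILTIN_ROLES[role_name]
    return matches(role["actions"], action) and not matches(role["not_actions"], action)

def can_perform(principal, scope, action, role_assignments, deny_assignments=()):
    """Effective access: a matching deny assignment wins outright; otherwise the
    answer is the union of every role assignment whose scope contains the target."""
    for deny in deny_assignments:
        applies_to_principal = deny["principals"] == "*" or principal in deny["principals"]
        if scope_covers(deny["scope"], scope) and applies_to_principal:
            if matches(deny["actions"], action) and not matches(deny.get("not_actions", []), action):
                return False
    return any(
        ra["principal"] == principal
        and scope_covers(ra["scope"], scope)
        and role_permits(ra["role"], action)
        for ra in role_assignments
    )

# Constructed scenario: Reader at subscription + Contributor on one resource group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/kv-app"

ROLE_ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "alice", "role": "Contributor", "scope": RG},
    {"principal": "bob", "role": "User Access Administrator", "scope": SUB},
]
# A deny assignment of the kind a deployment stack or Blueprint would create.
DENY_ASSIGNMENTS = [
    {"scope": VAULT, "principals": "*", "actions": ["Microsoft.KeyVault/vaults/delete"]},
]

def demo():
    vm_write = "Microsoft.Compute/virtualMachines/write"
    assign = "Microsoft.Authorization/roleAssignments/write"
    kv_delete = "Microsoft.KeyVault/vaults/delete"
    return {
        "alice_write_vm_in_sub": can_perform("alice", SUB, vm_write, ROLE_ASSIGNMENTS),
        "alice_write_vm_in_rg": can_perform("alice", RG, vm_write, ROLE_ASSIGNMENTS),
        "alice_assign_role_in_rg": can_perform("alice", RG, assign, ROLE_ASSIGNMENTS),
        "bob_assign_role_in_rg": can_perform("bob", RG, assign, ROLE_ASSIGNMENTS),
        "bob_write_vm_in_rg": can_perform("bob", RG, vm_write, ROLE_ASSIGNMENTS),
        "alice_delete_vault_no_deny": can_perform("alice", VAULT, kv_delete, ROLE_ASSIGNMENTS),
        "alice_delete_vault_with_deny": can_perform("alice", VAULT, kv_delete, ROLE_ASSIGNMENTS, DENY_ASSIGNMENTS),
    }

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'Allow' if allowed else 'Deny'}")
```

The Contributor result is the one worth remembering: the role's Actions list is `*`, so it only loses role assignment rights because `Microsoft.Authorization/*/Write` sits in its NotActions, and that subtraction stays inside the role. Reader at the subscription does not take anything away from Contributor on the resource group, but a deny assignment on the vault beats both.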
CanNotDelete vs ReadOnly locks — CanNotDelete: read and modify, but cannot delete. ReadOnly: read only — even Owners cannot modify or delete. Both block deletion.
ReadOnly lock on storage account — Blocks the List Keys operation, because List Keys is a POST request and a ReadOnly lock allows only read (GET) operations on the control plane. Anything that needs the account key (portal data views, key-based tooling) therefore stops working; data-plane access through Entra ID RBAC is not affected. This surprises many candidates.
Tags do NOT inherit — Tags on a resource group do not automatically apply to child resources. Use Azure Policy (Inherit a tag from the resource group) to enforce inheritance.
Azure Policy — Deny effect — Returns HTTP 403 immediately. The non-compliant resource is never created. DeployIfNotExists creates a remediation resource; it does not block the original.
Management group limits — Maximum 10,000 management groups per tenant. Maximum 6 levels of hierarchy depth (not counting the root). One root management group per tenant.
SSPR "Selected" = one group only — SSPR can be enabled for All users, or Selected (a single Entra group). It cannot target multiple groups — use a nested group.
Dynamic group membership delay — Dynamic group rule evaluation is asynchronous. Newly created users matching the rule may take up to 24 hours to appear in the group.
Storage · 10 facts
GRS vs RA-GRS — GRS replicates asynchronously to the paired region, but the secondary is NOT readable until a failover. RA-GRS adds a read-only secondary endpoint of the form <account>-secondary.blob.core.windows.net. The same split applies to GZRS vs RA-GZRS.
Archive rehydration time — Standard priority: up to 15 hours. High priority: under 1 hour (for objects under 10 GB). You cannot read an archived blob without rehydrating first.
User delegation SAS — Signed with an Entra ID credential (not an account key). Most secure SAS type. Key rotation does NOT invalidate user delegation SAS — revoke the delegation key instead.
Stored access policy + service SAS — A stored access policy lets you revoke a service SAS without rotating the account key. Account SAS and user delegation SAS do NOT support stored access policies.
Object replication prerequisites — Blob versioning must be enabled on BOTH the source and destination accounts; change feed must be enabled on the SOURCE account. Object replication is asynchronous with no RPO or SLA.
Soft delete is per feature — Blob soft delete, container soft delete, and Azure Files soft delete are THREE separate settings. Enabling one does not enable the others.
Lifecycle management cannot rehydrate — Lifecycle management rules can tier blobs DOWN (Hot→Cool→Cold→Archive) but cannot rehydrate blobs UP from Archive.
NFS Azure Files = Premium only — NFS 4.1 file shares require a Premium (FileStorage) storage account and are reachable only through a private endpoint or a VNet service endpoint (plus VPN/ExpressRoute for on-premises); the unrestricted public endpoint is not supported for NFS.
Storage firewall default action — Adding VNet or IP rules does nothing until you change the default action to "Deny". Both settings must be configured for the firewall to take effect.
AzCopy sync is one-directional — AzCopy sync copies changed/new files from source to destination but does NOT delete destination files that no longer exist in source (unless --delete-destination=true).
Compute · 10 facts
Availability Set vs Availability Zone — Sets: fault domains (rack isolation) + update domains, 99.95% SLA. Zones: datacenter isolation, 99.99% SLA. Both SLAs require two or more VMs (in the set, or spread across zones). Mutually exclusive for a given VM, chosen at creation time.
Cannot add VM to availability set post-creation — The availability set must be selected when the VM is created. To change it, you must delete and recreate the VM.
Encryption at host ≠ Azure Disk Encryption — Encryption at host encrypts data on the VM host (temp disk, ephemeral OS disk and the OS/data disk caches), so it flows to storage already encrypted. ADE encrypts the disk inside the guest with BitLocker/dm-crypt and keys in Key Vault. They serve different purposes and cannot both be enabled on the same VM.
VMSS Flexible is now recommended — Flexible orchestration is the general-purpose choice: it spreads instances across zones or fault domains, can mix Spot and standard instances, and can hold VMs of different sizes. Uniform orchestration uses a single VM model for identical instances at large scale (stateless workloads); it is not deprecated, but Flexible is the default for new scale sets.
App Service autoscale = Standard tier minimum — Free, Shared, and Basic tiers do NOT support autoscale. Standard (and above) is required for scale-out rules.
Deployment slots = Standard tier minimum — Staging slots (beyond the production slot) require Standard or above. Basic provides only the production slot.
Slot swap behavior — Swap exchanges the running code and configuration. Slot-sticky settings stay with their slot and are NOT swapped — useful for connection strings that differ per environment.
ACR geo-replication = Premium only — Basic and Standard ACR tiers do not support geo-replication. Only Premium supports multiple regional replicas.
ARM Complete mode is destructive — Complete mode deletes resources in Azure that are NOT in the template. Incremental mode (default) only adds/updates — it never deletes existing resources.
Bicep compiles to ARM — Bicep is a DSL that compiles down to ARM JSON. `az bicep decompile` converts ARM JSON to Bicep (best-effort). `az bicep build` converts Bicep to ARM JSON.
Virtual Networking · 10 facts
5 reserved addresses per subnet — The first four and the last address of every subnet: .0 (network), .1 (default gateway), .2 and .3 (Azure DNS), and the broadcast address (.255 in a /24). A /28 subnet has 16 addresses, only 11 usable; /29 is the smallest subnet allowed (3 usable).
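A subnet planner that applies the reservation rule above, as an added example (not from the original page): it maps out which addresses Azure takes, rejects prefixes smaller than /29, and answers the reverse question of which prefix leaves enough room for a given number of VMs or scale-set instances. The CIDRs in the usage are constructed.

```python
from ipaddress import IPv4Network

AZURE_RESERVED = 5   # network, default gateway, two Azure DNS addresses, broadcast
MIN_PREFIX = 29      # smallest subnet Azure accepts: 8 addresses, 3 usable

def azure_subnet_plan(cidr):
    """Return the reserved addresses and usable range of an Azure IPv4 subnet."""
    net = IPv4Network(cidr, strict=True)          # strict: reject 10.0.0.5/28 etc.
    if net.prefixlen > MIN_PREFIX:
        raise ValueError(f"{cidr}: Azure subnets must be /{MIN_PREFIX} or larger")
    base = net.network_address
    return {
        "network": str(base),
        "gateway": str(base + 1),
        "azure_dns": [str(base + 2), str(base + 3)],
        "broadcast": str(net.broadcast_address),
        "first_usable": str(base + 4),
        "last_usable": str(net.broadcast_address - 1),
        "usable_count": net.num_addresses - AZURE_RESERVED,
    }

def smallest_prefix_for(required_addresses):
    """Longest prefix (smallest subnet) that still leaves `required_addresses`
    usable after Azure's five reservations. Walks from /29 towards /1."""
    for prefix in range(MIN_PREFIX, 0, -1):
        if 2 ** (32 - prefix) - AZURE_RESERVED >= required_addresses:
            return prefix
    raise ValueError("no IPv4 subnet is large enough")

if __name__ == "__main__":
    print(azure_subnet_plan("10.0.0.0/28"))          # usable_count 11
    print("50 instances need a /%d" % smallest_prefix_for(50))   # /26
```

The reverse lookup is where people get caught: 50 instances do not fit a /26 "minus a few", they fit a /26 exactly because 64 minus 5 leaves 59, and a /27 leaves only 27.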
VNet peering is non-transitive — If A peers with B, and B peers with C, A cannot reach C through B. Fix it with a direct A↔C peering, or route A→C through an NVA or Azure Firewall in B with user-defined routes. "Allow gateway transit" / "Use remote gateways" only lets spokes use B's VPN or ExpressRoute gateway to reach on-premises; it does not make spoke-to-spoke traffic transitive.
NSG lower number = higher priority — Rule 100 is evaluated before rule 200. The first matching rule wins. Default deny rules have priorities 65000+.
NSG health probe source IP = 168.63.129.16 — Azure Load Balancer health probes originate from 168.63.129.16 (the AzureLoadBalancer service tag). The default rule AllowAzureLoadBalancerInBound (priority 65001) already permits them; probes fail only when a custom Deny rule with a lower number matches first, and the backend is then removed from the pool. The same address serves DHCP, Azure DNS and the guest agent, so never block it outright.
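An NSG rule evaluator that reproduces the two points above (lowest number first, first match wins, default rules at 65000+) and shows how a custom Deny ahead of priority 65001 silently kills load-balancer probes. This is an added example, not Azure's data-path code or the IP Flow Verify tool: the default inbound rules use their real names and priorities, but the service tags are modelled as plain address sets (the 10.0.0.0/16 VNet range, the custom rules and the flows are constructed for the example).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags modelled as address sets so the check runs offline.
# The VNet range is an assumption; 168.63.129.16 is Azure's real probe source.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str          # "Allow" or "Deny"
    protocol: str        # "*", "Tcp", "Udp", "Icmp"
    source: str          # "*", a service tag, a CIDR or a single IP
    dest: str
    dest_ports: str      # "*", "443", "80-443", "22,3389"

@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

def addr_matches(spec, ip):
    if spec == "*":
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in SERVICE_TAGS.get(spec, [spec]))

def port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, flow):
    return (
        rule.protocol in ("*", flow.protocol)
        and addr_matches(rule.source, flow.src_ip)
        and addr_matches(rule.dest, flow.dst_ip)
        and port_matches(rule.dest_ports, flow.dst_port)
    )

def evaluate(rules, flow):
    """Lowest priority number is checked first; the first matching rule decides.
    Returns (access, rule name), the same answer IP Flow Verify reports."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "(no rule)"   # unreachable while the default rules are present

# Azure's default inbound rules (real names and priorities).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*", "*"),
]
# Constructed custom rules: a sensible HTTPS allow, and the classic mistake of
# denying the "unknown" 168.63.129.16 source at a priority below 65001.
CUSTOM = [Rule(100, "Allow-HTTPS-In", "Allow", "Tcp", "Internet", "*", "443")]
BAD_RULE = Rule(200, "Deny-Unknown-Source", "Deny", "*", "168.63.129.16", "*", "*")

def demo(include_bad_rule):
    rules = DEFAULT_INBOUND + CUSTOM + ([BAD_RULE] if include_bad_rule else [])
    return {
        "https_from_internet": evaluate(rules, Flow("Tcp", "203.0.113.5", "10.0.1.4", 443)),
        "ssh_from_internet": evaluate(rules, Flow("Tcp", "203.0.113.5", "10.0.1.4", 22)),
        "rdp_from_vnet": evaluate(rules, Flow("Tcp", "10.0.2.7", "10.0.1.4", 3389)),
        # LB probe hitting the backend port 8080 behind a 443 frontend
        "lb_health_probe": evaluate(rules, Flow("Tcp", "168.63.129.16", "10.0.1.4", 8080)),
    }

if __name__ == "__main__":
    for bad in (False, True):
        print("with bad rule" if bad else "defaults + HTTPS", demo(bad)["lb_health_probe"])
```

With only the defaults and the HTTPS rule, the probe lands on AllowAzureLoadBalancerInBound at 65001. Add the 200-priority deny and the probe is dropped before 65001 is ever consulted, which is exactly the "backend unhealthy, but the app works when I hit the VM directly" symptom; the custom HTTPS allow does not help because the probe targets the backend port, not 443.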
Service endpoint vs private endpoint — Service endpoint: traffic stays on Azure backbone, source IP = VNet IP, service stays public. Private endpoint: PaaS service gets a private IP in your VNet, accessible from on-premises.
Azure Bastion SKU differences — Developer: free, runs on a shared pool rather than a dedicated host in your VNet, one VM connection at a time. Basic: deployed in your VNet, RDP/SSH through the portal. Standard: custom ports, IP-based connection, native client support, host scaling. Premium: session recording and private-only deployment.
Private endpoint DNS resolution — Private endpoints require a private DNS zone (e.g. privatelink.blob.core.windows.net). Without it, the FQDN resolves to the public IP, bypassing the private endpoint.
UDR Next Hop "None" = black hole — Setting next hop type to None drops all matching traffic silently. Used to prevent traffic from leaving a VNet for specific prefixes.
Standard LB is zone-aware and closed by default — Standard Load Balancer supports Availability Zones (zone-redundant or zonal frontends), supports HTTPS health probes, and allows NO inbound traffic until an NSG explicitly permits it. Basic LB has no zone support, is open by default, and must use Basic public IPs (SKUs cannot be mixed); it is retired on 30 September 2025.
Auto-registration: one private DNS zone per VNet — A VNet can be linked with auto-registration enabled to only ONE private DNS zone; a second auto-registration link from the same VNet fails. The zone side is not the bottleneck: one zone accepts up to 100 registration VNets plus many more resolution-only links.
Monitor & Maintain · 10 facts
Platform metrics = automatic, 93-day retention — Collected for all Azure resources with no configuration. Retained for 93 days. No cost for standard platform metrics.
Logs require a diagnostic setting — Resource logs are NOT collected automatically. You must configure a diagnostic setting to route them to Log Analytics, Storage, Event Hub, or a partner solution.
Log Analytics default retention = 30 days — Interactive retention defaults to 30 days and can be raised to 730 days (2 years) per workspace or per table; the first 31 days are included, anything longer is billed per GB retained. Beyond interactive retention, long-term (archive) retention keeps data up to 12 years at lower cost, queryable only through search jobs or a restore.
IP Flow Verify vs Next Hop — IP Flow Verify tests if a packet is allowed or denied by NSG rules. Next Hop shows the routing decision (where the packet will be sent). Different tools for different problems.
Alert processing rules ≠ alert rules — Alert rules define when an alert fires. Alert processing rules modify what happens when an alert fires (suppress, reroute, add action group). They are separate resources.
VM Insights Map requires Dependency Agent — The Performance tab works with just the Azure Monitor Agent. The Map tab (showing connections between VMs and processes) requires the Dependency Agent as well.
Recovery Services vault vs Backup vault — RSV: VMs, SQL in VM, SAP HANA, Azure Files. Backup vault: Azure Blobs, Azure Disks, PostgreSQL. Use the newer Backup vault for blob and disk workloads.
RSV storage replication type locks after first backup — You can change LRS/GRS/ZRS on a Recovery Services vault before the first backup is registered. After the first backup, the setting is locked.
ASR test failover is non-disruptive — Test failover spins up VMs in an isolated network without affecting production. It does NOT affect the replication state. Always run a test failover before a real failover.
Reprotect before failback — After failing over to the secondary region, you MUST reprotect (reverse replication direction) before you can fail back. Reprotect is not optional.