AZ-104 Azure Administrator Training

Comprehensive, hands-on training materials for Microsoft Azure Administrator (AZ-104) certification

This repository provides structured learning paths combining conceptual lessons with practical labs, covering all five core domains of Azure administration.

📋 Repository Overview

Structure: Each module contains conceptual lessons and hands-on labs organized by topic

• Lessons: Theory, text-based architecture diagrams, and best practices
• Labs: Two tracks per module: labs/cli-arm/ and labs/portal/
• Parameterization: All labs use variables and .env files for portable, reusable configuration
• Cleanup: Every lab includes explicit cleanup steps (e.g., az group delete, rm -f .env)
• Portal Labs: All portal labs are written as detailed, step-by-step instructions (not just high-level)

Default Configuration:

• Region: australiaeast
• Environment: .env files for portable configuration

---

🎓 Training Modules

Module 01: Identity & Governance

Focus: Azure AD (Entra ID), RBAC, managed identities, and governance controls

📖 Lessons

• Entra ID Basics - Azure Active Directory fundamentals, users, groups, and authentication
• Role-Based Access Control (RBAC) - Permission management with built-in and custom roles
• Managed Identities - System and user-assigned identities for secure service authentication
• Azure Policy - Policy definitions, compliance evaluation, and enforcement for governance
• Resource Management: Locks & Tags - Resource protection with locks and organization with tags

🧪 Labs

• RBAC Role Assignment (CLI + ARM) | Portal - Assign Azure roles to users and service principals
• Managed Identity Storage Access (CLI + ARM) | Portal - Configure managed identity to access Azure Storage without credentials
• Tags, Locks & Policy (CLI + ARM) | Portal - Apply resource tags, deletion locks, and Azure Policy
• Entra Users, Groups & Group-Based RBAC (CLI + ARM) | Portal - Create Entra users/groups and assign RBAC through group membership

Module 02: Virtual Networking

Focus: VNets, subnets, NSGs, peering, routing, DNS, and load balancing

📖 Lessons

• VNet & Subnets - Virtual networks, address spaces, and subnet segmentation
• VNet Peering - Connect virtual networks with global and regional peering
• Network Security Groups (NSG) & ASG - Traffic filtering with security rules and application security groups
• Routing & User-Defined Routes (UDR) - Custom route tables and network virtual appliances
• Azure DNS - Public and private DNS zones for name resolution
• Private Endpoints - Secure PaaS services with private connectivity
• Load Balancing - Azure Load Balancer, Application Gateway, and Traffic Manager

🧪 Labs

• Create VNet, Subnets & NSG (CLI + ARM) | Portal - Build segmented VNet networking with NSG association and rule validation
• VNet Peering Connectivity (CLI + ARM) | Portal - Configure bidirectional peering and validate connected state
• UDR Routing Simulation (CLI + ARM) | Portal - Create route tables, custom routes, and subnet associations
• Private Endpoint for Storage with DNS (CLI + ARM) | Portal - Deploy private endpoint + private DNS integration for blob access
• Basic Load Balancer (CLI + ARM) | Portal - Build Standard public load balancer frontend, probe, rule, and backend pool setup

Module 02 lab quality baseline:

• CLI + ARM labs are fully parameterized with .env and include validation + cleanup.
• Portal labs are detailed step-by-step and aligned with equivalent CLI outcomes.
• Networking diagrams in labs are text-based (no Mermaid).

Module 03: Azure Storage

Focus: Storage account design, redundancy, blob lifecycle, Azure Files, and secure data access

📖 Lessons

• Storage Accounts & Redundancy - Storage account capabilities, performance models, and redundancy choices including LRS, ZRS, GRS, and GZRS variants
• Blob Storage & Lifecycle Management - Blob types, access tiers, lifecycle rules, and data protection controls
• Azure Files - Azure Files architecture, SMB/NFS considerations, share tiers, and hybrid file scenarios
• Storage Security: SAS vs RBAC - Data-plane authorization with Azure RBAC, SAS, and supporting network controls

🧪 Labs

• Storage Account & Blob Container (CLI + ARM) | Portal - Create a private blob container, upload content, and validate download flow
• Lifecycle Policy (CLI + ARM) | Portal - Configure and validate a lifecycle rule that moves block blobs to Cool storage
• Azure Files Share (CLI + ARM) | Portal - Create an SMB-based Azure file share, set quota, and validate file upload
• SAS vs RBAC (CLI + ARM) | Portal - Compare delegated SAS access with identity-based Azure RBAC authorization

Module 03 lab quality baseline:

• CLI + ARM labs are fully parameterized with .env and include validation + cleanup.
• Portal labs are detailed step-by-step and aligned with equivalent CLI outcomes.
• Storage lab diagrams are text-based (no Mermaid).

Module 04: Compute Resources

Focus: VM operations, availability design, scaling strategy, App Service administration, and container runtimes

📖 Lessons

• Virtual Machines - VM resource model, lifecycle states, dependency troubleshooting, and secure operations
• Availability Sets & Zones - Availability set versus zonal architecture and resilience trade-offs
• Scaling - Scale up/down versus out/in, VMSS autoscale policy design, and App Service plan scaling semantics
• App Service - Plan tiers, app configuration, deployment slots, and networking behavior
• Containers: ACR, ACI & ACA - Image registry workflows, runtime selection, and secure image pull patterns

🧪 Labs

• Deploy a Virtual Machine (CLI + ARM) | Portal - Deploy Linux VM with subnet-level NSG control and runtime/network validation
• VM Availability (CLI + ARM) | Portal - Deploy two VMs in one availability set and validate domain-aware placement
• VMSS Autoscale (CLI + ARM) | Portal - Configure bounded CPU-based autoscale policies for VM Scale Sets
• App Service Deploy (CLI + ARM) | Portal - Create App Service plan + web app and verify configuration/runtime endpoint behavior
• ACR & ACI Container (CLI + ARM) | Portal - Build in ACR and deploy to ACI with private image pull validation

Module 04 lab quality baseline:

• CLI + ARM labs are fully parameterized with .env and include validation + cleanup.
• Portal labs are detailed step-by-step and aligned with equivalent CLI outcomes.
• Compute lab diagrams are text-based (no Mermaid).

Module 05: Monitoring & Backup

Focus: Azure Monitor observability, operational alerting, backup recoverability, and resilience planning

📖 Lessons

• Azure Monitor Foundations - Signal taxonomy, data routing patterns, and troubleshooting workflow across metrics, activity logs, and resource logs
• Log Analytics & KQL - Workspace/table model, query design, and collection-path precision for operational investigation
• Alerts & Action Groups - Alert type selection, noise-control strategy, and action routing design for reliable response
• Azure Backup - Vault/policy/recovery-point behavior, restore paths, and governance practices
• Azure Site Recovery - Replication, failover/failback lifecycle, and DR validation expectations
• Availability & Resilience - SLA, RTO/RPO design reasoning and HA/Backup/DR decision alignment

🧪 Labs

• Enable VM Insights (CLI + ARM) | Portal - Build VM + Log Analytics pipeline, onboard VM Insights, and validate Heartbeat/KQL ingestion
• Create Alert & Action Group (CLI + ARM) | Portal - Create reusable Action Group and CPU metric alert with rule/action validation
• Backup & Restore VM (CLI + ARM) | Portal - Enable VM backup in Recovery Services vault and validate restore workflow safely
• Service Health + Resource Health Alerts (CLI + ARM) | Portal - Configure subscription-scope Activity Log alerts and shared health notification routing

Module 05 lab quality baseline:

• CLI + ARM labs are fully parameterized with .env and include explicit validation + cleanup.
• Portal labs are detailed step-by-step and aligned with equivalent CLI outcomes.
• Monitoring diagrams in lessons/labs are text-based (no Mermaid).

---

🚀 Getting Started

One-Time Setup

Run this script to install all required tools and authenticate with Azure:

./shared/scripts/az_login.sh

What it does:

• ✅ Installs Azure CLI (if not present)
• ✅ Installs Bicep CLI (for infrastructure as code)
• ✅ Installs jq (for JSON parsing)
• ✅ Logs you into Azure
• ✅ Displays your active subscription

Note: You only need to run this once per environment. If already logged in, just skip this step.

---

Best Practices

✅ Before starting: Run ./shared/scripts/az_login.sh to set up your environment
✅ Read first: Review Portal instructions before running CLI commands
✅ Understand: Know what each command does before executing
✅ Monitor costs: Check Azure Portal regularly to avoid unexpected charges ✅ Use .env files for portable lab configuration (add .env to .gitignore) ✅ Clean up: Always delete lab resources after completion (including the .env files)

Tip: To see all your lab resource groups, run:

az group list --query "[?starts_with(name,'az104-')].{Name:name,Location:location}" -o table

---

📁 Repository Structure

.
├── README.md
├── docs/
│   ├── cost-safety.md
│   ├── naming-standards.md
│   ├── prerequisites.md
│   └── toc.md
├── modules/
│   ├── 01-identity/
│   │   ├── README.md
│   │   ├── labs/
│   │   │   ├── cli-arm/
│   │   │   │   ├── 01-rbac-role-assignment.md
│   │   │   │   ├── 02-managed-identity-storage-access.md
│   │   │   │   ├── 03-tags-lock-policy.md
│   │   │   │   └── 04-entra-users-groups-rbac.md
│   │   │   └── portal/
│   │   │       ├── 01-rbac-role-assignment.md
│   │   │       ├── 02-managed-identity-storage-access.md
│   │   │       ├── 03-tags-lock-policy.md
│   │   │       └── 04-entra-users-groups-rbac.md
│   │   └── lessons/
│   │       ├── 01-entra-id-basics.md
│   │       ├── 02-rbac.md
│   │       ├── 03-managed-identities.md
│   │       ├── 04-azure-policy.md
│   │       └── 05-resource-management-locks-tags.md
│   ├── 02-networking/
│   │   ├── README.md
│   │   ├── labs/
│   │   │   ├── cli-arm/
│   │   │   │   ├── 01-create-vnet-subnets-nsg.md
│   │   │   │   ├── 02-vnet-peering-connectivity.md
│   │   │   │   ├── 03-udr-routing-simulation.md
│   │   │   │   ├── 04-private-endpoint-storage-dns.md
│   │   │   │   └── 05-basic-load-balancer.md
│   │   │   └── portal/
│   │   │       ├── 01-create-vnet-subnets-nsg.md
│   │   │       ├── 02-vnet-peering-connectivity.md
│   │   │       ├── 03-udr-routing-simulation.md
│   │   │       ├── 04-private-endpoint-storage-dns.md
│   │   │       └── 05-basic-load-balancer.md
│   │   └── lessons/
│   │       ├── 01-vnet-subnets.md
│   │       ├── 02-vnet-peering.md
│   │       ├── 03-nsg-asg.md
│   │       ├── 04-routing-udr.md
│   │       ├── 05-azure-dns.md
│   │       ├── 06-private-endpoints.md
│   │       └── 07-load-balancing.md
│   ├── 03-storage/
│   │   ├── README.md
│   │   ├── labs/
│   │   │   ├── cli-arm/
│   │   │   │   ├── 01-storage-account-blob-container.md
│   │   │   │   ├── 02-lifecycle-policy.md
│   │   │   │   ├── 03-azure-files-share.md
│   │   │   │   └── 04-sas-vs-rbac.md
│   │   │   └── portal/
│   │   │       ├── 01-storage-account-blob-container.md
│   │   │       ├── 02-lifecycle-policy.md
│   │   │       ├── 03-azure-files-share.md
│   │   │       └── 04-sas-vs-rbac.md
│   │   └── lessons/
│   │       ├── 01-storage-accounts-redundancy.md
│   │       ├── 02-blob-lifecycle.md
│   │       ├── 03-azure-files.md
│   │       └── 04-storage-security-sas-rbac.md
│   ├── 04-compute/
│   │   ├── README.md
│   │   ├── labs/
│   │   │   ├── cli-arm/
│   │   │   │   ├── 01-deploy-vm.md
│   │   │   │   ├── 02-vm-availability.md
│   │   │   │   ├── 03-vmss-autoscale.md
│   │   │   │   ├── 04-app-service-deploy.md
│   │   │   │   └── 05-acr-aci-container.md
│   │   │   └── portal/
│   │   │       ├── 01-deploy-vm.md
│   │   │       ├── 02-vm-availability.md
│   │   │       ├── 03-vmss-autoscale.md
│   │   │       ├── 04-app-service-deploy.md
│   │   │       └── 05-acr-aci-container.md
│   │   └── lessons/
│   │       ├── 01-virtual-machines.md
│   │       ├── 02-availability-sets-zones.md
│   │       ├── 03-scaling.md
│   │       ├── 04-app-service.md
│   │       └── 05-containers-acr-aci-aca.md
│   └── 05-monitoring/
│       ├── README.md
│       ├── labs/
│       │   ├── cli-arm/
│       │   │   ├── 01-enable-vm-insights.md
│       │   │   ├── 02-create-alert-action-group.md
│       │   │   ├── 03-backup-and-restore-vm.md
│       │   │   └── 04-service-health-resource-health-alerts.md
│       │   └── portal/
│       │       ├── 01-enable-vm-insights.md
│       │       ├── 02-create-alert-action-group.md
│       │       ├── 03-backup-and-restore-vm.md
│       │       └── 04-service-health-resource-health-alerts.md
│       └── lessons/
│           ├── 01-azure-monitor.md
│           ├── 02-log-analytics-kql.md
│           ├── 03-alerts-action-groups.md
│           ├── 04-azure-backup.md
│           ├── 05-azure-site-recovery.md
│           └── 06-availability-resilience.md
└── shared/
    └── scripts/
        └── az_login.sh

📊 5 modules • 27 lessons • 44 labs (22 CLI+ARM + 22 Portal) • 82 total files

---

🛡️ Cost Safety

All labs are designed with cost optimization:

• Small VM sizes (B1s tier)
• Short-lived resources
• Async deletion (--no-wait)
• Default to australiaeast region
• .env files excluded from version control

---

🎯 Exam Preparation

These materials align with the official AZ-104 exam domains:

• Identity & Governance (15-20%)
• Storage (15-20%)
• Compute (20-25%)
• Networking (25-30%)
• Monitoring & Backup (10-15%)

Good luck with your certification! 🎓

---

🧑‍🏫 Author: Georges Bou Ghantous

AZ-104 certification training materials with 27 lessons and 44 hands-on lab guides (22 CLI+ARM and 22 Portal) covering all five Azure Administrator exam domains.

---