Category: Microsoft Certifications

Exploring Certifications: Microsoft Azure Security Engineer Associate

Who is this certification for?

This certification is for those who implement security measures in Azure. Unlike an architect certification, where a lot of the knowledge required is about planning and designing, the security engineer cert is more about getting into the nuts and bolts of security.

Someone who has gained the knowledge required to pass this exam should be able to deploy and monitor security measures in areas such as implementing security controls and setting up identity and access permissions. Additionally, they will be able to safeguard data, applications, and networks across Azure, multi-cloud, and hybrid environments.

This exam and resulting qualification could therefore be described as a security-focused equivalent to the Azure Administrator certification.

Exam requirements

To obtain the Azure Security Engineer Associate certification, only one exam, AZ-500, is required. There are no prerequisites for taking the AZ-500 but if you haven’t already, passing AZ-900 and AZ-104 before attempting AZ-500 will give you a solid foundation and a lot of confidence in knowing where to navigate to find features relevant to security posture.

Topics covered

The headline knowledge areas that make up the AZ-500 are manage identity and access, secure networking, manage security operations, and secure compute, storage, and databases. Each is weighted at roughly one quarter of the exam. Let’s dive into each one individually and see what you can expect to see.

The manage identity and access topic unsurprisingly covers the various features and functionality of Microsoft Entra ID (formerly Azure Active Directory). There is a section on managing identities which covers user management, groups, leveraging external identities and implementing Microsoft Entra Identity Protection. The next section covered is manage authentication by using Microsoft Entra ID, which includes the two methods for working with Active Directory identities: Entra Connect and Entra Cloud Sync. This part also covers the methods used to authenticate credentials between an AD domain and an Entra tenant, namely password hash synchronisation, pass-through authentication and federation. The remainder of this important part covers technologies such as MFA, passwordless authentication, password protection, Entra ID single sign-on (SSO), Microsoft Entra Verified ID and modern authentication protocols. The final section of manage identity and access is manage application access in Microsoft Entra ID, centred around Entra ID app registration, managed identities and service principals. This section, and the topic itself, is concluded with Microsoft Entra Application Proxy.

Entra ID is an important subject area for any Azure Security Engineer.

The next topic in the AZ-500 learning path is a favourite of mine, networking. This is networking features in Azure with an emphasis on security. It is broken into 3 sections, the first of which is plan and implement security for virtual networks. For this part of the syllabus, the candidate is expected to know about Azure Virtual Networks, with a focus on Network Security Groups (NSGs), Application Security Groups (ASGs), User-Defined Routes (UDRs), Virtual Network peering, VPN gateways, Virtual WAN and ExpressRoute, which includes demonstrating how to encrypt traffic over an ER circuit. This section is concluded with configuring firewall settings on PaaS resources and describing each of the network monitoring and diagnostic tools and their use case. Next up is plan and implement security for private access to Azure resources, where we are looking at services including service endpoints, Private Link and private endpoints. Then the module looks at network integration for Azure App Service and Azure Functions before going on to look at network security configurations for an App Service Environment (ASE) and for Azure SQL Managed Instances. The subject of the final networking module is plan and implement security for public access to Azure resources. For this, we start with implementing Transport Layer Security (TLS) to applications, including Azure App Service and API Management, followed by Azure Firewall, Azure Firewall Manager and firewall policies. The remainder of this module comprises many of the Azure public-facing load balancers and supporting services, including Azure Application Gateway (including Web Application Firewall (WAF)) and Azure Front Door (including Content Delivery Network (CDN)). This module, and networking as a whole, concludes by covering Azure DDoS Protection Standard.

The penultimate topic is secure compute, storage, and databases, and it begins with a module entitled plan and implement advanced security for compute. This contains security best practice for many Azure compute services. It discusses Azure Bastion and just-in-time (JIT) virtual machine (VM) access and then moves onto network isolation for Azure Kubernetes Service (AKS). Then there is coverage of securing Azure Kubernetes Service (AKS), Azure Container Instances (ACIs), Azure Container Apps (ACAs) and Azure Container Registry (ACR). The module is concluded with Azure Disk Encryption (ADE) and recommended security configurations for Azure API Management. The next module is plan and implement security for storage. This section describes securing the storage account itself, including account keys. Then it covers selecting and configuring an appropriate method for access to Azure files, blobs, tables and queues. Thereafter, the syllabus moves to methods for protecting against data security threats, including soft delete, backups, versioning and immutable storage, followed by requiring the candidate to have knowledge of bringing your own key (BYOK). The storage section is concluded with enabling double encryption at the Azure Storage infrastructure level. Plan and implement security for Azure SQL Database and Azure SQL Managed Instance is the module that covers authentication, monitoring and auditing, some light coverage of Purview, and wraps up with some key SQL DB security features: dynamic data masking, transparent data encryption and Always Encrypted.

Knowledge on the different Defender products will be useful for exam success

Manage security operations concludes the topic headers for the current Microsoft Azure Security Engineer Associate syllabus. To kick this off, the plan, implement, and manage governance for security section begins with what Azure governance is, then covers core Azure services that provide guardrails against a would-be compromised security posture. These include Azure Policy and initiatives, Azure Blueprints, Azure Landing Zones and the largest topic for this part, Azure Key Vault. The second module is manage security posture by using Microsoft Defender for Cloud. This gives us a high-level overview of Defender for Cloud concepts such as secure score, adding industry and regulatory standards, custom initiatives, connecting hybrid cloud and multicloud environments and External Attack Surface Management (Defender EASM). If you made it this far, you have done well – just two more modules to go, starting with configure and manage threat protection by using Microsoft Defender for Cloud. This one is a long one because of all the various components that make up Defender for Cloud. They include enabling workload protection services, and configuring Defender for Servers and Defender for Azure SQL Database. A large part of this module pertains to setting up container security in Defender before moving on to sections that focus on Microsoft Defender Vulnerability Management, Defender for Storage, and DevOps and GitHub security, then concluding with security alerts, automation and evaluating vulnerability scans from Microsoft Defender for Servers. The final module is configure and manage security monitoring and automation solutions, which begins with monitor security events by using Azure Monitor and concludes with the setup, alerting and automation of Microsoft Sentinel.

Exam hints and tips

It’s worth knowing that, unlike many other tests you can take from any number of vendors, Microsoft exams are not there to trip you up. There are no trick questions so always go with the obvious answer, taking into account all parameters in the question. Whilst there are no trick questions, if you misread or skip a part of the question, this could alter what you think the answer is.

If you are new to cybersecurity, or at least new to it in the context of Azure and the Microsoft ecosystem, consider studying for and sitting the SC-900, Microsoft Certified: Security, Compliance, and Identity Fundamentals exam to ease you into this path. It gives a solid overview, builds confidence and if you take the exam and pass, you will have another certification to your name.

Microsoft exams test a candidate on services that are GA (generally available). They do not (should not) test on things that are in public or private preview. However, there have been a few exceptions to this rule where a product hasn’t technically left public preview but is a de facto solution now.

Be sure to check out more tips on the other certification posts. You can access them via the post archive.

Recommended resources

To start, please ensure you read through all the resources linked on the official Microsoft specific AZ-500 course.

You may be unsurprised to know that, for excellent video learning, I will point you to John Savill’s AZ-500 playlist, which includes one of his famous crams, in this case, the AZ-500 study cram.

Applied skills complement certifications.
Image Credit: Microsoft

Be sure to try some of the security-focused Microsoft Applied Skills. These lab-based assessments will give you practical skills to solve security challenges you may encounter in real-world scenarios.

Next steps

If you are working in cybersecurity or want to demonstrate a deeper knowledge of security matters that relate to the Microsoft stack, then consider the Microsoft Certified: Cybersecurity Architect Expert certification. This expert level exam will focus on designing the security infrastructure the engineers would roll out and maintain.

To obtain the Microsoft Certified: Cybersecurity Architect Expert cert, you need to pass the SC-100 exam plus one of the following:

  • Microsoft Certified: Azure Security Engineer Associate (exam AZ-500)
  • Microsoft Certified: Identity and Access Administrator Associate (exam SC-300)
  • Microsoft Certified: Security Operations Analyst Associate (SC-200)

You can take the SC-100 and AZ-500, for example, in either order and once you have both, you will obtain the Microsoft Certified: Cybersecurity Architect Expert badge!

Exploring Certifications: Microsoft Azure Solutions Architect Expert

Widely accepted as the pinnacle of Azure Certifications, many choose to aim for the Azure solutions architect certification after completing several fundamentals and associate level certifications in the Azure space. It is an expert level certification and covers the architecture design of cloud computing in Azure. Whilst one of the required exams relates to administration, the principal role of an architect is in planning the infrastructure and choosing the best services for a given workload, factoring in customer and regulatory requirements.

Let’s look at this certification in more detail.

Who is this certification for?

Being an expert level certification, it assumes some knowledge and experience in IT already, and more specifically in the Azure cloud environment. You could be gaining knowledge through learning, through practice or a combination of the two. Someone who is in an Azure administrator or helpdesk role may consider this certification to move up into becoming a cloud architect. A cloud architect, specifically an Azure cloud architect, will help organisations transition to the cloud or improve existing cloud assets by rearchitecting into cloud native solutions, potentially adding the ability to scale and/or designing redundancy into their applications.

Considering a career in cloud architecture

Internally at Microsoft, there are Azure customer success managers (CSMs), who can move into an Azure cloud solution architect (CSA) role. Obtaining this certification is highly advantageous for the CSA position, or for potentially joining the company as a CSA if Microsoft is recruiting externally. Azure has many partners and end-user customers, many of whom will be recruiting for cloud architects.

Exam requirements

Previously, this certification was achieved by passing two exams, one regarding the technology and one regarding the design – AZ-303 and AZ-304 were the last iterations of this format. Now, there are still two exams to pass but one is a certification in itself and is likely already in many Azure professionals’ portfolios: the AZ-104, Microsoft Azure Administrator. The other exam is the AZ-305, Microsoft Azure Architect Design. You can take the exams in either order but the Microsoft Certified: Azure Solutions Architect Expert certification is not awarded until both exams have been passed.

The certification is valid for 1 year and you can revalidate your certification to extend year on year by passing an assessment. You can take the assessment 180 days before expiry right up to the expiry date. You don’t have to renew the Azure administrator certification to keep the Azure architect certification, but it would be nice to think you would renew all the certifications as they become eligible to do so.

In a previous blog post, we have gone through the AZ-104 exam and related certification, so in this post we will cover the AZ-305.

Topics covered

Microsoft’s own learning path material starts with a prerequisite set of modules, which includes core architectural components of Azure, describing compute, networking and storage services. There is a module on identity, access and security and another on the Microsoft Cloud Adoption Framework for Azure. The prerequisite modules conclude with an introduction to the Microsoft Azure Well-Architected Framework. Your experience and how recently you have covered these areas will determine whether you want to work through these or not. Now, let’s continue with the actual modules that are part of the AZ-305 and should cover the skills measured.

Role-based access control is a central feature of identity and governance

The first learning path is titled design identity, governance, and monitor solutions. Most of this should be familiar to those who have already completed the Azure administrator certification. The first module in this learning path is design governance, which deals with the management group > subscription > resource group hierarchy as well as tags, policies, role-based access control (RBAC) and landing zones. This is followed by design authentication and authorization solutions, which is very Entra ID heavy, including business-to-business (B2B), business-to-consumer (B2C), conditional access, identity protection, access reviews, service principals and managed identities. There is also a section on Azure Key Vault. The last module in this learning path is design a solution to log and monitor Azure resources, which covers Azure Monitor, Log Analytics workspace and Azure Data Explorer.

The next learning path in the series is design business continuity solutions. Its first module, describe high availability (HA) and disaster recovery (DR) strategies, includes HA and DR for PaaS and IaaS resources, Recovery Time Objective (RTO) and Recovery Point Objective (RPO) considerations, and what to plan for in hybrid (cloud and on-prem) scenarios. The other module in this learning path is design a solution for backup and disaster recovery, which focuses on Azure Backup, specifically for Azure blob, Azure files, Azure virtual machine, and Azure SQL backup and recovery. Lastly for this module, designing for Azure Site Recovery is included.

The third AZ-305 learning path is design data storage solutions, which begins with a module on designing a data storage solution for non-relational data. This will be all things storage accounts and specifically blob storage and Azure files. Also covered are Azure managed disks, data redundancy and storage security. The next module is, not surprisingly, design a data storage solution for relational data, covering Azure SQL Database, Azure SQL Managed Instance, SQL Server on Azure virtual machines and Azure SQL Edge. Items you are asked to consider include database scalability, availability and security for data at rest, in transit and in use. To conclude the module, we have table storage and the Cosmos DB Table API. The third and final storage solutions module is design data integration, where the candidate will be asked to consider solutions that involve Azure Data Factory, Azure Data Lake, Azure Databricks, Azure Synapse Analytics and Azure Stream Analytics. An important part of this data integration section is designing strategies for hot, warm, and cold data paths.

Azure Migrate is a suite of tools to aid cloud onboarding

The largest section in the skills measured, some 30-35% of the exam score, is designing infrastructure solutions, so we will go through what is required in this subject area now. The first module is design an Azure compute solution and covers a large number of Azure compute services including virtual machines, Azure Batch, Azure App Service, Azure Container Instances (ACI), Azure Kubernetes Service (AKS), Azure Functions and Azure Logic Apps. Choosing the right compute service is a key part of cloud architecture so it is important to have these down pat. Next is design an application architecture, which mostly covers Azure event and messaging solutions, namely Azure Queue Storage, Azure Service Bus, Azure Event Hubs, and Azure Event Grid. There is a section on designing an automated app deployment solution using ARM templates or Bicep. Also covered in the apps section are Azure Cache for Redis, Azure API Management and Azure App Configuration.

The number of components mentioned in the design network solutions learning path is considerable. It begins with general networking considerations, thinking about IP addressing, selecting a region, and choosing a topology; hub-and-spoke is the most popular so expect this to be featured in the exam. Azure virtual network NAT and route tables (system and user-defined routes (UDR)) are also included. The section in the module on on-premises connectivity to Azure virtual networks expects a knowledge of when to use Azure VPN Gateway or Azure ExpressRoute (with optional VPN failover) and when Azure Virtual WAN may be appropriate. Staying with networking, a section is dedicated to application delivery services, which mainly deals with load balancing solutions, namely Azure Front Door, Azure Traffic Manager, Azure Load Balancer and Azure Application Gateway. You are expected to know when to use a given solution depending on regional or global requirement, working on OSI layer 4 or 7 and if the workload is internal or public facing. You should also know when to use the Azure Content Delivery Network (CDN). Then, to wrap up networking, there’s the section on designing application protection services, which again contains a lot of services including Azure DDoS Protection, Azure Private Link, Azure Web Application Firewall, Azure Firewall, virtual network security groups (NSGs), service endpoints, Azure Bastion and JIT network access.

Design migrations is the final module of the infrastructure learning path. It begins with understanding the Azure migration framework as part of the wider Cloud Adoption Framework. This module then develops into leveraging tools that assist with the migration journey, including Service Map, Azure Total Cost of Ownership (TCO) Calculator, Azure Migrate, Data Migration Assistant (DMA), Database Migration Service, Azure Cosmos DB Data Migration tool and Azure Resource Mover. The migration section concludes with the various methods to get data in and out of Azure. Azure Storage Migration Service, Azure File Sync, Azure Import/Export service, AzCopy, Azure Storage Explorer and Azure Data Box are services that are used to migrate your data. That is a lot but remember, this is design, so you won’t be going into these services in any great detail, only knowing when to use a solution for a given scenario.

The penultimate learning path for the AZ-305 exam is build great solutions with the Microsoft Azure Well-Architected Framework. This is an established process to follow to give a project in the cloud a great chance of success. The Microsoft Azure Well-Architected Framework consists of five pillars:

  • Cost optimization
  • Operational excellence
  • Performance efficiency
  • Reliability
  • Security

The candidate is expected to understand each of these pillars, so that any solution they architect takes these important factors into account. To help with learning, each pillar has its own module within the learning path.

Considering SQL DB as a service instead of SQL on VMs

The final learning path is accelerate cloud adoption with the Microsoft Cloud Adoption Framework for Azure. The concept here is to understand the goals, evaluate the project from an IT, financial and operational perspective and bring along stakeholders to champion the cloud adoption through its various stages. There is a whole module on using Azure landing zones to support your requirements for cloud operations as well as other modules on migration best practice, building in resilience and designing with security in mind. As part of the adoption journey, there needs to be consideration regarding minimum viable product, measuring project effectiveness and what success looks like.

Exam hints and tips

The first piece of advice, whether seasoned in Azure or not, would be to complete the fundamentals and administrator certs before attempting this exam. There is a fair bit of crossover and keeping the broad topics fresh is a good way to build up to the more complex concepts. Also, if possible, try not to leave too much of a gap between taking them. Keeping the momentum going is a good way of not forgetting things already learned.

In many Azure certifications, it is often recommended to have hands on practice with the different types of resources as well as learning the theory. The design infrastructure solutions exam however is just that, design. The implementation comes in the administrator exam so this one is much more high level and plays to describing best practice solutions, not the nuts and bolts of creating a resource and so forth. In a way, this exam has a lot in common with the Azure fundamentals exam – although of course it is markedly more difficult.

Following some hints and tips from others can help

Life is busy and this is a big exam and a big deal for your career and professional recognition. As such, if you can, reserve more time for study just before exam date, so you can have a bulk of recently stored knowledge to walk into the exam with. Make provisions with home and/or work to have more time to give yourself a last push, but keep it balanced. After several hours a day, it will become counter-productive to try to endure even more learning. Also don’t cram on the day of the test. By then the adrenaline will be blocking the ability to properly concentrate. My advice is also, don’t book the exam for the evening unless you are generally asleep in the daytime. These exams are long and take stamina. Early to mid-afternoon works well for me.

It’s always worth booking the exam before you are fully ready, to try and set a learning pace. If it gets close to the date and you feel you are still miles off, you can reschedule (or even cancel for a refund), so long as it is more than 24 hours before the exam start time. A lot of these exams is down to confidence; if you aren’t sure if you’ll pass or not, give it a go anyway. If you don’t pass, at least you will have some understanding of how far off the pass mark you are and what troubled you the most, so you can pass on the next attempt. I have often practiced with a real exam in this way; sometimes I pass to my surprise, sometimes not, and that is ok also.

There is more exam advice, much of which applies to this certification as well, on the Azure administrator and Azure fundamentals posts.

Recommended resources

This section is going to seem like a stuck record if you have read the AZ-900 and AZ-104 posts, but it has to be said: regardless of what 3rd party resources you decide to use to assist with your learning, you should consume the official Microsoft AZ-305 exam learning paths. They are curated to cover all aspects of the skills measured, so if it’s not in this content, it’s unlikely to be on the exam. There are some exercises in the prerequisite modules but the rest of the learning path is information only (being a design, not administrator exam, that makes sense, right?)

John Savill must be mentioned again. As discussed in previous posts, John’s YouTube content equals or surpasses much of the commercially available courses out there. Not only does John give up his free time to produce this huge body of work, he also refuses to monetise his YouTube channel, so you don’t even see ads! For this exam John provides an entire playlist of videos relevant to the exam including his hugely popular AZ-305 study cram.

John Savill’s AZ-305 is essential viewing before taking the exam

Beyond those two free resources, there is plenty of other free material online as well as many popular websites such as Pluralsight, Udemy, LinkedIn Learning and Cloud Academy offering a dedicated AZ-305 course. I haven’t reviewed any of these so cannot comment on their quality, so check out what is on offer with any paid subscriptions you already have or ask others who have recently certified what courses they used.

Next steps

Once you have achieved the Microsoft Certified: Azure solutions architect expert certification, you really do have so many options on what to choose next, we could almost list every Azure certification here. What you do next in terms of certification will depend a lot on your strengths, your interests and perhaps some influencing factors such as encouragement by your current employer to follow a certain path that is compatible with a skill shortage they have identified. Or perhaps you have been reading articles in the IT industry press about an overall shortage of skilled people in a certain IT category and you think a good career move would be to be qualified in that area of expertise.

Now you have one expert level certification, there are a couple of others in the Azure space – DevOps engineer expert & Cybersecurity architect expert, both of which require a couple of exams to get the qualification, but in some cases, you may already have one of these when working towards other goals. For example, the AZ-104 is one of the two exams required for the Azure solutions architect expert exam, but it also can be used along with the AZ-400 to obtain the DevOps engineer expert certification.

There are plenty of associate level certifications in all sorts of areas of Azure cloud such as data engineering, networking, security, AI, Developer and so on. There are also speciality certifications in subjects such as Cosmos DB, Azure virtual desktop and Azure for SAP workloads.

Exploring Certifications: Microsoft Azure Administrator Associate

For many Azure learners, the next logical certification to train for after completing Azure Fundamentals is Azure Administrator Associate. Whereas Fundamentals will provide an overview of cloud concepts and a broad insight into Azure services at a very high level, the Administrator certification is more in the nuts and bolts of popular Azure services covering compute, storage, networking, security, governance and backup.

Let’s look at this certification in more detail.

Who is this certification for?

As the name may suggest, the Azure Administrator certification is for those who want to demonstrate practical skills in using Azure, moving away from the conceptual view that Azure Fundamentals provides.

A candidate may have been using Azure for some time and want to validate their skills. Alternatively, if someone is an IT professional working with on-premises technology or has existing skills with another cloud provider, then gaining skills on Azure provides them and their organisation with options to move workloads into the cloud or devise a multi-cloud strategy.

A cloud administrator is a hands-on role so practice using the services

Passing the AZ-104 exam is also one of two exams you need to pass to gain your Microsoft Certified: Azure Solutions Architect Expert and Microsoft Certified: DevOps Engineer Expert badges, once you have also passed the AZ-305 and AZ-400 respectively. Whilst the latter can also be obtained by passing the AZ-204 (Azure Developer) instead, the fact you can unlock two expert level certifications with this one associate level cert makes it a strong choice to give yourself the most future opportunities, depending on your interests.

Exam requirements

To obtain the Microsoft Certified: Azure Administrator Associate certification, you have to pass a single exam, AZ-104: Microsoft Azure Administrator. There is no prerequisite exam or certification but if you haven’t already, why not attempt the AZ-900, Azure Fundamentals exam first? Whilst at a higher level, the fundamentals learning path has some crossover and would enhance your understanding.

Microsoft associate level certifications expire after one year, so they will require a yearly renewal assessment which can be completed as soon as six months before expiry. The renewal assessment is free and there are usually some modules Microsoft presents for you to study before taking the assessment. It is recommended to go through the modules as the idea of the certification renewal is to be up to date with your knowledge, and Microsoft shapes the content to cover new features and concepts. Be sure to take the assessment in plenty of time, so if you fail, you can take it again before it expires – you can take it as many times as you need.

Microsoft role-based (associate, speciality and expert, not fundamentals) exams are now open book, meaning you will have access to the Microsoft Learn website for the exam. There isn’t extra time given for using it, which forces the candidate to use it sparingly, but it may help on a question, such as recalling some CLI or PowerShell syntax for a given task.

Topics covered

As well as some perquisite subjects including Azure Resource Manager, ARM Templates, CLI and PowerShell, the five header learning path topics for the Azure Administrator Learning Path are Manage identities and governance in Azure, Implement and manage storage in Azure, Deploy and manage Azure compute resources, Configure and manage virtual networks for Azure administrators and Monitor and back up Azure resources. Let’s look at each section in more detail.

The first topic is Manage identities and governance in Azure which has a big emphasis on Microsoft Entra ID (formally Azure Active Directory). Entra ID is Microsoft’s Directory and Identity Management service in the Azure cloud, part of the wider Entra Identity and Access Management (IAM) solution. Moving into the practical parts of this section, the candidate is expected to know about user and group management, including administrative units there is also a need to understand guest accounts via Entra B2B. The learning path then moves onto Azure subscriptions and covers cost management and resource tagging. To implement guardrails, Azure policy is used to set what is allowed to help with cost and compliance considerations and can be set at management group, subscription or resource group level and are hierarchical. There is a big emphasis on role-based access control (RBAC) which generally is the best practice method of assigning permissions to resources. Lastly for this section there is self-service password reset which allows users to initiate their own password reset to cut down on administrator burden.

Next up is Implement and manage storage in Azure, in which the candidate will need to know about storage accounts and how they are used and secured. The first module in this learning path is configuring storage accounts, which requires a knowledge of blobs, queues, files and tables and their use cases. An important part of this section is storage replication strategies – it is highly likely to feature in the exam, as are public and private network access considerations. Blob storage is a major part of all public cloud offerings, so it’s no surprise there’s a whole module on it in the learning path and a high probability of it being in the exam. Being able to understand and implement the different blob access tiers, including using lifecycle management rules, is important. This is followed by deploying and managing Azure Files for NFS/SMB file sharing and using Azure File Sync as a file cache via on-prem or cloud-based Windows servers. The major security focus for storage is on Shared Access Signatures (SAS). To conclude the storage path, there’s a section on tools and services, namely Azure Storage Explorer, Azure Import/Export service and AzCopy.

Figure: Azure Shared Access Signatures. Creating a Shared Access Signature token in the Azure portal

A big subject area is the next topic, Deploy and manage Azure compute resources, which currently makes up 20-25% of the exam. It begins with creating and managing a Virtual Machine in the portal and CLI, with an emphasis on ensuring the candidate knows about correctly sizing the VM and choosing the correct storage performance for the requirements. There are sections on availability. This includes availability sets (update domains and fault domains), availability zones, scaling up and out (vertical and horizontal scaling) with a focus on VM scale sets and autoscaling. Moving away from VMs, the learning path includes Azure App Service. The Microsoft Learn content covers the concept of the App Service Plan and which plan is best for your application workload. What is interesting is that it lists the features and capacity of each of the plans. This may be a tough one to memorise, so a question on it would be a perfect use of the open book feature of the exam: for example, if you are asked which plan gives you the ability to run up to 30 instances and you cannot recall. Other areas in the App Service section are scaling, DevOps best practice including the use of deployment slots, security, custom domains, backing up and restoring, and monitoring your App Service using Application Insights. The last area covered is Azure Container Instances (ACI) to run Docker images in Azure.

The cornerstone of any cloud project is networking. Whether surfacing an internal application or hosting a publicly accessible website, networking configuration will need to be considered and deployed. Configure and manage virtual networks for Azure administrators is the learning path that covers all things networking. There are many services that fall under the networking umbrella, so there’s a lot to cover in this section. It begins with the virtual network (VNet). The VNet is the focal point for planning many Azure projects. The candidate will need to know about IP addressing and subnetting when building their VNets. Expanding on VNets themselves, virtual network peering is a service to connect virtual networks regionally or globally, even across different Azure tenants. Another area of focus is Network Security Groups (NSGs), which provide IP and port allow and deny rules (OSI layer 3 and 4) at subnet or NIC level. There are a fair number of DNS items to know about, such as DNS zones, including private DNS zones to manage and resolve domain names in your virtual network, and hosting your domain on Azure DNS. Routing and endpoints are on the skills path, with user defined routes (UDR) and service and private endpoints being essential items to know about, as it is highly likely that at least one of them will feature in a question. To conclude this section, there are two of the Azure load balancing solutions: Azure Load Balancer, which works at OSI layer 4, and Azure Application Gateway, which is an OSI layer 7 load balancer, making it able to do smart stuff like URL path or multi-site routing and offering the optional Azure Web Application Firewall (WAF) to defend against multiple threats.

Figure: Azure Backup Centre. Azure Backup Centre overview – a dashboard to check on backup health

Monitor and back up Azure resources is the final learning path for this certification. To kick off, Azure Backup provides robust, scalable and secure backup solutions for VMs (including SQL and SAP HANA in virtual machines), Azure Files, Azure Blob Storage, Azure managed disks and Azure Database for PostgreSQL server. Azure Backup can also back up on-premises machines and virtual machines using the Microsoft Azure Recovery Services (MARS) agent. Next, we move to monitoring, and the central hub for monitoring in Azure is Azure Monitor. The candidate is expected to know about logs and metrics that are generated from various Azure services, with a focus on using this data to create alerts when certain thresholds are exceeded. The Log Analytics workspace is generally where the logs and data are stored for Azure Monitor. For querying the data, Azure Log Analytics supports the Kusto Query Language (KQL), which is SQL-like and provides fast, powerful queries for examining events and exceptions. There are many KQL queries built in to get you started, or you can write your own.

Exam hints and tips

This is an associate-level exam, so it is going to require more detailed knowledge of the subject matter than, say, a fundamentals exam, which is a broad overview, or an expert exam, which is usually conceptual in nature (think design and planning). As such, it is going to test your in-depth knowledge of many Azure components. Practice using the services covered, or at least watching a demonstration video of them being deployed and administered, will give a significant advantage over a mere overview of the product.

Expanding on the previous point, there are often questions that ask you to put a set of steps in the correct order, so knowing the sequence in which something is deployed will help in answering this type of question correctly.

Another popular exam format is the case study. A case study section of the exam typically describes the existing and planned status of a fictitious organisation’s Azure and wider IT landscape. It will then ask around 4-5 questions, for which you will need to look through the information given to determine the correct course of action. Beware, these can burn up time if you aren’t careful. The best way to approach these is to skim the info quickly, then look at the first question. There is far more detail in the case study than there are questions, so by looking at the questions early, you can refer to the most appropriate section to get the answer.

Microsoft exams tend not to ask about detailed facts and figures, such as how much a service costs but there may be questions such as knowing what is the most cost efficient SKU that will unlock a certain feature or level of performance. Sometimes this is hard to train for as it invariably means memorising fine grained details. For this, remember that an associate level exam is open book, allowing you access to the Microsoft Learn website. It could make all the difference to exam success if used correctly – just remember the clock is still ticking down whilst you are looking up and reading content. Expert and specialist exams also are open book – not fundamentals.

At the time of writing, the MS Learn website search isn’t always good at bringing the best result to the top of the list, so practising search terms or learning to swiftly navigate the website via links could be helpful before taking an exam. You cannot go out to an external search engine to help narrow down a page you require – no other websites, including other Microsoft website resources, are accessible from the exam.

There are more exam hints and tips on the Azure Fundamentals Certification post which also apply to this exam.

Recommended resources

It is a good idea to include Microsoft’s own content for the AZ-104 exam as part of your learning toolkit. Being Microsoft’s official content, they have been careful to cover all areas of the exam skills measured. For some, the official content and some hands-on experience is likely enough to pass the exam, however having a couple of different learning materials broadens coverage and gives the learning process a fresh dynamic.

John Savill’s Azure training on YouTube is essential viewing

Becoming a regular mention on the blog, John Savill has an AZ-104 course on YouTube. He knows Azure inside and out and has excellent presentation skills. The study cram itself is incredible and now there is a v2 with updated information. John works for Microsoft and his John Savill’s Technical Training YouTube channel has many useful videos, often organised into playlists for various certifications. This free content is as good if not better than many paid for courses.

Beyond that, there are tons of comprehensive AZ-104 courses on YouTube. It really is incredible what people offer for free and the quality of some of the content. It is worth trying one or two and seeing if you favour a particular presentation style and if it is helping your understanding. When I took the AZ-104 back in 2021, I used a course by Mike Pfeiffer and Tim Warner, which was on Mike’s training website, cloudskills.io, but that has since been bought by the training company INE, so I have spent some time looking at what is on offer commercially with a view to knowing something about the provider or presenter. There is a comprehensive course on LinkedIn Learning presented by T Ray Humphrey in conjunction with Microsoft Press. I haven’t done the course, but being a LinkedIn premium subscriber, I have access to LinkedIn Learning and have found the content high quality when studying for other exams. Chase Dovey presents an AZ-104 course on Pluralsight, which again I haven’t done, but I have done other courses with Pluralsight and have consumed learning content with Chase in the past.

Next steps

The Azure Administrator Associate certification is arguably the most useful Azure certification there is. It is heavy on process and the nuts and bolts of using Azure. Therefore, if someone wants to be proficient in creating and maintaining Azure services, this is certainly unbeatable in that respect.

After passing the AZ-104 exam, the candidate could pass just one more exam (AZ-305) to unlock the Microsoft Certified: Azure Solutions Architect Expert certification. Additionally, by passing the AZ-400 exam in addition to the AZ-104, the candidate will be awarded the Microsoft Certified: DevOps Engineer Expert certification*. These two certifications should therefore be a consideration as a next step.

Beyond that, there are role-based certifications in areas such as Data, Networking, AI and Security which may appeal to those who would like to specialise.

*You can also pass the AZ-204: Developing Solutions for Microsoft Azure exam alongside the AZ-400 to obtain the DevOps Engineer Expert certification instead of the AZ-104.

Copyright © 2025 azureskills.tech