AZ-104 Study Guide – Part 1 – Manage Azure subscriptions and resources

This AZ-104 Study Guide links to most relevant documentation on Microsoft Docs. It was supposed to be for myself, but then I thought: why not share it with the world :)
It covers all objectives / skills measured in AZ-104 exam and is meant to be a 80% complete study guide. 20% should come from experience, watching video’s and tutorials. Exam AZ-104: Microsoft Azure Administrator grants the title Microsoft Certified: Azure Administrator Associate

This is part 1 of 5.

Manage Azure subscriptions and resources (15-20%)

Manage Azure subscriptions

assign administrator permissions

To assign a role to a user, sign in to the Azure Portal, navigate to the user, select Directory Role and select Add Role. Only Global Administrators (sometimes referred as Company Administrators) or Privileged Role Administrators can delegate administrator roles.

Assign with Powershell:

For  example:

Get-AzureADDirectoryRole    #to list the roles that you can assign with PowerShell
$userName="sign-in name of the account"
$roleName="role name"
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where {$_.DisplayName -eq $roleName}).ObjectID -RefObjectId (Get-AzureADUser | Where {$_.UserPrincipalName -eq $userName}).ObjectID

To increase security, you should minimize the number of people with administrative rights. Azure AD Privileged Identity Management (PIM) essentially helps you manage the who, what, when, where, and why for resources that you care about. You need Azure AD Premium P2 or Enterprise Mobility + Security (EMS) E5 for this functionality

configure cost center quotas and tagging

Microsoft Azure limits are sometimes called quotas.
Use tags to group billing data for supported services. For example, if you run several VMs for different teams, then you can use tags to categorize costs by cost center (HR, marketing, finance) or environment (production, pre-production, test).

To apply tags on resources:

You can add tags using

  • Azure Policies
  • Powershell , i.e.:
    • Set-AzResourceGroup -Name examplegroup -Tag @{ Dept=”IT”; Environment=”Test” }
  • Azure CLI, i.e.:
    • az group update -n examplegroup –set tags.Environment=Test tags.Dept=IT
  • Templates
  • Azure Portal (GUI)

To review usage and costs, Microsoft recommends Cloudyn. Cloudyn shows you usage and costs so that you can track trends, detect inefficiencies, and create alerts

configure Azure subscription policies at Azure subscription level

Azure Policy begins with creating a policy definition. Every policy definition has conditions under which it’s enforced.  For example: only allow D1 VM’s to be created, or validate SQL Servers to have version 12 or later installed. To implement these policy definitions, you’ll need to assign them to a scope using Policy Assignments. A scope can be a Management group, Subscription or Resource group. You can assign policies through the Azure portal, PowerShell, or Azure CLI. Policy evaluation happens with several different actions, such as policy assignment or policy updates


Policy parameters help simplify your policy management by reducing the number of policy definitions. Think of parameters like the fields on a form – name, address, city, state. These parameters always stay the same, however their values change based on the individual filling out the form. Parameters work the same way when building policies. By including parameters in a policy definition, you can reuse that policy for different scenarios by using different values.

An initiative definition is a collection of policy definitions. They simplify by grouping a set of policies as one single item.

Analyze resource utilization and consumption

configure diagnostic settings on resources

Azure Monitor diagnostic logs (formerly named Log Analytics) are logs emitted by an Azure service that provide rich, frequent data about the operation of that service. These logs can come from tenant-level resources (like Azure Active Directory) or resources within the subscription (like a Network Security Group or a Storage Account)

To configure diagnostic settings , you need to set

  • Where diagnostic logs and metrics are sent (Storage Account, Event Hubs, and/or Azure Monitor).
  • Which log categories are sent and whether metric data is also sent.
  • How long each log category should be retained in a storage account
  • To enable storage of diagnostic logs in a storage account with

Set-AzDiagnosticSetting -ResourceId [your resource id] -StorageAccountId [your storage account id] -Enabled $true

Azure CLI:
az monitor diagnostic-settings create ……

create baseline for resources

This seems to be related to Configuration Management, and can be done by using DSC.

create and rest alerts

Alerts only support two metrics signals, or one log search signal or one activity signal. To be alerted when event 4654 or event 3245 occurs, you have to create two alerts, because in each alert you can only add one condition.

analyze alerts across subscription

Use the All Alerts page to view a list of alerts created within a selected time window.  Click through to Alert Detail Page to get more information, and to change its alert state. Use Smart Groups to filter noise in alerts.

Smart groups are automatically created by using machine learning algorithms to combine related alerts that represent a single issue. When an alert is created, the algorithm adds it to a new smart group or an existing smart group based on information such as historical patterns, similar properties, and similar structure. For example, if % CPU on several virtual machines in a subscription simultaneously spikes leading to many individual alerts, and if such alerts have occurred together anytime in the past, these alerts will likely be grouped into a single Smart Group, suggesting a potential common root cause.

analyze metrics across subscription

Metrics are collected every minute by default. They are stored for 93 days. Copy them to logs for long term trending.

create action groups

An action may contain multiple actions (like Send SMS and execute Runbook).

monitor for unused resources

Use Cloudyn to improve efficiency. I.e. use the Optimizer to identify idle VM’s and unattached disks.

monitor spend

report on spend

Use Budgets to keep track on your expenses. Use Alerting to get notified on costs and usage budgets. Monthly budgets are evaluated every 4 hours. When an alert condition is met (i.e. costs have reached 80% of monthly budget), you can alert someone by email, but you can also trigger an action group. (i.e. at 80%, shutdown all non-critical VM’s)

Cloudyn is also an option to report and alert on spending.

utilize Log Search query functions

view alerts in Log Analytics

Logs Analytics repository can collect alerts from multiple sources

  • Log Analytics
  • Nagios and Zabbix
  • System Center Operations Manager

Then, add the Alert Management Solution to your Logs Analytics workspace to start analyzing.

Manage resource groups

use Azure policies for resource groups

Seems overlapping with 1.1.3.
I guess this objective demands you to know how you assign them to a Resource Group.

configure resource locks

Locks can have 2 values: CanNotDelete and ReadOnly. All resources within a parent scope inherit the setting. The most restrictive setting take precedence.

Locks only apply to operations at management plane level. For example, a ReadOnly lock on a SQL Database prevents you from deleting or modifying the database, but it doesn’t prevent you from creating, updating, or deleting data in the database.

configure resource policies

Not sure how this differs from 1.3.1, beside the scope (Resource vs Resource group)

identify auditing requirements (new since AZ-100)

Not sure, since this objective is placed in “Manage Resource Groups”. “Identify” feels like a soft-skill.

implement and set tagging on resource groups

Overlaps with 1.1.2

move resources across resource groups

The majority of services can be moved. However, there are still a lost of services that can’t.
Both the source group and the target group are locked during the move operation. Write and delete operations are blocked on the resource groups until the move completes. However, there is no downtime on the particular service.

remove resource groups

Managed role based access control (RBAC) (new since AZ-100)

create a custom role

configure access to Azure resources by assigning roles

In Powershell
New-AzRoleAssignment -SignInName <email, userprincipalname> -RoleDefinitionName <role name in quotes> -ResourceGroupName <resource group name>

configure management access to Azure, troubleshoot RBAC, implement RBAC policies, assign RBAC Roles

Generally, this means you need to know every basic action for managing RBAC. A good start would be

Configure Management Access to Azure:

troubleshoot RBAC:

implement RBAC policies (needs you to understand basics and best practices):

assign RBAC Roles:

Continue to part 2:
AZ-104 Study Guide – Part 2 – Implement and manage storage

7 thoughts on “AZ-104 Study Guide – Part 1 – Manage Azure subscriptions and resources”

    • Hi pkota, checkout the introduction of this Study Guide:

      You can get a free 7 day trial from CBT Nuggets. That should be enough for some this course.
      But I had most benefits from LinkedIn Premium. Premium includes LinkedIn Learning which gives you access to the videos of Sharon Bennett. She focuses on the items that help you pass your exam, without the blah-blah of CBTNuggets :)
      You should be able to get a free trial for 30 days somewhere. Search for it on the internet. There are several ways to obtain. I got it from my Visual Studio subscription.


Leave a Comment