AZ-104 Microsoft Azure Administrator Associate - Cheat Sheet

justyy (84)in #blog • 13 hours ago

Good lucks to me!

Azure RBAC permissions are additive and the most permissive effective access applies across scopes.
Deny assignments override any allow permissions in Azure RBAC.
Management group → subscription → resource group → resource is the Azure scope hierarchy.
Azure Policy enforces governance rules while RBAC controls access permissions.
Tags cannot be applied to classic resources.
Azure Resource Manager templates deploy infrastructure declaratively using JSON.
A resource can only exist in one resource group at a time.
Resources can be moved between resource groups but must remain in the same subscription (except certain supported scenarios).
Azure locks include CanNotDelete and ReadOnly to protect resources.
A system-assigned managed identity is tied to the lifecycle of the resource.
A user-assigned managed identity can be reused across multiple resources.
Azure Storage replication options include LRS, ZRS, GRS, and RA-GRS.
ZRS replicates data across availability zones in a region.
GRS replicates data to a secondary paired region.
RA-GRS allows read access to the secondary region.
Standard storage accounts support GPv2 which is the recommended account type.
Storage account firewall rules allow public IP ranges but not private IP ranges.
Azure Storage access tiers are Hot, Cool, and Archive.
Archive tier requires rehydration before data can be accessed.
Azure AD authentication is preferred over storage account keys.
Azure Key Vault stores secrets, certificates, and encryption keys securely.
Soft delete protects deleted Key Vault objects from permanent deletion.
Azure Virtual Networks provide isolated private networking for Azure resources.
Each subnet must belong to only one VNet.
Azure reserves 5 IP addresses per subnet.
The first IP address in a subnet is the network address.
The last IP address in a subnet is the broadcast address (not usable).
Three additional Azure reserved addresses exist in each subnet.
Network Security Groups filter traffic using allow/deny rules with priorities.
NSG rules are evaluated from lowest priority number to highest.
Default NSG rules allow VNet traffic and deny inbound internet traffic.
Application Security Groups simplify NSG rule management for groups of VMs.
Azure Bastion enables secure RDP/SSH access without public IPs.
Azure Bastion requires a dedicated subnet named AzureBastionSubnet.
The minimum subnet size for AzureBastionSubnet is /26.
Service Endpoints allow private connectivity from a VNet to Azure PaaS services.
Private Endpoints provide a private IP in your VNet for a PaaS resource.
Private DNS zones enable name resolution for private endpoints.
Azure Load Balancer operates at Layer 4 (TCP/UDP).
Application Gateway operates at Layer 7 (HTTP/HTTPS).
Azure Front Door provides global load balancing and application acceleration.
Availability Sets protect VMs from hardware failures within a datacenter.
Availability Zones protect against datacenter-level failures.
VM Scale Sets provide automatic scaling and high availability.
VMSS default maximum instances per placement group is 100.
Azure Backup protects VMs using Recovery Services Vault.
VM backups must be in the same region as the Recovery Services Vault.
Azure Site Recovery provides disaster recovery for VMs across regions.
Connection Monitor in Azure Network Watcher tests connectivity between endpoints.
Log Analytics uses KQL for querying monitoring data.
Table-based queries are more efficient than search-based queries in Log Analytics.
Azure Monitor collects metrics, logs, and alerts for resources.
Self-Service Password Reset requires Azure AD Premium P1 or higher.
Guest users are added through Azure AD B2B invitation.
Effective permissions result from the union of all assigned roles.