Avoiding Critical Errors: A Guide to Common AZ-104 Exam Mistakes

Achieving the Microsoft Certified: Azure Administrator Associate credential requires more than just a surface-level understanding of cloud services. Candidates must demonstrate technical proficiency across identity, governance, storage, compute, and virtual networking. However, many well-prepared students struggle due to common mistakes on AZ-104 exam sessions, often stemming from subtle conceptual overlaps or misinterpreting the specific constraints of a scenario. The exam is designed to test your ability to select the most efficient solution, not just a functional one. This guide analyzes the architectural and strategic pitfalls that lead to lost points, providing the technical clarity needed to navigate complex question stems. By identifying these errors early in your preparation, you can shift from memorizing facts to mastering the logic Microsoft expects from a professional administrator.

Common Mistakes on the AZ-104 Exam: Networking Misconfigurations

Confusing NSGs with Azure Firewall Use Cases

A frequent source of AZ-104 errors to avoid is the inability to distinguish between the filtering capabilities of Network Security Groups (NSGs) and Azure Firewall. Candidates often assume that because both can block traffic, they are interchangeable. In reality, an NSG operates at Layers 3 and 4, filtering traffic based on IP addresses, ports, and protocols. It lacks the deep packet inspection and FQDN filtering capabilities inherent in a stateful, managed firewall service. On the exam, if a requirement specifies filtering based on a specific URL (e.g., allow traffic only to *.microsoft.com), an NSG is insufficient. You must recognize that Azure Firewall provides the centralized, high-availability protection required for such tasks. Furthermore, candidates often forget that NSGs are processed using a priority-based system where lower numbers have higher precedence. Failing to account for the default AllowVnetInBound or AllowAzureLoadBalancerInBound rules can lead to incorrect predictions of traffic flow in complex simulation questions.

Misunderstanding VNet Peering and Service Endpoints

In the realm of misunderstood AZ-104 topics, Virtual Network (VNet) peering and Service Endpoints often cause confusion regarding transit and connectivity. A common error is assuming that peering is transitive by default. If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C unless a direct peering is established or a VPN Gateway/Azure Firewall is used as a transit hub. Candidates also frequently miss the requirement for Allow Gateway Transit and Use Remote Gateways settings when connecting spoke networks to a hub. Similarly, Service Endpoints are often confused with Private Links. While a Service Endpoint provides a secure path to Azure services over the Microsoft backbone by adding the VNet's identity to the service, it does not provide a private IP address for the service within the VNet. Misidentifying this distinction usually results in failing questions related to secure service access and DNS resolution.

Incorrectly Configuring Routes and Subnet Delegation

User-Defined Routes (UDRs) are a high-stakes area where simple logic errors result in incorrect answers. The exam frequently tests the Longest Prefix Match rule, where the most specific route in the routing table is chosen. Candidates often fail to realize that a UDR with a more specific prefix will always override a System Route, such as the default 0.0.0.0/0 route. Another common pitfall involves Subnet Delegation. Certain Azure services, such as Azure SQL Managed Instance or App Service Environments, require a dedicated subnet. Attempting to deploy other resources into a delegated subnet, or failing to delegate a subnet before service deployment, is a classic scenario-based error. You must be able to calculate valid CIDR blocks and ensure that subnets do not overlap when planning for VNet peering or VPN Gateway integration, as address space exhaustion is a recurring theme in troubleshooting questions.

Storage and Compute Configuration Pitfalls

Mixing Up Storage Account Types and Redundancy

Storage questions often hinge on the "least cost" or "highest availability" requirement. One of the primary AZ-104 study mistakes is failing to memorize the specific capabilities of General Purpose v2 (GPv2) versus Premium storage. For instance, GPv2 supports all redundancy options, including Geo-Zone-Redundant Storage (GZRS), whereas legacy accounts do not. Candidates frequently struggle with the behavior of Read-Access Geo-Redundant Storage (RA-GRS). They may incorrectly assume that a failover is automatic for the primary endpoint, whereas RA-GRS specifically provides a secondary read-only endpoint that applications must be configured to use. Understanding the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) differences between LRS (Local), ZRS (Zone), and GRS (Geo) is essential for selecting the correct redundancy level based on the business continuity requirements presented in the exam stem.

Virtual Machine SKU and Disk Type Selection Errors

When configuring compute resources, candidates often overlook the limitations of specific Virtual Machine (VM) series. For example, not all VM sizes support Premium SSD or Ultra Disk storage. A common error is selecting a Standard_D series VM for a workload that requires high IOPS, failing to recognize that the disk throughput is capped by both the disk type and the VM's internal limits. Furthermore, the exam often tests the concept of Availability Sets versus Availability Zones. An Availability Set protects against hardware failure within a data center by distributing VMs across Update Domains (UD) and Fault Domains (FD), but it does not protect against a total data center outage. Candidates who fail to recommend Availability Zones for 99.99% SLA requirements often lose points on high-availability architecture questions. Additionally, the distinction between managed and unmanaged disks is now largely a legacy concept, yet understanding the benefits of Managed Disks for scaling and reliability remains a core competency.

Overlooking Backup and Recovery Configuration Steps

Backup and site recovery questions are frequently missed because candidates focus on the "how" rather than the "where." A critical rule in Azure Backup is that the Recovery Services Vault must reside in the same region as the resources being backed up (for VMs). However, for Cross Region Restore (CRR) capabilities, specific vault settings must be enabled. Many students also fail to understand the requirements for the Azure Backup Agent (MARS) versus the Azure Backup Server (MABS). MARS is file/folder level and does not require a local database, while MABS is required for application-aware backups like SQL Server or Exchange. Misidentifying these requirements leads to incorrect architectural choices. Furthermore, in Azure Site Recovery (ASR) scenarios, candidates often forget to account for the "Configuration Server" and "Process Server" components required when migrating or protecting on-premises VMware environments compared to native Azure-to-Azure replication.

Identity, Governance, and Cost Management Errors

Misapplying Azure RBAC Roles and Scopes

Identity management is a cornerstone of the AZ-104, yet failing AZ-104 pitfalls often involve the confusion between Azure AD (Entra ID) roles and Azure RBAC roles. Azure AD roles control access to identity-level resources (users, groups, domains), while RBAC roles control access to Azure resources (VMs, VNets, Storage). A common mistake is assigning a "Global Administrator" role to a user when they only need to manage virtual machines in a specific subscription. This violates the Principle of Least Privilege. Candidates must also master the hierarchy of Management Groups, Subscriptions, Resource Groups, and Resources. They often incorrectly assume that a permission denied at a lower scope can be "overridden" by a permission at a higher scope; in reality, RBAC is additive, but an explicit "Deny Assignment" (used in Blueprints or Managed Applications) takes precedence over any "Allow" assignment.

Azure Policy vs. Resource Lock Misunderstandings

Governance questions often present scenarios where a resource must be protected from accidental deletion or must meet compliance standards. A frequent error is using an Azure Policy when a Resource Lock is required. A "ReadOnly" or "CanNotDelete" lock is a preventative measure applied directly to a resource or scope to stop specific actions. In contrast, Azure Policy is used for enforcement and auditing—such as ensuring all VMs have a specific tag or preventing the deployment of G-series VMs. Candidates also struggle with the effect of policy inheritance. Unlike RBAC, which is additive, Azure Policy evaluates all policies in the hierarchy. If a Management Group has a "Deny" policy for a specific resource type, a "Modify" or "Append" policy at the Resource Group level cannot bypass that restriction. Understanding the "Evaluation Sequence" is vital for answering multi-layered governance questions.

Ignoring Cost Management Tools and Tagging Strategies

Cost management errors AZ-104 candidates make usually involve the practical application of Azure Advisor and Cost Analysis. Many overlook the fact that tags do not inherently apply to resources within a group if the tag is only placed on the Resource Group itself. To enforce tagging for cost tracking, an Azure Policy must be used to inherit or require tags during deployment. Another common mistake is failing to identify the most cost-effective solution for long-term workloads. For example, if a question specifies a VM will run for three years, a Reserved Instance (RI) is almost always the correct answer over "Pay-As-You-Go." Additionally, candidates often confuse the purpose of "Azure Budgets" (which provide alerts) with "Azure Quotas" (which limit resource instantiation). Misunderstanding how to use the Pricing Calculator versus the Total Cost of Ownership (TCO) tool is another area where easy points are lost.

Strategic Exam-Taking and Time Management Blunders

Misreading Question Stems and Key Requirements

The AZ-104 exam is notorious for including "distractor" information. A common blunder is failing to identify the primary constraint, such as "minimize costs," "minimize administrative effort," or "ensure the fastest recovery." For instance, a question might ask for a way to connect two VNets. While a VPN Gateway works, if the requirement is "highest throughput and lowest latency," VNet Peering is the only correct choice. Candidates often rush and miss the word "NOT" in a question (e.g., "Which of the following is NOT a requirement..."). To avoid this, use the "Read Twice" method: identify the technical goal first, then identify the constraints. If the goal is storage redundancy but the constraint is "lowest cost," your answer will change from GRS to LRS. Ignoring these subtle cues is one of the most frequent reasons for failing by a narrow margin.

Poor Time Allocation Across Questions and Case Studies

Time management is a technical skill in its own right. The AZ-104 typically consists of 40–60 questions, including one or more Case Studies. A major mistake is spending ten minutes on a single complex drag-and-drop question, leaving insufficient time for the case study at the end. Note that once you exit a case study section or a "Yes/No" series of questions (where you cannot go back), those points are locked. Candidates often find themselves rushing through the case study, which contains dense documentation and multiple tabs of requirements. The correct strategy is to allocate roughly 1.5 minutes per standard question, allowing at least 15–20 minutes for the case studies. Using the "Flag for Review" feature is helpful, but candidates must remember that "Yes/No" sequence questions cannot be flagged for later—you must answer them decisively the first time.

Second-Guessing Initial Instincts on Known Material

Psychologically, the AZ-104 can be draining, leading candidates to change correct answers during the final review. This is often due to a misunderstanding of how Microsoft scores. Most questions are independent, and there is no penalty for guessing. However, changing an answer often happens when a candidate sees a similar concept in a later question and doubts their earlier logic. Unless you have discovered a specific piece of information in a later question that directly invalidates your first choice (which is rare, as questions are vetted for independence), your first instinct—based on your initial reading of the constraints—is usually the most accurate. Trust your preparation in Azure Administration and avoid over-analyzing the "simplicity" of a question; if it looks straightforward and you know the service limits, it likely is.

How to Actively Correct These Mistakes in Your Study

Implementing Scenario-Based Practice with Labs

To move beyond the common errors, you must engage in active learning through hands-on labs. Simply reading documentation is insufficient for the AZ-104. You should use the Azure Sandbox or a trial subscription to build out the scenarios described in your study materials. For example, instead of just reading about NSG rules, create two subnets, place a VM in each, and attempt to block SSH while allowing HTTP. Observe the "Effective Security Rules" in the Azure Portal to see how the platform calculates the final permission set. This practical application solidifies the "Why" behind the "How." When you see a question about "Network Watcher" or "IP Flow Verify," you will recall the actual interface and the data it provides, making it much harder to fall for distractor answers.

Creating Comparison Charts for Similar Services

One effective way to combat the confusion between similar services is to create a "Service Matrix." Map out services that perform similar functions but have different use cases. For instance, compare Azure Load Balancer (Layer 4, regional), Application Gateway (Layer 7, regional, WAF support), and Front Door (Layer 7, global, CDN capabilities). By defining the "Trigger Word" for each (e.g., "SSL Termination" for App Gateway or "Global" for Front Door), you create a mental shortcut that bypasses confusion during the exam. Do the same for storage redundancy (LRS vs. ZRS vs. GRS) and identity (Azure AD Roles vs. RBAC). This comparative approach forces you to identify the unique "Value Proposition" of each service, which is exactly what the exam tests.

Conducting Regular Review of Incorrect Practice Test Answers

The final step in a successful study plan is the "Error Audit." When taking practice exams, the most valuable data is not your score, but the explanation for the questions you missed. Do not just look at the correct answer; analyze the logic of the distractors. Why was "Premium Storage" wrong? Because the scenario mentioned "cost-effective" and the workload didn't require high IOPS. Why was "Azure Policy" wrong? Because the goal was to prevent deletion, not to enforce a configuration. By deconstructing the question logic, you become familiar with the "Microsoft way" of thinking. This habit turns every mistake into a learning milestone, ensuring that by the time you sit for the actual AZ-104, you are no longer just a student of the material, but a practitioner of the platform.