
Azure Administrator Storage: Complete AZ-104 Study Guide


Azure Storage is a core component of the Azure Administrator certification (AZ-104). You need to understand blob containers, table storage, queue management, and storage account configuration.

Mastering this topic means learning how to create, configure, and manage different storage account types. You must implement access controls, optimize performance, and make critical decisions about redundancy and security.

Flashcards excel for Azure Storage because this topic has many decision points. You'll memorize service characteristics, pricing models, and configuration options while building skills for real-world scenarios.

With multiple storage service types and configuration options, breaking concepts into bite-sized questions helps you retain critical details needed for both the exam and professional practice.


Azure Storage Account

Azure Storage provides four primary service types you must understand for the AZ-104 exam.

Blob Storage and Access Tiers

Blob Storage handles unstructured data like images, videos, and backups. It offers three access tiers that affect cost and performance.

  • Hot tier provides frequent access with low retrieval costs
  • Cool tier suits infrequent access (30+ days) with lower storage costs
  • Archive tier offers lowest storage costs for long-term compliance data

Each tier has different pricing and minimum storage duration requirements.

Other Storage Service Types

Table Storage stores NoSQL structured data in key-value pairs. This service works well for applications requiring flexible schemas.

Queue Storage enables asynchronous messaging between application components. Messages can be up to 64 KB each, making this ideal for decoupling services.

File Shares provide SMB and NFS protocol access. Use these for legacy application integration and on-premises connectivity.

Storage Account Tiers

Storage accounts come in different types with different capabilities.

  • Standard accounts support all services with magnetic storage and lower costs
  • Premium accounts use solid-state drives for specific services like blobs and file shares
  • BlockBlobStorage accounts optimize specifically for block blob operations

GPv2 (General Purpose v2) is the most versatile option, supporting all services. Use this for most scenarios. Specialized accounts like FileStorage or BlockBlobStorage optimize for specific workloads when you need maximum performance.

Flashcards help you quickly recall which service suits different scenarios. For example, choose Queue Storage for decoupling application components or select Blob Storage with Archive tier for compliance data retention.

Security, Access Control, and Authentication Methods

Security in Azure Storage involves multiple layers that Azure Administrators must master. You need to understand each method and when to use it.

Storage Account Keys and Shared Access Signatures

Storage account keys provide full access to all data in the storage account. Treat these like database admin passwords. Rotate them regularly as part of security best practices.

Shared Access Signatures (SAS) enable granular, time-limited access without sharing full keys. SAS tokens include expiration times, authorized resources, and specific permissions.

  • Account-level SAS controls service-level operations
  • Service-level SAS controls resource-level access

Use SAS for temporary access to external partners. Never share storage account keys with external parties.
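The fields a SAS token carries can be checked before the token is handed to a partner. The following is an added example, not part of the original guide: it parses the standard SAS query parameters (ss, srt, sr, sp, st, se, spr, sip, si) and flags tokens that are long-lived, allow HTTP, lack an IP restriction, or have account-wide scope. The 24-hour limit, the finding names, and the sample URLs are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=24)  # assumed local policy, not an Azure default
WRITE_LIKE = set("wdxyacu")  # write, delete, delete version, permanent delete, add, create, update

# Constructed samples: account name, blob path and sig values are placeholders.
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SERVICE_SAS = ("https://examplestorage.blob.core.windows.net/reports/q1.pdf"
               "?sv=2022-11-02&sr=b&sp=r&st=2024-05-01T08:00:00Z"
               "&se=2024-05-01T12:00:00Z&spr=https&sip=203.0.113.10&sig=PLACEHOLDER")
ACCOUNT_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2022-11-02&ss=bfqt"
               "&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER")

def parse_sas_time(value):
    """SAS times are UTC in one of these ISO 8601 shapes."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas(url, now):
    """Return (kind, findings) for a SAS URL; the sig value is never echoed."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    # An account SAS carries ss (services) and srt (resource types);
    # a service SAS carries sr (one resource kind, e.g. b = blob, c = container).
    kind = "account" if "ss" in q and "srt" in q else "service"
    findings = []
    if "se" in q:
        expiry = parse_sas_time(q["se"])
        start = parse_sas_time(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("expired")
        elif expiry - start > MAX_LIFETIME:
            findings.append("long-lived")
    elif "si" in q:  # expiry comes from a stored access policy on the resource
        findings.append("expiry-set-by-stored-access-policy")
    else:
        findings.append("no-expiry")
    if q.get("spr", "https,http") != "https":  # omitted spr permits HTTP too
        findings.append("http-allowed")
    if "sip" not in q:
        findings.append("no-ip-restriction")
    if WRITE_LIKE & set(q.get("sp", "")):
        findings.append("write-capable")
    if kind == "account" and (len(q["ss"]) > 1 or set(q["srt"]) >= set("sco")):
        findings.append("broad-account-scope")
    return kind, findings

if __name__ == "__main__":
    for url in (SERVICE_SAS, ACCOUNT_SAS):
        print(audit_sas(url, NOW))
```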

Azure AD and Role-Based Access Control

Azure Active Directory (AAD) integration allows role-based access control through Azure RBAC. You assign roles like Storage Blob Data Contributor or Storage Queue Data Reader at different scopes.

Managed identities provide another secure authentication method. These allow Azure services to authenticate without storing credentials anywhere.

Network and Encryption Security

Storage account firewalls restrict access to specific IP ranges. Virtual Network Service Endpoints enable secure access from VNets without internet exposure.

Encryption at rest is automatically enabled using Microsoft-managed keys by default. You can implement customer-managed keys through Azure Key Vault for additional control.

Transport Layer Security (TLS) encrypts data in transit. Use TLS 1.2 minimum for all connections.

Azure Defender for Storage provides threat detection and monitoring. Enable this to catch unusual access patterns.

Choosing the Right Authentication Method

Use SAS tokens for temporary access to external partners. Use AAD for internal Azure applications. Use managed identities for serverless scenarios where you cannot store credentials. Flashcards help you remember the specific permissions available for each SAS type and the security implications of different access methods.

Storage Account Configuration, Replication, and Redundancy

Configuring Azure Storage accounts for reliability requires understanding redundancy options. Each option protects against different failure scenarios.

Understanding Redundancy Options

Locally Redundant Storage (LRS) replicates data three times within a single data center. This provides the lowest cost but no protection against data center failures.

Zone-Redundant Storage (ZRS) replicates across three availability zones within the same region. This protects against zone-level outages with 99.99% availability.

Geo-Redundant Storage (GRS) maintains a primary copy in one region with asynchronous replication to a secondary region 300+ miles away. Failover is possible if the primary region becomes unavailable.

Read-Access Geo-Redundant Storage (RA-GRS) adds read access to the secondary region during normal operations. This improves availability but requires managing consistency.

Geo-Zone-Redundant Storage (GZRS) combines ZRS and GRS benefits. RA-GZRS includes read access to the secondary.

Data Protection Features

Storage accounts support immutable storage policies that prevent data modification or deletion. Use this for compliance requirements like WORM (Write Once Read Many).

Blob versioning tracks historical versions of blobs automatically. Soft delete capabilities allow recovery of deleted data within a retention period.

Cost Optimization Through Lifecycle Management

Lifecycle management automates tiering by moving data between Hot, Cool, and Archive tiers based on age. This can reduce storage costs significantly.

Minimum storage durations matter for cost calculations. Cool tier requires 30-day minimum storage. Archive tier requires 90-day minimum. Moving data too frequently defeats the cost benefits.
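A lifecycle policy can be checked against these minimums before it is applied. The following is an added example, not part of the original guide: it reads a lifecycle management policy in its JSON form and reports rules that move or delete a blob before it has spent the minimum duration in the Cool or Archive tier. The rule names, prefixes and day values in the sample policy are constructed.

```python
import json

MIN_DAYS = {"cool": 30, "archive": 90}  # minimum storage durations stated above
KEY = "daysAfterModificationGreaterThan"

# Constructed sample policy: rule names, prefixes and day values are illustrative.
POLICY = json.loads("""
{"rules": [
  {"name": "logs-fast", "enabled": true, "type": "Lifecycle", "definition": {
    "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["logs/"]},
    "actions": {"baseBlob": {
      "tierToCool":    {"daysAfterModificationGreaterThan": 7},
      "tierToArchive": {"daysAfterModificationGreaterThan": 20},
      "delete":        {"daysAfterModificationGreaterThan": 60}}}}},
  {"name": "backups", "enabled": true, "type": "Lifecycle", "definition": {
    "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["backups/"]},
    "actions": {"baseBlob": {
      "tierToCool":    {"daysAfterModificationGreaterThan": 30},
      "tierToArchive": {"daysAfterModificationGreaterThan": 90},
      "delete":        {"daysAfterModificationGreaterThan": 365}}}}}
]}
""")


def early_move_findings(policy):
    """Return (rule, tier, days_in_tier) where a blob leaves a tier too early."""
    order = (("cool", "tierToCool"), ("archive", "tierToArchive"), ("deleted", "delete"))
    findings = []
    for rule in policy["rules"]:
        if not rule.get("enabled", True):
            continue
        actions = rule["definition"]["actions"].get("baseBlob", {})
        day = {name: spec[KEY] for name, spec in actions.items() if KEY in spec}
        # Stages the blob passes through, with the day it enters each one.
        stages = [(tier, day[action]) for tier, action in order if action in day]
        for (tier, entered), (_, left) in zip(stages, stages[1:]):
            if left - entered < MIN_DAYS[tier]:
                findings.append((rule["name"], tier, left - entered))
    return findings


if __name__ == "__main__":
    for name, tier, days in early_move_findings(POLICY):
        print(f"{name}: only {days} days in {tier} (minimum {MIN_DAYS[tier]})")
```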

Performance Tiers

Performance tiers include Standard (HDD-based, cost-effective) and Premium (SSD-based, high-performance). Each supports different scale limits. Each has different pricing models you must understand.

Use flashcards to memorize redundancy characteristics, failover procedures, and cost-benefit analyses of different configurations. This accelerates your exam preparation.

Managing Blob Storage, File Shares, and Data Movement

Blob Storage management involves understanding container organization, blob types, and access patterns. Different blob types serve different purposes.

Blob Types and Storage

Block blobs store files up to 190.7 TB using blocks that can be uploaded in parallel. This makes them ideal for large files and concurrent uploads.

Append blobs optimize for append-only scenarios like logging. These prevent modification of existing data.

Page blobs support random read/write operations and back virtual machine disks. These are less common but essential for specific workloads.

Blob snapshots create read-only point-in-time copies for backup and recovery. Understand that snapshots are manual while versioning is automatic.

Container Organization and Access

Containers provide the first level of organization within a storage account. You can configure anonymous access at the container or blob level.

Azure File Shares provide SMB 3.0 protocol access. These support both cloud-only and hybrid scenarios with Azure File Sync.

Premium File Shares offer higher performance but limited capacity compared to standard shares.

Scale Limits and Data Movement

Storage accounts have scale limits you must know. Blob operations handle 20,000 transactions per second. File shares support 3,000 IOPS by default.

Data movement options include Storage Account Copy for server-side copying between accounts, Blob Upload for uploading local files, and Azure Data Box for offline migration of large datasets up to 1 PB.

Import/Export service uses physical disks for massive data transfers when network bandwidth is limited.

Backup and Recovery Strategies

Understand the difference between blob snapshots and versioning. Versioning maintains all versions automatically, while snapshots require manual creation. Each strategy has different cost and recovery implications.

Tiering strategies automatically move aged data from Hot to Cool to Archive tiers. Flashcards help you quickly recall the four IOPS throttling levels based on storage account type and partition key selection for optimal performance distribution.

Monitoring, Troubleshooting, and Study Strategies for Azure Storage

Monitoring Azure Storage requires familiarity with Azure Monitor, Storage Analytics, and diagnostic logging. These tools provide visibility into performance and security.

Monitoring Tools and Metrics

Azure Monitor metrics track request volume, latency, availability, and error rates. This enables performance trending and alerting.

Diagnostic logs capture detailed information about read, write, and delete operations. Use these for security auditing and troubleshooting.

Azure Storage Analytics provides visibility into application performance patterns and capacity planning.

Key Metrics to Track

Key metrics include average latency, percentage errors, server-side request throttling (HTTP 503/500 errors), and geographic distribution of requests.

Alerts help identify issues like unusual activity patterns or usage approaching quota limits. Set up alerts for critical thresholds.

Flashcard Study Strategies

For exam preparation, use flashcards to memorize these critical items:

  • The four redundancy options and their geographic distribution
  • Specific permission sets for different SAS token types
  • Pricing differences between access tiers and redundancy options
  • Scale limits per storage account
  • Minimum storage durations that affect cost optimization
  • Authentication method selection criteria

Creating Effective Flashcards

Create flashcards using spaced repetition. Review frequently missed items more often. Front-side questions should describe scenarios, for example, "An organization needs 99.99% availability in a single region." Back-side answers give the solution, such as RA-GRS or GZRS.

Include practical scenarios: configuring lifecycle policies to reduce costs, implementing security controls, and designing disaster recovery strategies.

Study Session Structure

Study in focused sessions covering one service type per session. Then review cross-cutting concepts like security and monitoring.

Flashcards excel for Azure Storage because the topic contains many decision trees. Given a scenario, you must choose which storage type, redundancy option, and authentication method best fits. Active recall through flashcards builds the pattern recognition skills needed for exam success and professional competency.


Frequently Asked Questions

What is the difference between Blob Storage access tiers, and when should I use each one?

Azure Blob Storage offers three access tiers that affect both performance and cost. Hot tier is designed for frequently accessed data. Retrieval costs are high, but access latency is low. Use this for active workloads and short-term storage.

Cool tier suits data accessed infrequently, at least once per 30 days. Storage costs are lower, but retrieval costs are higher. This works well for backup and occasional analysis.

Archive tier provides the lowest storage costs but highest retrieval latency (several hours). This tier requires 90-day minimum storage duration. Use this for compliance archives and long-term retention.

Your choice depends on your access patterns and budget constraints. For cost optimization, use lifecycle policies to automatically transition data between tiers based on age. Start data in Hot tier and automatically move it to Cool then Archive as it gets older.

How do Shared Access Signatures differ from Storage Account Keys, and which should I use?

Storage Account Keys provide complete administrative access to all data in the storage account. Treat these like database admin passwords. You get two keys, allowing rotation for zero-downtime security updates.

Shared Access Signatures (SAS) provide time-limited, granular access to specific resources and operations. You expose no full account keys. SAS tokens include an expiration time, authorized services, resource types, and permissions.

Use Storage Account Keys only for administrative operations and internal trusted applications that need complete access. Use SAS tokens when granting external partners temporary access, embedding in client applications, or providing access to specific containers or blobs.

Account-level SAS controls service-level operations like service properties changes. Service-level SAS controls specific resource access. For maximum security, never hardcode keys or SAS tokens in application code. Instead, use Azure Key Vault or managed identities.

What redundancy option should I choose for different business requirements?

Your redundancy choice depends on required availability and disaster recovery objectives. Each option has different costs and capabilities.

Locally Redundant Storage (LRS) replicates three times within one data center. This provides cost-effective protection against hardware failures but not data center outages.

Zone-Redundant Storage (ZRS) replicates across three availability zones in one region. This provides 99.99% availability against zone-level failures.

Geo-Redundant Storage (GRS) replicates to a secondary region 300+ miles away with automatic failover capability. This protects against regional disasters but prevents reads of secondary data during normal operations.

Read-Access GRS (RA-GRS) enables reading from the secondary region. This improves availability but requires considering consistency implications.

Geo-Zone-Redundant Storage (GZRS) combines ZRS within each region for best protection.

For high-availability applications in a single region, use ZRS. For disaster recovery across regions, use RA-GRS or GZRS. For cost-sensitive non-critical data, use LRS. Each option has different pricing and failover characteristics you should understand.

How do I implement security controls and prevent unauthorized access to storage accounts?

Implement multi-layered security controls starting with storage account firewalls. These restrict access to specific IP addresses and Virtual Networks.

Use Virtual Network Service Endpoints or Private Endpoints to route traffic privately without internet exposure.

For authentication, leverage Azure Active Directory (AAD) with RBAC. Assign roles like Storage Blob Data Contributor or Storage Account Contributor at appropriate scopes.

Use Managed Identities for Azure services to authenticate without storing credentials.

Implement Shared Access Signatures for temporary, granular access to external partners. Do not share account keys.

Enable encryption at rest using Microsoft-managed keys by default. Use customer-managed keys through Azure Key Vault for compliance requirements.

Encrypt data in transit using TLS 1.2 minimum.

Enable Storage Account Key rotation policies to regularly refresh credentials.

Use Azure Defender for Storage to detect unusual access patterns and potential threats.

Apply immutable storage policies for compliance workloads to prevent deletion or modification.

Enable diagnostic logging to audit all access and detect unauthorized activities. Review failed authentication attempts and unusual geographic access patterns.

Why are flashcards particularly effective for studying Azure Storage concepts?

Flashcards excel for Azure Storage because the topic involves numerous decision points and configuration options. These benefit from active recall practice.

Azure Storage requires remembering specific characteristics of four service types, six redundancy options, authentication method selection criteria, and pricing models across different dimensions.

Flashcards using spaced repetition force your brain to retrieve information. This strengthens memory more effectively than passive reading.

Scenario-based flashcards that describe business requirements mirror actual exam questions and real-world decision-making. You select the appropriate storage type, redundancy option, and authentication method.

The compartmentalization of flashcards prevents cognitive overload when learning complex topics with many related concepts.

Creating your own flashcards deepens learning through active encoding. You reinforce knowledge by generating the answers.

Flashcards enable efficient review sessions focused on problem areas. This makes studying more effective and less time-consuming.

For Azure Storage specifically, flashcard formats like feature-matching (match storage services to use cases) and calculation-based cards (determining cost optimization strategies) maximize retention of practical knowledge.