Guided by A Guide to Cloud

AZ-104 Study Guide

Domain 1: Manage Azure Identities and Governance

  • Microsoft Entra ID: Your Identity Foundation Free
  • Users, Groups & Licenses Free
  • RBAC: Who Can Do What in Azure Free
  • Subscriptions, Resource Groups & Management Groups Free
  • Azure Policy & Resource Locks Free
  • Tags, Cost Management & Azure Advisor Free

Domain 2: Implement and Manage Storage

  • Storage Accounts & Redundancy
  • Securing Storage: Keys, SAS & Firewalls
  • Blob Containers & Storage Tiers
  • Blob Lifecycle, Versioning & Soft Delete
  • Azure Files: Shares, Snapshots & Recovery

Domain 3: Deploy and Manage Azure Compute Resources

  • ARM Templates & Bicep: Infrastructure as Code
  • Virtual Machines: Create & Configure Free
  • VM Disks, Encryption & Migration
  • Availability Sets, Zones & Scale Sets
  • Containers: ACR, ACI & Container Apps
  • App Service Plans & Scaling
  • App Service: Slots, Certificates & Networking

Domain 4: Implement and Manage Virtual Networking

  • Virtual Networks & Subnets
  • VNet Peering & User-Defined Routes
  • NSGs & Application Security Groups
  • Azure Bastion, Service & Private Endpoints
  • Azure DNS & Load Balancers

Domain 5: Monitor and Maintain Azure Resources

  • Azure Monitor: Metrics & Logs
  • Alerts, Insights & Network Watcher
  • Azure Backup & Vaults
  • Azure Site Recovery & Disaster Recovery

Domain 2: Implement and Manage Storage Premium ⏱ ~14 min read

Storage Accounts & Redundancy

Every byte in Azure starts with a storage account. Learn how to create and configure them, choose the right redundancy option, manage encryption, and use tools like Storage Explorer and AzCopy to move data around.

What is a storage account?

☕ Simple explanation

A storage account is like renting a storage unit — except it can hold files, databases, queues, and more.

On-prem, you had file servers with NTFS shares. In Azure, a storage account is your general-purpose container for data. Inside one storage account, you can have blob containers (like folders for large files), file shares (like SMB network shares), tables (simple databases), and queues (message pipelines).

When you create a storage account, you choose: the name (globally unique), the region, the performance tier (Standard or Premium), and how many copies of your data Azure keeps (redundancy).

An Azure Storage account is a resource that provides a unique namespace for Azure Storage data. It supports four data services: Blob Storage (unstructured data), Azure Files (SMB/NFS file shares), Table Storage (NoSQL key-value), and Queue Storage (message queuing). All data is accessible via HTTP/HTTPS endpoints.

Key configuration decisions at creation: performance tier (Standard HDD vs Premium SSD), account kind (StorageV2 is recommended), redundancy (LRS/ZRS/GRS/RA-GRS/GZRS/RA-GZRS), access tier default (Hot/Cool), and networking (public endpoint, selected networks, or private endpoint).

Storage account types

| Account Kind | Supported Services | Performance | Use Case |
|---|---|---|---|
| StorageV2 (general-purpose v2) | Blob, Files, Table, Queue | Standard or Premium | Recommended for most scenarios |
| BlobStorage | Blob only | Standard | Legacy — use StorageV2 instead |
| BlockBlobStorage | Block blobs, append blobs | Premium | High-transaction blob workloads |
| FileStorage | Azure Files only | Premium | Enterprise file shares, high IOPS |

💡 Exam tip: Always pick StorageV2

Unless the question specifically asks for premium block blob or premium file performance, StorageV2 (general-purpose v2) is the correct answer. It supports all storage services and both Standard and Premium tiers. Microsoft recommends it for almost all scenarios.

Redundancy options

This is one of the most heavily tested topics. Azure stores multiple copies of your data to protect against failures.

Azure Storage redundancy options — from least to most resilient

| Option | Copies | Region Scope | Read Access During Outage? |
|---|---|---|---|
| LRS (Locally Redundant) | 3 copies in one datacenter | Single region | No |
| ZRS (Zone-Redundant) | 3 copies across 3 availability zones | Single region | No |
| GRS (Geo-Redundant) | 6 copies (3 local + 3 in paired region) | Two regions | No (secondary is not readable) |
| RA-GRS (Read-Access Geo) | 6 copies (3 local + 3 in paired region) | Two regions | Yes — read from secondary |
| GZRS (Geo-Zone-Redundant) | 6 copies (3 zones primary + 3 secondary) | Two regions | No |
| RA-GZRS (Read-Access Geo-Zone) | 6 copies (3 zones primary + 3 secondary) | Two regions | Yes — read from secondary |

Real-world: How to choose redundancy
  • CloudFirst Labs uses LRS for dev/test environments — cheapest, and data loss in dev is acceptable
  • TechCorp Solutions uses ZRS for production web assets — survives a datacenter failure within the region
  • Meridian Financial uses RA-GZRS for critical financial data — maximum resilience with read access during regional outage

The exam pattern: Match the business requirement (cost, availability, compliance) to the correct redundancy option. If they mention “regional disaster recovery,” think GRS/GZRS. If they mention “read access during outage,” think RA-GRS or RA-GZRS.

Encryption

All data in Azure Storage is encrypted at rest using 256-bit AES encryption. This is enabled by default and cannot be disabled.

Two key management options:

  • Microsoft-managed keys (default) — Azure handles key rotation automatically
  • Customer-managed keys (CMK) — you manage keys in Azure Key Vault

Infrastructure encryption adds a second layer of encryption at the infrastructure level (double encryption). This is for organisations with extreme compliance requirements.
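
The following added example, which is not part of the original guide, checks a storage account inventory against the redundancy table and the key management options above. The `env` tag, the policy mapping and the sample accounts are assumptions constructed for illustration; the JSON mirrors the fields of `az storage account list` output.

```python
import json

# Redundancy suffix -> properties, from the redundancy table on this page.
REDUNDANCY = {
    "LRS": set(),
    "ZRS": {"zones"},
    "GRS": {"geo"},
    "RAGRS": {"geo", "read_secondary"},
    "GZRS": {"zones", "geo"},
    "RAGZRS": {"zones", "geo", "read_secondary"},
}

# Assumed policy keyed on a hypothetical "env" tag; "cmk" = customer-managed keys.
POLICY = {
    "dev": (),
    "prod": ("zones",),
    "critical": ("zones", "geo", "read_secondary", "cmk"),
}

# Constructed sample shaped like `az storage account list` output.
SAMPLE = json.loads("""[
 {"name": "webassets01", "sku": {"name": "Standard_LRS"},
  "tags": {"env": "prod"}, "encryption": {"keySource": "Microsoft.Storage"}},
 {"name": "finrecords01", "sku": {"name": "Standard_GRS"},
  "tags": {"env": "critical"}, "encryption": {"keySource": "Microsoft.Storage"}},
 {"name": "finrecords02", "sku": {"name": "Standard_RAGZRS"},
  "tags": {"env": "critical"}, "encryption": {"keySource": "Microsoft.Keyvault"}},
 {"name": "scratch01", "sku": {"name": "Standard_ZRS"},
  "tags": null, "encryption": {"keySource": "Microsoft.Storage"}}
]""")

def audit(accounts, policy=POLICY):
    """Return (account, finding) pairs where the account falls short of policy."""
    findings = []
    for acct in accounts:
        env = (acct.get("tags") or {}).get("env")
        if env not in policy:
            findings.append((acct["name"], "no recognised env tag"))
            continue
        suffix = acct["sku"]["name"].split("_", 1)[-1]  # Standard_RAGZRS -> RAGZRS
        have = set(REDUNDANCY.get(suffix, ()))
        if (acct.get("encryption") or {}).get("keySource") == "Microsoft.Keyvault":
            have.add("cmk")
        findings += [(acct["name"], f"{suffix}: missing {p}")
                     for p in policy[env] if p not in have]
    return findings

if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print(f"{account}: {finding}")
```
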

Storage Explorer and AzCopy

Azure Storage Explorer is a desktop application (Windows, macOS, Linux) for managing storage accounts visually. Think of it as a file manager for Azure Storage — drag and drop blobs, browse containers, manage file shares.

AzCopy is a command-line tool for high-performance data transfer:

```
# Copy a local file to blob storage
azcopy copy "C:\data\report.csv" "https://mystorageaccount.blob.core.windows.net/mycontainer/report.csv?SAS_TOKEN"

# Sync a local folder to blob storage
azcopy sync "C:\data" "https://mystorageaccount.blob.core.windows.net/mycontainer?SAS_TOKEN"
```

Storage Explorer vs AzCopy

| Feature | Storage Explorer | AzCopy |
|---|---|---|
| Interface | GUI (desktop app) | CLI (command line) |
| Best for | Browsing, small transfers, visual management | Large transfers, scripting, automation |
| Authentication | Entra ID, SAS, account key | Entra ID, SAS |
| Performance | Good for small to medium | Optimised for large-scale parallel transfers |

Question

What is the difference between LRS and ZRS?

Answer

LRS stores 3 copies within a single datacenter (cheapest, protects against disk/rack failure). ZRS stores 3 copies across 3 different availability zones in the same region (costs more, protects against an entire datacenter failure).

Question

What does the 'RA' in RA-GRS stand for, and what does it enable?

Answer

RA = Read Access. RA-GRS allows read-only access to data in the secondary (paired) region. Standard GRS replicates to the secondary but you can't read from it unless Microsoft initiates a failover. RA-GRS lets you read from the secondary endpoint at any time.

Question

Is Azure Storage encryption at rest optional?

Answer

No. All data in Azure Storage is encrypted at rest with 256-bit AES by default. This cannot be disabled. The choice is only between Microsoft-managed keys (default) and customer-managed keys (via Key Vault).

Knowledge check

Knowledge Check

Meridian Financial needs to store critical financial records that must remain accessible even if an entire Azure region goes down. They also need to read data from the secondary region for reporting during normal operations. Which redundancy option should Alex recommend?

Knowledge Check

CloudFirst Labs needs to copy 500 GB of log files from an on-premises server to Azure Blob Storage as part of a nightly automated job. Which tool should they use?

🎬 Video coming soon

← Previous

Tags, Cost Management & Azure Advisor

Next β†’

Securing Storage: Keys, SAS & Firewalls

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.