# 🧪 Identity & Governance Labs

**Exam Coverage:** AZ-104 (20-25% of exam)
**Approach:** Portal-first, validate-as-you-go

## Lab Structure
Each lab folder contains:
| File | Purpose |
|---|---|
| README.md | Lab tasks - Objectives, what to do, validation criteria |
| solution.md | Portal walkthrough - Step-by-step Azure Portal instructions |
| solution-cli.md | CLI alternative - Azure CLI / PowerShell commands |
| questions.md | Practice questions - Scenario-based exam preparation |
**Workflow:**
1. Read README.md (tasks)
2. Try to complete without looking at solutions
3. Validate using the criteria
4. Check solution.md if stuck
5. Test yourself with questions.md
## Core Labs (AZ-104 Exam Focus)
| # | Lab | Difficulty | Time | Key Skills |
|---|---|---|---|---|
| 01 | Users & Groups | Beginner | 45 min | User creation, security groups, M365 groups, group types |
| 02 | RBAC | Intermediate | 60 min | Role assignments, scopes, custom roles, inheritance |
| 03 | Conditional Access | Intermediate | 45 min | Policies, MFA, named locations, report-only mode |
| 04 | Managed Identities | Intermediate | 60 min | System-assigned, user-assigned, Key Vault, Storage |
| 05 | B2B Guests | Intermediate | 45 min | Guest invites, collaboration settings, guest RBAC |
| 06 | SSPR (Self-Service Password Reset) | Intermediate | 45 min | Password reset policies, auth methods, writeback |
| 07 | PIM (Privileged Identity Management) | Advanced | 60 min | Just-in-time access, eligible roles, approval workflows |
**Total Core Labs Time:** ~6-7 hours

## Extras (Extended Learning)
These topics may appear on AZ-104 but are not primary focus areas:
| Topic | File | Notes |
|---|---|---|
| Administrative Units | extras/administrative-units.md | Scoped administration, P1 feature |
| Bulk Operations | extras/bulk-operations.md | CSV import/export, bulk user management |
| PIM | extras/pim.md | Just-in-time access, P2 feature (conceptual only) |
## Prerequisites

### Required
- [ ] Azure subscription (free tier works for most labs)
- [ ] Global Administrator OR User Administrator role
- [ ] Access to Azure Portal
### For Conditional Access Lab
- [ ] Entra ID P1 license (free trial available)
- [ ] Activate trial: Entra ID > Licenses > Try/Buy
### For SSPR Lab (Lab 06)
- [ ] Entra ID P1 license (P2 for full features)
- [ ] Test user accounts for password reset testing
### For PIM Lab (Lab 07)
- [ ] Entra ID P2 license (free trial available)
- [ ] Eligible role to activate
### For B2B Lab
- [ ] External email address (personal email works for testing)
## Study Tips

### Before the Exam
- Complete all 7 core labs
- Can you do each task WITHOUT looking at solutions?
- Review questions.md - understand WHY each answer is correct
- Review extras for conceptual understanding
### Key Concepts to Master
- **RBAC inheritance:** Management Group → Subscription → Resource Group → Resource
- **Deny vs Allow:** Deny assignments override Allow
- **Guest vs Member:** Different directory permissions, same RBAC capability
- **System vs User-assigned:** Lifecycle and sharing differences
- **Conditional Access:** Grant vs Session controls
- **SSPR:** Auth methods, writeback requirements, P1/P2 features
- **PIM:** Eligible vs Active, Just-in-time, approval workflows
## Quick Reference
| Concept | Remember |
|---|---|
| RBAC Scope | Narrow scope = least privilege |
| Custom Roles | NotActions don't deny, just exclude from Actions |
| Managed Identity | No secrets, Azure manages everything |
| Guest Users | #EXT# in UPN indicates external |
| Conditional Access | Report-only mode for testing |
| MFA | Grant control, not session control |
| SSPR | Requires P1 minimum, writeback needs P2 |
| PIM | Just-in-time, eligible → active, approval for sensitive roles |
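As an added example (not part of the lab materials), a small Python model of three of the RBAC rules above: assignments inherit down the scope chain, NotActions only subtract from one role's own Actions rather than denying, and deny assignments override any allow. The scope names, principals and role definitions are constructed; Azure's real evaluation also covers data actions, conditions and more.

```python
from fnmatch import fnmatchcase

# Constructed scope hierarchy, child -> parent (None marks the root).
PARENT = {"mg-root": None, "sub-prod": "mg-root",
          "rg-app": "sub-prod", "storage-app01": "rg-app"}

# Constructed role definitions. NotActions only subtract from the same
# role's Actions; they never block a grant coming from another role.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "StorageContributorNoDelete": {
        "Actions": ["Microsoft.Storage/*"],
        "NotActions": ["Microsoft.Storage/storageAccounts/delete"]},
    "DeleteOnly": {"Actions": ["Microsoft.Storage/storageAccounts/delete"],
                   "NotActions": []},
}

# Constructed assignments: alice reads at subscription scope, bob is a
# contributor (minus delete) at resource-group scope.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": "sub-prod"},
    {"principal": "bob", "role": "StorageContributorNoDelete", "scope": "rg-app"},
]
# A deny assignment at resource-group scope; it wins over any allow beneath it.
DENIES = [{"principals": ["bob"], "scope": "rg-app",
           "actions": ["Microsoft.Storage/storageAccounts/delete"]}]

def ancestors(scope):
    """Walk from a scope up to the root: assignments anywhere on this chain apply."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]

def role_permits(role, action):
    """Effective permission of one role = Actions minus NotActions."""
    granted = any(fnmatchcase(action, p) for p in role["Actions"])
    excluded = any(fnmatchcase(action, p) for p in role["NotActions"])
    return granted and not excluded

def is_allowed(principal, action, scope, assignments=ASSIGNMENTS, denies=()):
    """Any inherited role assignment that permits the action allows it,
    unless a deny assignment on the scope chain matches (deny overrides)."""
    chain = set(ancestors(scope))
    for d in denies:
        if principal in d["principals"] and d["scope"] in chain and any(
                fnmatchcase(action, p) for p in d["actions"]):
            return False
    return any(a["principal"] == principal and a["scope"] in chain
               and role_permits(ROLES[a["role"]], action) for a in assignments)
```

Adding a second role that grants the delete action shows that NotActions is not a deny, while passing DENIES shows that a deny assignment blocks it regardless.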