AZ-104 Glossary — Core Terms Azure Administrators Should Not Mix Up

Quick definitions for the AZ-104 terms that candidates most often confuse across identity, storage, compute, networking, and monitoring.

Use this glossary when AZ-104 terms start sounding similar. The exam often tests the boundary between related controls rather than the name alone.

Identity and governance

  • Management group: A governance scope above subscriptions. Use it when policy or RBAC needs to span multiple subscriptions.
  • Resource group: A logical container for Azure resources that share lifecycle, ownership, or access boundaries.
  • Azure RBAC: The authorization system that decides which Azure actions a principal can perform at a given scope.
  • Microsoft Entra role: A directory-administration role used for identity and tenant-management tasks rather than Azure resource actions.
  • Azure Policy: A governance engine that audits, denies, appends, or remediates configuration choices.
  • Resource lock: A control that blocks deletion or modification even when RBAC would otherwise allow it.

Storage

  • Shared access signature (SAS): A time-bound token that delegates limited access to storage data.
  • Stored access policy: A policy attached to a blob container or queue that lets you centrally manage SAS constraints.
  • Private endpoint: A private IP address in your VNet for reaching an Azure PaaS service over Private Link.
  • Service endpoint: A way to extend VNet identity to an Azure PaaS service while the service still keeps a public endpoint.
  • Object replication: Blob replication between storage accounts for selected containers and rules.
  • Azure Files identity-based access: A way to control file-share access with identity rather than only with storage keys.

Compute

  • Bicep: Microsoft’s higher-level language for Azure Resource Manager deployments.
  • Availability set: A way to distribute VMs across fault domains and update domains within a single datacenter.
  • Availability zone: A physically separate zone within a region that improves resilience when supported by the workload and SKU.
  • Virtual Machine Scale Set (VMSS): A managed group of identical VMs that supports scale and coordinated updates.
  • App Service plan: The compute boundary that defines pricing tier, scale, and region for one or more App Services.
  • Deployment slot: An App Service deployment target such as staging or production that helps reduce release risk before a swap.

Networking and operations

  • User-defined route (UDR): A custom route that changes next-hop behavior inside a virtual network.
  • Application security group (ASG): A logical grouping of NICs used as source or destination targets in NSG rules.
  • Effective security rules: The resulting network allow-or-deny posture after Azure evaluates the applicable rules on a resource.
  • Action group: The notification and automation target used by Azure Monitor alerts.
  • Activity Log: The Azure control-plane event history for operations such as create, delete, policy, and administrative actions.
  • Recovery Services vault: A vault type used for Azure Backup and parts of disaster recovery workflows.
  • Backup vault: Another Azure Backup vault type used for some newer backup workloads.
  • Connection Monitor: A Network Watcher capability that tracks reachability and network path behavior between endpoints.

Commonly confused pairs

Pair | Fast distinction
---- | ----------------
Microsoft Entra role vs Azure RBAC role | Directory administration versus Azure resource authorization
Service endpoint vs private endpoint | Public service endpoint restricted by VNet identity versus private IP inside the VNet
Availability set vs availability zone | In-datacenter fault separation versus cross-zone resilience
Activity Log vs Log Analytics resource logs | Control-plane event history versus richer resource-level operational detail
Azure Backup vs Azure Site Recovery | Restore-oriented protection versus replication and failover continuity

When two terms overlap, ask which layer they control: identity, governance, data access, network path, monitoring signal, or recovery. That framing usually resolves the exam question faster than memorizing names alone.