
AZ-104 Domain 2: Implement and manage storage (15-20%) - Complete Study Guide 2026

TL;DR
  • Domain 2 carries 15-20% of the AZ-104 exam weight, making it a meaningful but not dominant section.
  • Storage account configuration (redundancy options, access tiers, and lifecycle policies) consistently appears in exam scenarios.
  • SAS tokens, stored access policies, and Entra ID RBAC are all tested; knowing when to use each is critical.
  • Azure File Sync topology (cloud endpoint, server endpoint, sync group) is a favorite for drag-and-drop and hot-area questions.

What Domain 2 Actually Covers

Domain 2, Implement and manage storage (15-20%), is the AZ-104's compact but technically dense second pillar. It sits between the identity-heavy Domain 1 and the sprawling compute content of Domain 3, and candidates often underestimate it. A 15-20% weight on an exam where the passing threshold is a scaled score of 700 means a weak performance here can push you below the line even when you've nailed identities and virtual machines.

Unlike some vendor exams where storage is a peripheral topic, Microsoft treats storage administration as a genuine day-two operational skill. The exam tests whether you can not only create resources but also configure them correctly for performance, cost, security, and compliance requirements a real organization would demand. For a broader orientation on all five content areas, the AZ-104 Exam Domains 2026: Complete Guide to All 5 Content Areas gives you the full picture before you go deep on any single domain.

The four major storage skill clusters Microsoft measures in Domain 2 are:

  • Configuring Azure Storage accounts
  • Configuring Azure Blob Storage
  • Configuring Azure Storage security
  • Configuring Azure Files and Azure File Sync

Each cluster maps to real administrative tasks, and the exam will present them as scenario-based problems rather than trivia questions.

Storage Accounts: The Foundation You Must Master

Every storage service in Azure (blobs, files, queues, tables) lives inside a storage account. That makes storage account configuration the single most leveraged skill in this domain. Get it wrong in the exam scenario and every downstream answer is compromised.

Storage Account Configuration - Core Competencies

Candidates must be able to select the right account type, redundancy tier, and access tier for a given business requirement. Microsoft tests this through scenario questions that describe workload characteristics and ask you to identify the optimal configuration.

  • Account kinds: Standard general-purpose v2, Premium block blobs, Premium file shares, Premium page blobs - and when each applies
  • Performance tiers: Standard (HDD-backed) vs. Premium (SSD-backed) and their latency implications
  • Access tiers: Hot, Cool, Cold, and Archive - and the retrieval cost/latency trade-offs for each
  • Lifecycle management policies: automating tier transitions and deletion based on last-modified or last-accessed dates
  • Blob versioning, soft delete, and point-in-time restore as data protection mechanisms

Lifecycle Management Policies in Exam Scenarios

Lifecycle management is a favorite scenario topic because it combines cost optimization (a business driver) with technical configuration (an admin skill). A typical exam question might describe a company storing infrequently accessed compliance records that must be retained for seven years but queried rarely after 90 days. You need to know how to write a policy rule that moves blobs to Cool at 30 days, to Archive at 90 days, and deletes them at 2,555 days, and which JSON or portal settings achieve that.

Practice building these policies in the Azure portal and reviewing the JSON rule structure. Microsoft's lab-based or performance-based tasks, which may appear depending on your scheduled delivery, can ask you to create or modify a lifecycle rule directly in the environment.
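The seven-year retention rule from the scenario above, built as lifecycle policy JSON and then checked against sample blob ages. This is an added example, not part of the original guide; the rule name and the `records/` prefix (container name first) are assumptions.

```python
import json

# Thresholds from the scenario: Cool at 30 days, Archive at 90, delete at 2,555.
COOL_DAYS, ARCHIVE_DAYS, DELETE_DAYS = 30, 90, 2555
ORDER = ("tierToCool", "tierToArchive", "delete")
KEY = "daysAfterModificationGreaterThan"


def build_policy(prefix="records/", name="compliance-retention"):
    """Build the policy document; prefix and name are assumed values."""
    base_blob = {
        "tierToCool": {KEY: COOL_DAYS},
        "tierToArchive": {KEY: ARCHIVE_DAYS},
        "delete": {KEY: DELETE_DAYS},
    }
    return {"rules": [{
        "enabled": True,
        "name": name,
        "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": base_blob},
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
        },
    }]}


def validate(policy):
    """Return problems that would break the intended tiering and retention."""
    problems = []
    for rule in policy["rules"]:
        acts = rule["definition"]["actions"]["baseBlob"]
        days = [acts[a][KEY] for a in ORDER if a in acts]
        if any(later <= earlier for earlier, later in zip(days, days[1:])):
            problems.append(rule["name"] + ": thresholds must increase cool < archive < delete")
        if not rule.get("enabled"):
            problems.append(rule["name"] + ": rule is disabled")
    return problems


def action_for(policy, blob_name, age_days):
    """Simulate the action applied to a blob last modified age_days ago."""
    for rule in policy["rules"]:
        filters = rule["definition"]["filters"]
        if not rule["enabled"]:
            continue
        if not any(blob_name.startswith(p) for p in filters["prefixMatch"]):
            continue
        acts = rule["definition"]["actions"]["baseBlob"]
        # When several conditions hold, the least expensive action is applied:
        # delete before tierToArchive before tierToCool.
        for action in reversed(ORDER):
            if action in acts and age_days > acts[action][KEY]:
                return action
    return None


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```

The conditions are strict "greater than" comparisons, so a blob exactly 30 days old is still untouched; a delete threshold set below the archive threshold would remove records before the retention period ends, which is what `validate` flags.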

Azure Blob Storage Deep Dive

Blob Storage is where Domain 2 gets most granular. Microsoft segments this into block blobs (general-purpose unstructured data), append blobs (log files), and page blobs (virtual machine disks). The exam expects you to know which type is created by which service; for instance, Azure VM managed disks use page blobs under the hood, even though you typically interact with them through the managed disk abstraction.

Container-Level Configuration

Within blob storage, container-level settings matter as much as account-level settings. Anonymous access at the container level (off by default, controllable per container) versus private access is a security-heavy topic that bleeds into Domain 2's security cluster. Immutability policies (time-based retention and legal holds) are often tested in compliance scenarios involving financial services or regulated industries.

Object Replication and Versioning

Object replication asynchronously copies block blobs between storage accounts across regions or subscriptions. It requires blob versioning to be enabled on both source and destination accounts, and it requires a replication policy with rules scoped to specific containers. This three-layer dependency (versioning → replication policy → container rules) is exactly the kind of configuration chain the exam loves to test with drag-and-drop or build-list question formats.

Exam Tip - Blob Tier vs. Account Tier: The default access tier set at the account level (Hot or Cool) applies to blobs that don't have an explicitly set tier. Blobs can have their individual tiers overridden. Questions about cost optimization often hinge on whether you're changing the account default or the object-level tier, so read carefully before selecting your answer.

Azure Files and File Sync

Azure Files provides fully managed SMB and NFS file shares in the cloud. Azure File Sync extends those shares to Windows Server, allowing a hybrid model where the cloud is the source of truth and on-premises servers cache frequently accessed data locally (cloud tiering). The AZ-104 tests both services, but File Sync topology is disproportionately represented because it requires understanding multiple components working together.

Azure File Sync - Topology Components You Must Know

Microsoft tests whether candidates can assemble a functional File Sync deployment from its components. Misidentifying the relationship between these objects is a common error.

  • Storage Sync Service: The top-level Azure resource that anchors the deployment
  • Sync Group: Defines the replication topology; each sync group has exactly one cloud endpoint
  • Cloud Endpoint: The Azure file share participating in the sync group
  • Server Endpoint: A specific path on a registered Windows Server; one server can have multiple endpoints in different sync groups
  • Registered Server: A Windows Server (or Server Core) that has the File Sync agent installed and is trusted by the Storage Sync Service
  • Cloud Tiering: Optional feature that keeps hot files local and tiers cold files to Azure, maintaining a configurable free space percentage on the volume

SMB vs. NFS for Azure Files

Azure Files supports SMB 3.x for Windows and cross-platform clients, and NFS 4.1 for Linux workloads. NFS file shares require a Premium storage account (FileStorage kind) and cannot use the public endpoint over the internet; they require a private endpoint or service endpoint in a virtual network. This networking dependency makes NFS shares a cross-domain topic that touches both Domain 2 and Domain 4 (virtual networking).

Storage Security and Access Control

Storage security is where Domain 2 intersects most heavily with Domain 1's identity and governance content. Microsoft tests three distinct authorization models, and knowing when to recommend each is critical.

| Authorization Method | Use Case | Key Characteristics | Exam Gotcha |
| --- | --- | --- | --- |
| Account Key (Shared Key) | Administrative tasks, legacy integrations | Full account access; two keys for rotation; should be disabled if not needed | Cannot scope to specific resources; highest privilege |
| Shared Access Signature (SAS) | Delegated, time-limited access for clients or partners | Service SAS, Account SAS, User Delegation SAS; permissions, IP, protocol, expiry | User Delegation SAS uses Entra ID credentials, not account key - preferred for security |
| Microsoft Entra ID (RBAC) | Internal Azure workloads, managed identities, organizational users | Role assignments at account, container, or blob scope; supports managed identities | Requires "Storage Blob Data" roles, not just generic Reader/Contributor |
| Anonymous Access | Public blobs or containers (public websites, open datasets) | No authentication; disabled by default at account level since 2023 | Must be enabled at account level first, then at container level |
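To make the SAS row concrete, the following added example (not from the original guide) parses a SAS query string, identifies which of the three SAS types it is from the fields present, and flags settings a reviewer would question. The sample tokens are constructed with placeholder signatures and GUIDs, and the 24-hour lifetime limit and read/list baseline are assumed review policies.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample tokens; signatures and GUIDs are placeholders, not real values.
ACCOUNT_SAS = ("sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup"
               "&st=2026-01-01T00:00:00Z&se=2027-01-01T00:00:00Z"
               "&spr=https,http&sig=PLACEHOLDER")
USER_DELEGATION_SAS = ("sv=2022-11-02&sr=b&sp=r"
                       "&st=2026-01-01T00:00:00Z&se=2026-01-01T01:00:00Z"
                       "&spr=https&sip=203.0.113.10"
                       "&skoid=00000000-0000-0000-0000-000000000000"
                       "&sktid=00000000-0000-0000-0000-000000000000"
                       "&skt=2026-01-01T00:00:00Z&ske=2026-01-02T00:00:00Z"
                       "&sks=b&skv=2022-11-02&sig=PLACEHOLDER")
STORED_POLICY_SAS = "sv=2022-11-02&sr=c&si=partner-read&sig=PLACEHOLDER"


def _ts(value):
    """Parse the full ISO 8601 UTC form of st/se used in the samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(params):
    """Identify the SAS type from the fields that are present."""
    if "skoid" in params:                    # signed with a user delegation key
        return "user-delegation"
    if "ss" in params and "srt" in params:   # signed services and resource types
        return "account"
    return "service"


def audit_sas(token, now=None, max_lifetime=timedelta(hours=24)):
    """Return (sas_type, findings) for a SAS query string."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    kind = classify(params)
    findings = []
    if kind != "user-delegation":
        findings.append("signed with an account key; prefer user delegation SAS")
    if "se" not in params and "si" not in params:
        findings.append("no expiry and no stored access policy")
    elif "se" in params:
        start = _ts(params["st"]) if "st" in params else now
        if _ts(params["se"]) - start > max_lifetime:
            findings.append("lifetime exceeds the review maximum")
    if "sip" not in params:
        findings.append("no IP restriction (sip)")
    if params.get("spr", "https,http") != "https":   # omitted spr allows both
        findings.append("HTTP allowed; set spr=https")
    if set(params.get("sp", "")) - set("rl"):
        findings.append("grants more than read/list: sp=" + params["sp"])
    return kind, findings
```

A token that carries `si` takes its expiry and permissions from the stored access policy on the container, so those fields are not judged from the token itself.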

Storage Firewalls and Private Endpoints

Network-level security for storage accounts is tested through firewall rules (allow/deny by IP range or virtual network subnet) and private endpoints (exposing the storage account on a private IP in a VNet). The exam often presents a scenario where an application on a VM must access blob storage without traffic traversing the public internet, and you must identify whether a service endpoint or private endpoint is the right solution, and configure the storage firewall accordingly.

Private Endpoint vs. Service Endpoint: A service endpoint keeps traffic on the Microsoft backbone but the storage account still has a public endpoint. A private endpoint assigns a private IP inside your VNet, and you can disable the public endpoint entirely. Microsoft-recommended best practice for sensitive data is private endpoint with public access disabled.

Encryption at Rest and in Transit

Azure Storage encrypts all data at rest by default using Microsoft-managed keys. The exam tests whether you know how to configure customer-managed keys (CMK) via Azure Key Vault, including the key vault access policy or RBAC model required. Infrastructure encryption (double encryption) adds a second layer and is configured at account creation; it cannot be enabled after the fact, making it a planning-phase decision that suits scenario questions well.
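The account-level settings covered in this section (shared key, anonymous access, firewall default, private endpoints, CMK, infrastructure encryption) can be checked together against a storage account's ARM resource JSON. This is an added example, not part of the original guide; the two sample resources are constructed and the `require_*` flags are assumed organizational requirements.

```python
# Constructed sample resources in ARM JSON shape (names and ids are placeholders).
WEAK = {"name": "examplelegacy", "properties": {
    "allowBlobPublicAccess": True,
    "supportsHttpsTrafficOnly": False,
    "networkAcls": {"defaultAction": "Allow"},
    "encryption": {"keySource": "Microsoft.Storage"},
}}
HARDENED = {"name": "examplehardened", "properties": {
    "allowSharedKeyAccess": False,
    "allowBlobPublicAccess": False,
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [{"id": "constructed-placeholder"}],
    "supportsHttpsTrafficOnly": True,
    "networkAcls": {"defaultAction": "Deny"},
    "encryption": {"keySource": "Microsoft.Keyvault",
                   "requireInfrastructureEncryption": True},
}}


def audit_storage_account(resource, require_cmk=False, require_double_encryption=False):
    """Return a list of findings for one storage account resource."""
    props = resource.get("properties", {})
    findings = []

    # An absent allowSharedKeyAccess is treated as true, so only explicit False passes.
    if props.get("allowSharedKeyAccess") is not False:
        findings.append("shared key authorization is permitted")
    # Account-level switch; while it is on, any container can be made anonymous.
    if props.get("allowBlobPublicAccess") is not False:
        findings.append("containers may be switched to anonymous access")

    default_action = props.get("networkAcls", {}).get("defaultAction", "Allow")
    if props.get("publicNetworkAccess") == "Disabled":
        if not props.get("privateEndpointConnections"):
            findings.append("public access disabled but no private endpoint attached")
    elif default_action != "Deny":
        findings.append("public endpoint accepts traffic from all networks")

    enc = props.get("encryption", {})
    if require_cmk and enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("customer-managed key required but not configured")
    if require_double_encryption and not enc.get("requireInfrastructureEncryption"):
        findings.append("infrastructure encryption missing; set only at account creation")
    if props.get("supportsHttpsTrafficOnly") is False:
        findings.append("unencrypted HTTP requests are accepted")
    return findings
```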

Redundancy, Replication, and Availability

Storage redundancy is one of the most formulaic topics in Domain 2: once you understand the model, questions become predictable. Microsoft offers four primary redundancy options, each with different geographic footprints and SLA characteristics.

  • Locally Redundant Storage (LRS): Three synchronous copies within a single datacenter. Lowest cost, no zone or region protection.
  • Zone-Redundant Storage (ZRS): Three synchronous copies across availability zones in one region. Survives datacenter failure.
  • Geo-Redundant Storage (GRS): LRS in primary region plus asynchronous replication to a secondary region. Secondary is read-only only after failover.
  • Geo-Zone-Redundant Storage (GZRS): ZRS in primary region plus asynchronous replication to secondary region. Highest durability.

The read-access variants (RA-GRS and RA-GZRS) allow reading from the secondary endpoint before a failover is initiated, at the cost of eventual consistency. Exam scenarios that mention "read during a regional outage without initiating failover" are pointing you toward RA-GRS or RA-GZRS.

Key Takeaway

When an exam scenario specifies both zone-level protection AND regional disaster recovery, GZRS is the answer. When it specifies secondary-read availability without failover, add the RA- prefix. Redundancy questions are often elimination exercises: rule out what the scenario doesn't need, then choose the least expensive remaining option.

How to Sequence Your Domain 2 Preparation

Domain 2 is best studied after Domain 1 (identities and governance) because storage security, particularly Entra ID RBAC for storage, builds on identity concepts. If you're following a focused study plan, allocate roughly one week to Domain 2, split across conceptual learning and hands-on practice. The AZ-104 Study Guide 2026: How to Pass on Your First Attempt provides a full-exam preparation roadmap if you want to map all five domains into a cohesive schedule.

Days 1-2

Storage Accounts and Redundancy

  • Create Standard and Premium accounts in the Azure portal; compare options side by side
  • Configure LRS, ZRS, and GRS; understand which can be changed post-creation and which cannot
  • Build a lifecycle management policy with tier transitions and deletion rules

Days 3-4

Blob Storage and Security

  • Practice creating User Delegation SAS tokens via Azure CLI and portal
  • Configure container-level immutability and soft delete
  • Assign Storage Blob Data Contributor to a managed identity and test access
  • Enable a storage firewall and restrict access to a specific subnet

Days 5-7

Azure Files, File Sync, and Review

  • Deploy a Storage Sync Service, register a server, create a sync group with one cloud endpoint and one server endpoint
  • Configure cloud tiering and observe the free space policy behavior
  • Run domain-specific practice questions at AZ-104 Exam Prep to identify weak areas before moving to Domain 3

Hands-on lab time is non-negotiable for Domain 2. Microsoft may include performance-based tasks in your exam delivery where you must configure a storage resource inside an actual Azure environment interface. Candidates who have only read about lifecycle policies and SAS tokens, but never built them, consistently report being caught off guard by these task types. Understanding how hard the AZ-104 exam actually is helps calibrate how much hands-on practice to prioritize.

How Domain 2 Questions Actually Appear on the Exam

The AZ-104 uses multiple-choice, case study, drag-and-drop, build-list, hot-area, and lab question types. Domain 2 content appears across all of them, but certain topics cluster in specific formats.

Scenario-Based Multiple Choice

The most common format presents a two-to-four paragraph business scenario followed by a single or multi-part question. Storage scenarios typically involve a compliance requirement (immutability, encryption), a cost optimization goal (lifecycle policies, access tiers), or an availability specification (redundancy selection). The distractor answers are usually plausible configurations that miss one specific detail, like selecting GRS instead of GZRS when the scenario explicitly mentions zone-level protection in the primary region.

Case Studies

Case studies present a detailed organizational scenario with multiple tabs (requirements, existing environment, issues) and then ask five to eight questions that reference different parts of the scenario. Domain 2 topics appear inside multi-domain case studies rather than storage-only cases. You might answer two storage questions, two networking questions, and two compute questions from the same organizational context. This is why understanding how storage integrates with virtual networks (private endpoints, service endpoints) and with identities (managed identities for storage access) is so important.

Drag-and-Drop and Build-List

Azure File Sync topology assembly is the Domain 2 topic most likely to appear in a drag-and-drop format. You'll be asked to sequence the steps to configure a File Sync deployment or to assign components (Storage Sync Service, sync group, server endpoint, cloud endpoint) to the correct positions in a diagram. Practice drawing the topology from memory until the relationships between components are automatic.

About the Exam Appointment: Microsoft lists 100 minutes to complete the AZ-104 assessment, but your full Pearson VUE appointment includes check-in, tutorials, and a post-exam survey. The exam fee in the United States is typically $165 USD, with regional pricing variations. Microsoft Learn lookup access may be available during eligible role-based exam sittings, subject to exam rules, but no additional time is added, so relying on it as a substitute for preparation is not a viable strategy. For a full cost breakdown including retake policies, see AZ-104 Certification Cost 2026: Complete Pricing Breakdown.

After you earn the Azure Administrator Associate certification, it remains valid for 12 months. Renewal is free through a Microsoft Learn online assessment: no retaking the full exam, no additional fee. Domain 2 storage content will be tested in renewal assessments, so the knowledge you build now has ongoing value. Employers hiring for Azure administrator roles consistently look for demonstrated storage configuration skills, and if you're curious about what those roles pay, the AZ-104 Salary Guide 2026 provides a qualitative analysis of how the certification affects compensation across different markets.

For additional domain-specific preparation, the companion guides for Domain 1: Manage Azure identities and governance and Domain 3: Deploy and manage Azure compute resources follow the same structure used here. Take full-length timed practice tests at AZ-104 Exam Prep once you've completed all domain reviews to simulate the real 100-minute exam pressure before your Pearson VUE appointment.

Frequently Asked Questions

How much of the AZ-104 exam is Domain 2 storage content?

Microsoft weights Domain 2 at 15-20% of the exam. In practice, with approximately 40-60 questions across the full exam, you can expect roughly six to twelve questions touching storage configuration, security, replication, and file services. The exact count varies by exam version and delivery.

Is hands-on lab practice required for the storage domain, or will reading suffice?

Hands-on practice is strongly advisable, not optional. Microsoft may include performance-based tasks where you configure storage resources in a live Azure environment during the exam. Candidates who have only read documentation consistently report difficulty with these tasks. Building lifecycle policies, SAS tokens, and File Sync deployments in an Azure free account before exam day is the most effective preparation.

What is the most commonly tested storage security topic on the AZ-104?

Shared Access Signatures, particularly the distinction between Account SAS, Service SAS, and User Delegation SAS, appear frequently. Microsoft favors User Delegation SAS in best-practice scenarios because it uses Entra ID credentials rather than account keys. Knowing when to use each type, and how to configure expiry, permissions, and IP restrictions, is high-value exam preparation.

Can I change a storage account's redundancy type after creation?

Some transitions are supported post-creation; for example, converting from LRS to ZRS is possible in supported regions via live migration or manual migration. However, moving to geo-redundant options or changing between Standard and Premium performance tiers is not always possible without creating a new account and migrating data. The exam tests whether you know which transitions require downtime or data movement.

Does Domain 2 overlap with other AZ-104 exam domains?

Yes, significantly. Storage security overlaps with Domain 1 (Microsoft Entra ID RBAC, managed identities). Storage networking (private endpoints, service endpoints, firewall rules) overlaps with Domain 4 (virtual networking). Azure VM managed disks, though technically blob-based, are primarily tested in Domain 3 (compute). Understanding these cross-domain connections helps you answer case study questions that span multiple service areas within a single organizational scenario.
