Quick Summary: Stop relying on “happy path” tutorials for the AZ-104; here are three realistic practice strategies—from utilizing the official GitHub labs to engineering your own “broken” environments—that will actually prepare you for the exam’s troubleshooting curveballs.

Beyond the Docs: Building AZ-104 Practice Labs That Actually Break

I was browsing Reddit the other day and saw a thread that made my eye twitch. A junior engineer was asking for “AZ-104 Practice Examples” because they kept failing the practice tests despite memorizing the documentation. It brought back a vivid memory of a “War Room” incident I managed about four years ago.

I had a newly certified admin—let’s call him Kevin—staring at a screen where prod-web-01 had completely lost connectivity to prod-db-cluster. Kevin knew the theory of VNet peering. He knew the definition of a User Defined Route (UDR). But when staring at the actual Azure Portal with a CEO breathing down his neck, he couldn’t figure out that an NSG associated with the subnet was overriding the NSG on the NIC. He had the certification, but he didn’t have the scars. That’s the problem with most study materials: they teach you how to build things correctly, but the exam (and reality) tests your ability to fix things that are fundamentally broken.

The “Why”: Theory Doesn’t Cover Chaos

The root cause of this struggle is the “Happy Path” bias. Microsoft Learn modules act like bowling with bumpers; they guide you perfectly from point A to point B. However, the AZ-104 exam—and your future job at places like TechResolve—is entirely about troubleshooting. The exam questions often present a scenario where everything looks right on the surface (the VNet is peered, the VM is running), but traffic isn’t flowing.

You cannot learn this by reading. You have to build it, break it, and cry a little bit while fixing it. Here are three ways I advise my juniors to get their hands dirty.

Solution 1: The Quick Fix (The Microsoft GitHub Repo)

If you are short on time and need structured examples, ignore the random blog posts and go straight to the source. The Microsoft Learning GitHub repository is the “standard” for a reason, but most people use it wrong. They just copy-paste the commands.

The Strategy: Don’t just run the lab. Run the lab, verify it works, and then intentionally break it. If the lab asks you to implement a Load Balancer, go into the Health Probe settings and change the port from 80 to 8080. Watch the backend pool turn unhealthy. Now, try to fix it using only the Log Analytics workspace.

Pro Tip: Look for the labs titled “04 – Implement Virtual Networking.” This is the highest fail-rate category. If you can’t manually calculate a CIDR overlap in your head, do this lab three times.

Solution 2: The Permanent Fix ( The “DIY Disaster” Lab)

This is the method I use when mentoring new hires. We build a permanent “sandbox” resource group designed to fail. You need to create a scenario where IP addresses overlap or DNS resolution fails.

The Scenario: Create two VNets (vnet-hub-eastus and vnet-spoke-eastus). Peer them. Now, deploy a VM in each. Try to ping them. It will fail (ICMP is blocked by default). Now, instead of just allowing ICMP, try to configure a Network Security Group (NSG) that allows SSH from your home IP but denies everything else, and apply it to the subnet level, not the NIC level.

Here is a “hacky” but effective PowerShell snippet to quickly spin up a test VM that you can abuse for this lab:

$rgName = "rg-az104-practice-01"
$loc = "EastUS"
$vmName = "vm-troubleshoot-01"

# Create RG
New-AzResourceGroup -Name $rgName -Location $loc

# Create a quick VNet and Subnet
$subnet = New-AzVirtualNetworkSubnetConfig -Name "default" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -ResourceGroupName $rgName -Location $loc -Name "vnet-broken-01" -AddressPrefix "10.0.0.0/16" -Subnet $subnet

# Create a Public IP (Standard SKU required for some Load Balancer labs)
$pip = New-AzPublicIpAddress -ResourceGroupName $rgName -Name "$vmName-ip" -Location $loc -AllocationMethod Static -Sku Standard

# The "Trap": Create an NSG that blocks everything by default
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $loc -Name "$vmName-nsg"
$nsgConfig = New-AzNetworkSecurityRuleConfig -Name "DenyAll" -Protocol "*" -Direction Inbound -Priority 100 -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange "*" -Access Deny
$nsg | Add-AzNetworkSecurityRuleConfig -NetworkSecurityRuleConfig $nsgConfig | Set-AzNetworkSecurityGroup

Run that. Now, try to RDP into that machine. You can’t. Your job is to fix it without deleting the NSG. This mimics the exam’s “Administrative effort must be minimized” requirement.

Solution 3: The ‘Nuclear’ Option (The Cloud Shell Commando)

If you really want to pass AZ-104, you need to stop using the Azure Portal GUI entirely for a week. The exam loves to throw specific CLI or PowerShell syntax questions at you. The “Nuclear” option is forcing yourself to manage resources purely via Azure Cloud Shell.

I call this the “Blindfolded Architect” drill. You must resize a VM, reset a password, and attach a data disk without ever clicking a button in the GUI.

It’s painful. It’s annoying. But when you are sitting in the Pearson VUE center and question 45 asks about the specific syntax for VNet peering, you’ll thank me.

Darian Vance

Lead Cloud Architect & DevOps Strategist

With over 12 years in system architecture and automation, Darian specializes in simplifying complex cloud infrastructures. An advocate for open-source solutions, he founded TechResolve to provide engineers with actionable, battle-tested troubleshooting guides and robust software alternatives.

🤖 Frequently Asked Questions