Operational Complexity Underestimation — Azure Administrator (AZ-104)
The answer is correct but operationally expensive. The exam prefers managed services over self-managed when both meet functional requirements.
The elegant design that quietly multiplies your workload
The scenario describes a microservices migration and one answer offers a flexible multi-component solution using separate queues, custom retry logic, and manually coordinated deployments. That flexibility reads as thoroughness. What the exam is measuring is whether you recognize when distributed coordination overhead exceeds the operational team's capacity — and whether a managed, consolidated service would absorb that burden instead.
The Scenario
A company needs to deploy a .NET 8 REST API backend. You recommend Azure VMs behind a Load Balancer, VM Scale Sets for auto-scaling, and custom Azure Monitor dashboards. The correct answer is Azure App Service on a Standard-tier plan. The scenario said "reduce management effort" and the workload is a standard web API with no special OS requirements. App Service gives you built-in auto-scaling, health checks, deployment slots, TLS termination and certificate management, and managed OS and runtime patching; on VMs every one of those is yours to configure, secure and keep patched, and each is a recurring task rather than a one-time setup.
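The managed answer for this scenario expressed as a single Bicep file, added here as an example and not taken from the original page. It also follows the single-template-plus-parameter-files rule that appears under Decision Rules below: one template serves every environment through a .bicepparam file, with no nested or linked templates to host. The app name, location, SKU, instance ceiling and health-check path are assumptions for illustration.

```bicep
// Added example, not code from the original page: the scenario's .NET 8 REST API
// on an App Service Standard-tier plan as one Bicep file. Names, location, SKU
// and the health-check path are assumptions; per-environment differences come
// from .bicepparam files (sketched in the trailing comment), not from
// nested/linked templates.
targetScope = 'resourceGroup'

@allowed(['dev', 'test', 'prod'])
param environment string

param appName string = 'contoso-api'          // assumed base name
param location string = resourceGroup().location

@description('Standard is the lowest tier with deployment slots and autoscale.')
@allowed(['S1', 'S2', 'S3'])
param skuName string = 'S1'

@minValue(1)
@maxValue(10)
param maxInstances int = 3

var planName = 'plan-${appName}-${environment}'
var siteName = 'app-${appName}-${environment}'

resource plan 'Microsoft.Web/serverfarms@2023-12-01' = {
  name: planName
  location: location
  sku: { name: skuName, tier: 'Standard' }
  properties: { reserved: true }              // Linux plan
}

resource site 'Microsoft.Web/sites@2023-12-01' = {
  name: siteName
  location: location
  kind: 'app,linux'
  identity: { type: 'SystemAssigned' }        // managed identity, no stored credentials
  properties: {
    serverFarmId: plan.id
    httpsOnly: true                           // platform TLS termination, HTTP redirected
    siteConfig: {
      linuxFxVersion: 'DOTNETCORE|8.0'
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'                   // no FTP endpoint to patch or guard
      healthCheckPath: '/healthz'             // assumed path; drives platform health checks
    }
  }
}

// Deployment slot for swap-based releases (Standard tier and above).
resource staging 'Microsoft.Web/sites/slots@2023-12-01' = {
  parent: site
  name: 'staging'
  location: location
  properties: { serverFarmId: plan.id, httpsOnly: true }
}

// Platform autoscale on the plan: the scale-out/scale-in rule pair that a VM
// Scale Set answer would have you build, test and maintain yourself.
var cpuTrigger = {
  metricName: 'CpuPercentage'
  metricResourceUri: plan.id
  timeGrain: 'PT1M'
  statistic: 'Average'
  timeWindow: 'PT10M'
  timeAggregation: 'Average'
}

resource autoscale 'Microsoft.Insights/autoscalesettings@2022-10-01' = {
  name: 'autoscale-${planName}'
  location: location
  properties: {
    enabled: true
    targetResourceUri: plan.id
    profiles: [
      {
        name: 'cpu'
        capacity: { minimum: '1', maximum: string(maxInstances), default: '1' }
        rules: [
          {
            metricTrigger: union(cpuTrigger, { operator: 'GreaterThan', threshold: 70 })
            scaleAction: { direction: 'Increase', type: 'ChangeCount', value: '1', cooldown: 'PT5M' }
          }
          {
            metricTrigger: union(cpuTrigger, { operator: 'LessThan', threshold: 30 })
            scaleAction: { direction: 'Decrease', type: 'ChangeCount', value: '1', cooldown: 'PT10M' }
          }
        ]
      }
    ]
  }
}

output siteHostName string = site.properties.defaultHostName

// prod.bicepparam (separate file, one per environment):
//   using './main.bicep'
//   param environment = 'prod'
//   param skuName = 'S2'
//   param maxInstances = 6
// Deploy: az deployment group create -g rg-contoso-prod -f main.bicep -p prod.bicepparam
```

Every line in the `siteConfig` block replaces a task the VM answer leaves to you: `httpsOnly` and `minTlsVersion` are the TLS termination and cipher policy you would otherwise configure on a reverse proxy, `ftpsState: 'Disabled'` removes a deployment endpoint you would otherwise have to firewall, and the system-assigned identity replaces credentials you would otherwise rotate. Swapping `skuName` and `maxInstances` per environment happens in the parameter file, so the template itself never changes between dev and prod.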
How to Spot It
- Azure App Service, Azure Functions, and Azure Container Apps are the exam-preferred answers when scenarios mention operational simplicity. VMs and AKS are correct when the scenario explicitly needs custom OS configuration, GPU compute, or Kubernetes-specific orchestration features.
- The operational complexity spectrum in Azure, from most to least burden on your team: VMs (everything is your job) > AKS (infrastructure is managed, orchestration is yours) > Container Apps (auto-scaling and infrastructure managed) > App Service (deployment and infrastructure managed) > Functions (only code is yours). The exam tests whether you pick the right level for the stated requirements.
- When you see "small team" or "minimize management," count the recurring operational tasks your answer creates: OS and runtime patching, scaling configuration, certificate issuance and renewal, monitoring setup, backup configuration. If a PaaS service handles these automatically and nothing in the scenario rules it out, it is the correct answer.
Decision Rules
Whether declarative simplicity—one Bicep file plus environment-specific parameter files—outweighs the apparent modularity benefit of nested or linked ARM templates for a deployment scope that does not require cross-team template reuse.
Whether to use a single Bicep file with environment-specific parameter files or a nested/linked ARM template set to satisfy repeatable, environment-separated deployment at the lowest ongoing maintenance cost.
Whether to use a single Bicep file with per-environment parameter files or a nested/linked ARM template hierarchy to satisfy idempotent, environment-separated deployment with minimal maintenance overhead.
Whether Bicep modules (compile-time local resolution, no external hosting required) or ARM linked templates (runtime HTTPS URL resolution, requires remotely hosted fragment storage) best satisfies the modularity-plus-no-new-infrastructure constraint.
Whether attribute-based dynamic group rules reduce net operational burden or transfer it to a hidden dependency chain of HR-attribute accuracy, sync pipeline reliability, evaluation latency, and Entra ID P1 licensing — each of which adds coordination cost absent from a scheduled batch script.
Whether to assign the Reader role once to a Microsoft Entra ID security group at subscription scope or to assign the Reader role individually to each user on each resource group, where the group-based single assignment satisfies least-privilege and eliminates per-rotation management burden.
Whether to use Entra ID dynamic group membership rules or a scripted assigned-group update approach to satisfy a free-tier license constraint for automated user lifecycle management.
Whether a custom RBAC role that explicitly excludes Key Vault secret and key read actions is necessary to satisfy least privilege, or whether the built-in Reader role at subscription scope already provides the required access boundary: Reader grants only control-plane */read actions and no data actions, so it can list a vault resource but cannot read secret or key values.
Whether Azure Files share snapshots alone satisfy the 14-day file-level recovery requirement at lower operational cost than coupling Azure Files to a Recovery Services Vault, given that the scenario constrains scope to a single-region SMB share with no VM-level or cross-region recovery need.
Whether the workload's event-driven scaling requirement and blue/green revision lifecycle are better satisfied by ACI with externally managed orchestration components or by Container Apps with those capabilities built in, given the team has no capacity to operate additional infrastructure.
Whether Azure Container Instances or Azure Container Apps is the right compute surface when the workload explicitly requires revision-based traffic splitting and scale-to-zero HTTP scaling, with operational overhead as the dominant tiebreaker.
Whether an internal Standard Load Balancer paired with an Azure Private DNS zone, rather than a public load balancer or a custom DNS server VM, fully satisfies private-scope HA and name resolution with zero self-managed infrastructure overhead.
Whether the stated 4-hour RTO, 24-hour RPO, and granular file-restore requirements are fully satisfied by a periodic Azure Backup policy stored in a Recovery Services Vault, or whether they demand the continuous-replication overhead of Azure Site Recovery.
Whether geo-redundant storage (GRS) configured on a Recovery Services Vault backup policy satisfies the stated secondary-region durability, 24-hour RPO, and 8-hour RTO constraints, making continuous cross-region VM replication via Azure Site Recovery an over-engineered choice.
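The group-based Reader assignment from the two identity rules above (one assignment at subscription scope versus per-user, per-resource-group assignments; Reader versus a custom role that excludes Key Vault data reads), written as a subscription-scope Bicep deployment. This is an added example, not code from the original page. The group object ID is an assumed deployment input; the Reader role GUID is the documented built-in role definition ID.

```bicep
// Added example, not code from the original page: one Reader assignment to an
// Entra ID security group at subscription scope, the managed alternative to
// per-user, per-resource-group assignments. The group object ID is an assumed
// input; the Reader role GUID is the documented built-in ID.
targetScope = 'subscription'

@description('Object ID of the Entra ID security group that should have read access.')
param readersGroupObjectId string

// Built-in Reader role definition ID (the same in every Azure tenant).
var readerRoleDefinitionId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  'acdd72a7-3385-48ef-bd42-f606fba81ae7'
)

// Role assignment names must be GUIDs; deriving the GUID from scope, principal
// and role makes the template idempotent: redeploying updates this assignment
// instead of creating a duplicate.
resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, readersGroupObjectId, readerRoleDefinitionId)
  properties: {
    roleDefinitionId: readerRoleDefinitionId
    principalId: readersGroupObjectId
    principalType: 'Group'   // stated explicitly so a freshly created group is not rejected mid-replication
    description: 'Read-only access for the operations readers group'
  }
}

// Reader is control-plane only: its Actions are */read with no DataActions, so
// members can see that a Key Vault exists but cannot read secret or key values.
// A custom role that "excludes" Key Vault secret reads removes nothing Reader grants.
output assignmentId string = readerAssignment.id
```

Deploy with `az deployment sub create -l <region> -f reader.bicep -p readersGroupObjectId=<group-object-id>`. Staff rotation then becomes a group membership change in Entra ID, with no Azure role assignments to add or clean up; inheritance carries the single assignment down to every resource group and resource in the subscription.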