Azure Administrator AZ-104 Guide: What It Tests and How to Prepare
The Azure Administrator certification (AZ-104) is the most important technical Azure credential for engineers managing Azure infrastructure. It tests that you can deploy, configure, manage, and troubleshoot Azure resources — not just describe what they do.
This is the certification most commonly cited in job descriptions for Azure cloud engineer, Azure administrator, and cloud infrastructure roles. If you are building an Azure career, AZ-104 is where meaningful technical credibility starts.
What the exam actually tests
AZ-104 is practical and configuration-specific. Where AZ-900 asks what services exist, AZ-104 asks how to configure them correctly for a given requirement.
A typical question might describe a scenario where a company needs to restrict access to a storage account to only resources within a specific VNet, while keeping the storage account accessible from a management VM in another subscription. You need to choose between private endpoints, service endpoints, network rules, and firewall configurations — and explain why.
Exam domains and weightings:
| Domain | Approximate weighting |
|---|---|
| Manage Azure identities and governance | 15–20% |
| Implement and manage storage | 15–20% |
| Deploy and manage Azure compute resources | 20–25% |
| Implement and manage virtual networking | 15–20% |
| Monitor and maintain Azure resources | 10–15% |
Format: 40–60 questions (mix of question types including case studies, hotspot questions, drag-and-drop, and multiple choice), approximately 120 minutes, passing score 700/1000, approximately $165. Requires annual renewal via free online assessment.
Key topics and what you need to know
Manage Azure identities and governance
Microsoft Entra ID (formerly Azure Active Directory):
- User accounts, group types (Security vs Microsoft 365, Assigned vs Dynamic)
- Azure AD join vs Hybrid Azure AD join vs Azure AD registered — what each means for device management
- Guest access: B2B collaboration, external user lifecycle
- Azure AD roles: Global Administrator, User Administrator, Billing Administrator — distinct from Azure RBAC roles
Azure Role-Based Access Control (RBAC):
- Built-in roles: Owner, Contributor, Reader, and resource-specific roles
- Custom role definitions: assignable scopes, actions, notActions
- Role assignment scope: management group, subscription, resource group, resource
- Managed identities: system-assigned vs user-assigned — when to use each
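An added example, not part of the original guide: a small Python model of how `actions` and `notActions` in role definitions combine. The role names and the helper functions are constructed for illustration; assignment scope and deny assignments are not modelled.

```python
from fnmatch import fnmatchcase

def _matches(patterns, action):
    """Case-insensitive wildcard match of an operation against a pattern list."""
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)

def role_allows(role, action):
    """Effective permissions of ONE role: actions minus notActions."""
    return _matches(role["actions"], action) and not _matches(role["notActions"], action)

def is_allowed(assigned_roles, action):
    """Assignments are additive: any single role that allows the action is enough.
    notActions only subtracts inside its own role; it is not a deny rule."""
    return any(role_allows(r, action) for r in assigned_roles)

# Constructed custom role definitions (hypothetical names).
VM_OPERATOR = {
    "name": "VM Operator (constructed)",
    "actions": ["Microsoft.Compute/virtualMachines/*",
                "Microsoft.Network/networkInterfaces/read"],
    "notActions": ["Microsoft.Compute/virtualMachines/delete"],
}
CLEANUP = {
    "name": "VM Cleanup (constructed)",
    "actions": ["Microsoft.Compute/virtualMachines/delete"],
    "notActions": [],
}

if __name__ == "__main__":
    delete = "Microsoft.Compute/virtualMachines/delete"
    print("operator only    :", is_allowed([VM_OPERATOR], delete))
    print("operator+cleanup :", is_allowed([VM_OPERATOR, CLEANUP], delete))
```

The second result is the one to remember when reviewing assignments: excluding an operation in one role does not block it if another assigned role grants it.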
Azure Policy:
- Policy definitions, initiatives (groups of policies), assignments
- Effect types: Deny, Audit, Append, DeployIfNotExists, AuditIfNotExists, Modify
- Compliance evaluation: understanding remediation tasks for non-compliant resources
- Policy inheritance from management groups
Subscriptions and management groups:
- Azure subscription types and when to use multiple subscriptions
- Management group hierarchy: organising subscriptions for governance
- Moving resources between subscriptions and resource groups (what can and cannot be moved)
Resource locks:
- ReadOnly and CanNotDelete locks: what they prevent and how they are inherited by child resources
Implement and manage storage
Azure Storage accounts:
- Account types: Standard general-purpose v2, Premium (block blobs, file shares, page blobs) — performance and cost differences
- Replication options: LRS, ZRS, GRS, GZRS, RA-GRS — definitions and failure scenarios each protects against
- Access tiers: Hot, Cool, Cold, Archive — retrieval time and cost for each
- Lifecycle management rules: automating tier transitions and deletions based on time
Azure Blob Storage:
- Blob types: block blobs, append blobs, page blobs — use cases for each
- Blob versioning, soft delete, and change feed
- Shared Access Signatures (SAS): account SAS vs service SAS vs user delegation SAS
- Object replication between storage accounts
Azure Files:
- SMB and NFS file shares — Azure File Sync for extending to on-premises
- File share tiers: transaction-optimised, Hot, Cool
- Private endpoints for secure access
Azure storage security:
- Encryption at rest with Microsoft-managed keys vs customer-managed keys (Azure Key Vault)
- Storage account network rules: service endpoints vs private endpoints
- Azure Defender for Storage
Deploy and manage Azure compute resources
Virtual Machines:
- VM sizes: general purpose (B, D, Dsv series), compute optimised (F series), memory optimised (E, M series), storage optimised (L series)
- Availability options: availability sets (fault domains and update domains), availability zones, Azure Site Recovery for DR
- VM scale sets: flexible orchestration vs uniform orchestration, scaling policies, scale-in policies
- Extensions: Custom Script Extension, Azure Monitor Agent, Desired State Configuration
- Azure Bastion: browser-based SSH/RDP without public IPs
Azure App Service:
- App Service Plans: pricing tiers (Shared, Basic, Standard, Premium, Isolated)
- Deployment slots: staging environments, slot swapping for zero-downtime deployments
- Scaling: manual vs autoscaling rules
- Custom domains and TLS certificates
Azure Container Instances vs Azure Kubernetes Service:
- Container Instances: simple container hosting, no orchestration, per-second billing
- AKS: managed Kubernetes for production workloads, node pool management
- Azure Container Registry: private image registry, geo-replication, webhooks
Azure Functions:
- Consumption plan vs Premium plan vs Dedicated (App Service) plan
- Triggers and bindings
- Durable Functions for stateful workflows
Implement and manage virtual networking
Virtual Networks (VNets):
- Address space planning: CIDR notation, non-overlapping ranges
- Subnets: delegated subnets for specific services (App Service, ACI)
- VNet peering: local peering vs global peering, transitive peering not supported by default
Network security groups (NSGs):
- Inbound and outbound security rules: priority, source/destination, protocol, action
- NSG flow logs: enabling, viewing, and analysing
- Application security groups: grouping VMs logically for firewall rules
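An added example, not part of the original guide: a Python model of NSG inbound rule evaluation, where rules are processed in priority order (lowest number first) and the first match decides. The rule set is constructed; service tags, destination addresses and the other platform default rules are left out, with only DenyAllInBound (65500) modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    source: str     # CIDR prefix, or "*" for any
    dest_port: str  # single port, "lo-hi" range, or "*"
    protocol: str   # "Tcp", "Udp", or "*"
    action: str     # "Allow" or "Deny"

def _src_match(rule_src, ip):
    return rule_src == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src)

def _port_match(rule_port, port):
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip, dest_port, protocol):
    """Return (action, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (_src_match(r.source, src_ip) and _port_match(r.dest_port, dest_port)
                and r.protocol in ("*", protocol)):
            return r.action, r.name
    return "Deny", "no-match"

# Constructed inbound rules for a hypothetical subnet.
INBOUND = [
    Rule("allow-ssh-mgmt", 100, "10.1.0.0/24", "22", "Tcp", "Allow"),
    Rule("deny-ssh-any", 200, "*", "22", "Tcp", "Deny"),
    Rule("allow-web", 300, "*", "443", "Tcp", "Allow"),
    Rule("allow-all-internal", 400, "10.0.0.0/8", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

if __name__ == "__main__":
    for flow in [("10.1.0.5", 22), ("10.2.0.5", 22), ("10.2.0.5", 3389), ("203.0.113.7", 3389)]:
        print(flow, evaluate(INBOUND, flow[0], flow[1], "Tcp"))
```

The broad allow at priority 400 lets internal hosts reach every port except SSH, because the deny at 200 is matched first; reversing those two priorities would silently open SSH to the whole 10.0.0.0/8 range.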
Azure Load Balancer vs Azure Application Gateway vs Azure Front Door:
- Load Balancer: Layer 4, internal and public, SKU differences
- Application Gateway: Layer 7, SSL termination, WAF integration
- Front Door: global load balancing, CDN, DDoS protection
- When to use each based on the scenario
DNS:
- Azure DNS: hosting DNS zones in Azure, private DNS zones for VNet name resolution
- Custom DNS servers on VNets
VPN and connectivity:
- Azure VPN Gateway: site-to-site VPN, point-to-site VPN, VNet-to-VNet
- ExpressRoute: private dedicated connection from on-premises
- Virtual WAN: managed hub-and-spoke networking
Service endpoints vs private endpoints:
- Service endpoints: extend VNet identity to Azure services, traffic stays on Microsoft backbone
- Private endpoints: private IP in your VNet for Azure services, eliminates public exposure entirely
Monitor and maintain Azure resources
Azure Monitor:
- Metrics vs logs: types of data, where they are stored
- Log Analytics workspaces: centralising logs from multiple sources
- KQL (Kusto Query Language): basic queries for filtering and aggregating log data
- Alerts: metric alerts, log search alerts, activity log alerts — creating and managing action groups
Azure Backup:
- Recovery Services Vault: backing up VMs, files, SQL databases
- Backup policies: retention schedules, instant restore points
- Cross-region restore
Azure Site Recovery:
- Disaster recovery for VMs to a secondary Azure region
- Replication, failover, and failback processes
Azure Cost Management:
- Budget creation, cost alerts, spending breakdowns by resource
- Cost recommendations from Azure Advisor
What makes AZ-104 questions challenging
AZ-104 questions include question types that many candidates find difficult:
Hotspot questions: You are shown a screenshot of an Azure portal configuration and must click on the part that has a problem or needs to be changed. These require familiarity with the actual portal interface.
Drag-and-drop: Order the steps in a process, or match services to descriptions.
Case studies: A multi-page scenario with several questions requiring you to reason across the entire case context.
Multiple-choice questions in AZ-104 often present four architecturally valid options — the challenge is identifying which one is correct for the specific combination of requirements in the scenario. Knowing what each service does is necessary but not sufficient; you need to reason through why one is better than the others given the constraints.
Preparation approach
Hands-on in the portal and CLI: AZ-104 questions reflect real Azure workflows. Use the Azure portal and Azure CLI (az commands) to deploy VMs, configure NSGs, create storage accounts, set up VNet peering. The exam is significantly easier when you recognise the configurations from having done them.
Focus on networking: VNet design, NSGs, load balancers, VPN, private endpoints — this domain is concept-heavy and catches candidates who have only studied compute and storage. Budget extra time here.
Microsoft Learn is solid: The official Microsoft Learn paths for AZ-104 are comprehensive and free. Use them as your primary curriculum, then supplement with practice exams.
Practice under timed conditions: At 40–60 questions in 120 minutes, time management matters. The case study questions can consume significant time. Practice taking full-length timed exams before your real attempt.
Preparation time:
| Starting point | Typical preparation time |
|---|---|
| Completed AZ-900, limited Azure hands-on | 10–14 weeks at 8–10 hours/week |
| Azure experience on the job | 6–8 weeks of focused study |
| AWS/GCP experience, new to Azure | 8–10 weeks (concepts transfer; terminology does not) |
Annual renewal
AZ-104 requires annual renewal through Microsoft Learn. The renewal assessment is 25–40 questions, free, online, no proctor, and open-book. It updates your certification for another year. Set a calendar reminder 60 days before your expiry date to avoid scrambling.
Summary
- AZ-104 is the most broadly valuable technical Azure certification for engineers managing infrastructure
- It tests configuration-level knowledge: NSGs, VNet peering, storage accounts, RBAC, load balancers, and monitoring
- Hotspot and case study questions require familiarity with the Azure portal interface
- Hands-on practice in the portal and az CLI is essential — reading alone is insufficient
- Requires annual free online renewal — simpler than full re-examination
- 6–14 weeks of preparation depending on starting experience