Complete Study Guide for AZ-104: Microsoft Azure Administrator
The Microsoft Azure certification ecosystem spans dozens of examinations covering everything from fundamental cloud concepts to highly specialized workloads. Within this ecosystem, the AZ-104 Microsoft Azure Administrator certification occupies a uniquely central position. Unlike specialized certifications that validate expertise in a narrow domain, the AZ-104 validates broad, practical competence across the full range of administrative tasks that keeping an Azure environment healthy, secure, and operationally sound requires. It is the certification that proves a professional can be trusted to manage real Azure environments where mistakes have real consequences.
Organizations hiring Azure administrators are looking for professionals who can handle the daily operational realities of cloud infrastructure management without constant guidance. They need people who understand how identity and access management works in practice, who can configure and troubleshoot networking, who can manage storage and compute resources effectively, and who can monitor environments and respond to problems intelligently. The AZ-104 examination was designed specifically to validate these capabilities, which is why it has become one of the most sought-after and respected credentials in the cloud computing job market.
Before investing time in studying, understanding exactly what the AZ-104 examination covers and how different topics are weighted helps candidates allocate their preparation time strategically. Microsoft publishes a detailed skills measured document for the AZ-104 that outlines every major topic area and its approximate weight in the examination. Candidates who ignore this document and study topics uniformly regardless of their weight frequently find themselves well prepared in areas that contribute relatively few questions while underprepared in areas that dominate the examination.
The examination covers five major domain areas. Managing Azure identities and governance encompasses identity management through Microsoft Entra ID, role-based access control, subscriptions, management groups, and governance policies. Implementing and managing storage covers storage account configuration, data management, and access control for Azure storage services. Deploying and managing Azure compute resources addresses virtual machines, containers, and serverless compute options. Implementing and managing virtual networking covers the networking fundamentals required for Azure administrators. Monitoring and maintaining Azure resources encompasses the observability and operational maintenance capabilities administrators need daily. Each domain deserves study proportional to its weight, and candidates should verify current weights against Microsoft’s official skills measured document since examination content evolves periodically.
Identity management sits at the foundation of everything an Azure administrator does, because every interaction with Azure resources is mediated through the identity and access management system. Microsoft Entra ID, previously known as Azure Active Directory, is the cloud-based identity service that Azure uses to authenticate users and service principals and to authorize their access to resources. Understanding Entra ID thoroughly is not optional for AZ-104 success. It is prerequisite knowledge that everything else builds upon.
The examination tests Entra ID knowledge across several dimensions. Tenant management including creating and managing users, groups, and external guest identities appears consistently. Understanding the different license tiers of Entra ID and which features each tier provides matters because certain administrative capabilities require premium licensing. Hybrid identity scenarios where on-premises Active Directory identities are synchronized to Entra ID through Microsoft Entra Connect are important because most enterprise environments involve this hybrid configuration rather than purely cloud-native identity. Self-service password reset, multi-factor authentication configuration, and conditional access policies represent the security capabilities that administrators must understand both to configure them correctly and to troubleshoot them when users encounter authentication issues.
Role-based access control is the mechanism through which Azure administrators control who can perform which operations on which resources. The AZ-104 examination tests RBAC knowledge extensively because access control mistakes in production environments can have serious security consequences, and administrators who do not understand RBAC thoroughly will inevitably make mistakes that either expose resources to unauthorized access or prevent authorized users from doing their work.
Azure RBAC operates through role assignments that grant a security principal, which can be a user, group, service principal, or managed identity, a specific role at a specific scope. Understanding the scope hierarchy, where management groups contain subscriptions, subscriptions contain resource groups, and resource groups contain individual resources, is fundamental because permissions assigned at higher scopes inherit down to lower scopes. Built-in roles including Owner, Contributor, Reader, and the many service-specific built-in roles cover most common scenarios, but administrators must understand when custom roles are necessary and how to create them. The examination frequently presents scenarios requiring candidates to identify the minimum permissions necessary to accomplish a task, which tests genuine understanding of the principle of least privilege rather than just familiarity with role names.
Enterprise Azure environments rarely consist of a single subscription. Organizations typically use multiple subscriptions to separate concerns like production and non-production environments, to manage costs and billing boundaries, to implement security isolation between different business units, and to stay within service limits that apply at the subscription level. Azure management groups provide a hierarchy above subscriptions that allows governance policies, RBAC assignments, and other controls to be applied consistently across groups of subscriptions rather than requiring configuration in each subscription individually.
Understanding how to design and manage subscription and management group structures is genuine administrative knowledge that the AZ-104 tests. Azure Policy is the governance service that allows organizations to enforce rules across their Azure environment, ensuring that resources are deployed only in approved regions, that required tags are present on resources, that certain resource configurations are enforced or prevented, and that compliance with organizational standards can be audited and reported. Azure Blueprints provide a mechanism for packaging governance artifacts including policies, role assignments, and resource templates into reusable definitions that can be applied consistently when creating new environments. Administrators must understand how these governance tools work together to create environments that remain compliant as they evolve.
Azure storage is a vast topic that the AZ-104 examination addresses with considerable depth. Storage accounts are the top-level resource that contains Azure’s storage services including Blob Storage for unstructured object data, Azure Files for managed file shares, Queue Storage for message queuing, and Table Storage for structured NoSQL data. Understanding how to configure storage accounts correctly involves decisions about redundancy options, access tiers, networking controls, and security settings that have significant implications for cost, performance, availability, and security.
Storage redundancy options span from locally redundant storage that replicates data three times within a single datacenter through geo-redundant storage that replicates to a paired region and zone-redundant storage that replicates across availability zones. The examination tests candidates’ ability to recommend appropriate redundancy options for given availability requirements. Access tiers for Blob Storage including Hot, Cool, Cold, and Archive tiers have different storage cost and access cost tradeoffs that make each appropriate for different data access patterns. Lifecycle management policies allow automatic transitioning of blobs between tiers or deletion based on age and other criteria, enabling cost optimization without manual intervention. Candidates must understand both the mechanics of configuring these features and the reasoning for choosing among them in given scenarios.
Controlling access to Azure storage resources requires understanding several overlapping security mechanisms, and the AZ-104 examination tests this understanding in scenarios that require selecting the appropriate mechanism for given requirements. Storage account keys provide full administrative access to all data in a storage account and should be treated with the same care as root credentials. Shared Access Signatures provide time-limited, scope-limited tokens that grant specific permissions without exposing account keys, making them appropriate for granting temporary access to external parties or service components.
Microsoft Entra ID integration for storage access allows users and service principals to be granted access to storage resources through RBAC assignments rather than through keys or signatures, which is generally preferable for internal service access because it integrates with the same identity management system used for everything else in Azure. Storage firewall and virtual network rules restrict which networks can access storage account endpoints, providing network-level access control in addition to authentication-based control. Private Endpoints extend private network access to storage services, allowing access without traversing public networks. Understanding how to layer these mechanisms to achieve required security postures while maintaining necessary accessibility is practical administrative knowledge that appears throughout the examination.
Azure virtual machines represent one of the most commonly administered resource types in enterprise Azure environments, and the AZ-104 examination covers VM management in considerable depth. Deploying virtual machines involves decisions about VM size and series selection for appropriate compute resources, operating system image selection, disk configuration including OS disk and data disk sizing and types, availability configuration using availability sets or availability zones for resilience, and networking configuration connecting the VM to appropriate virtual networks and applying appropriate security controls.
Beyond initial deployment, ongoing VM management includes tasks that administrators perform regularly. Resizing virtual machines when workload requirements change requires understanding which size changes can be performed without downtime and which require deallocating the VM. Managing VM extensions allows automated configuration management and monitoring agent deployment. Azure Automation and Azure Policy guest configuration provide mechanisms for ensuring VMs remain configured correctly over time rather than drifting from desired states. Understanding backup configuration for VMs through Azure Backup connects VM management to the broader topic of data protection that administrators must handle. The examination tests both the mechanics of these operations and the judgment about when each approach is appropriate.
Virtual machine storage performance is a topic that separates administrators who understand Azure infrastructure deeply from those with only surface familiarity. Azure managed disks come in several types including Standard HDD, Standard SSD, Premium SSD, Premium SSD v2, and Ultra Disk, each with different performance characteristics and cost profiles. Selecting the appropriate disk type for a given workload requires understanding both the performance requirements of the application and the capabilities and limitations of each disk type.
Disk caching settings on Azure VMs significantly affect storage performance and should be configured based on the workload characteristics. Read-only caching is typically appropriate for OS disks and read-heavy data disks. Read-write caching suits disks where the combination of reads and writes benefits from caching. No caching is required for certain workloads like SQL Server data and log files where caching could compromise data integrity guarantees. Understanding how to size and configure disk configurations to meet performance requirements, how to expand disks without downtime for supported scenarios, and how to use temporary storage appropriately while understanding its non-persistent nature are all topics the examination addresses.
Azure administrators in modern environments are not limited to managing virtual machines. Platform-as-a-service compute options including Azure App Service for web applications and APIs, Azure Container Instances for simple containerized workloads, and Azure Kubernetes Service for orchestrated container environments represent an increasingly large portion of what Azure administrators manage. The AZ-104 examination reflects this reality by including these services in the compute domain.
Azure App Service is particularly important for examination preparation because it is widely used and has several administrative characteristics that require genuine understanding. App Service plans define the underlying compute resources that applications run on, and selecting appropriate plan tiers based on feature requirements and performance needs is an administrative decision with both cost and capability implications. Deployment slots allow staging environments within the same App Service plan with the ability to swap traffic between slots for zero-downtime deployments. Custom domain configuration and SSL certificate management are common administrative tasks. Scaling configuration including manual scaling and autoscaling rules based on metrics allows App Service applications to handle variable load appropriately. Each of these topics appears in examination scenarios.
Containerized applications have become mainstream in enterprise environments, and Azure administrators increasingly need to understand how to manage container infrastructure. Azure Container Instances provides the simplest container hosting option, suitable for simple or isolated container workloads that do not require orchestration. Azure Kubernetes Service provides managed Kubernetes cluster hosting for organizations running containerized applications at scale with requirements for orchestration, service discovery, and automated scaling.
The AZ-104 examination does not require deep Kubernetes expertise, but candidates must understand the administrative aspects of AKS clusters. This includes creating and configuring AKS clusters, understanding node pools and how they relate to the underlying virtual machine infrastructure, configuring cluster autoscaling, integrating AKS with Azure Container Registry for private image hosting, managing cluster upgrades, and implementing appropriate access controls using Kubernetes RBAC and its integration with Microsoft Entra ID. Azure Container Registry as a managed private registry for container images requires understanding of access control, georeplications, and webhook configuration for build automation. Candidates should be able to reason about when different container hosting options are appropriate for described scenarios.
Networking knowledge is essential for Azure administrators even though the AZ-700 covers networking at far greater depth. The AZ-104 expects administrators to be competent with the networking tasks that come up in daily Azure administration without necessarily having the specialized expertise of a dedicated network engineer. Virtual network creation and address space planning, subnet design and configuration, network security group creation and rule management, and virtual network peering configuration are all topics that appear in AZ-104 examination content.
Network security groups are particularly important because administrators configure them constantly when deploying new resources and troubleshoot them when connectivity problems arise. Understanding how NSG rules are evaluated, how priority determines which rule applies when multiple rules match, and how to diagnose connectivity issues caused by NSG rules are practical skills the examination tests. Azure DNS configuration including creating DNS zones, managing DNS records, and configuring virtual network DNS settings is another topic that administrators encounter regularly. Load balancing with Azure Load Balancer for layer four scenarios and Application Gateway for layer seven web application scenarios requires sufficient understanding to configure basic deployments and troubleshoot common issues.
Azure Monitor is the unified monitoring platform that collects, analyzes, and responds to telemetry from Azure resources, and administrator competence with monitoring tools is a genuine examination domain. Understanding the different components of Azure Monitor helps candidates reason about which monitoring capability addresses a given scenario. Metrics provide numerical time-series data about resource performance and health. Logs collected in Log Analytics workspaces provide detailed event and diagnostic information that can be queried using Kusto Query Language. Alerts provide notification and automated response when monitored conditions are met or exceeded.
Log Analytics and the Kusto Query Language used to query log data deserve meaningful study attention because the examination includes scenarios requiring candidates to understand what kinds of queries would surface specific information. This does not require becoming a KQL expert, but candidates should understand the basic structure of KQL queries, how to filter, aggregate, and project data, and how common diagnostic scenarios translate into query approaches. Azure Monitor Workbooks provide visualization and reporting capabilities. VM Insights and Container Insights provide specialized monitoring for those resource types. Application Insights provides application performance monitoring for application code. Understanding which monitoring tool addresses which scenario is the core knowledge the examination tests in this domain.
Monitoring without alerting provides visibility but not operational responsiveness, and configuring Azure alerts and action groups to notify and respond to important conditions is a core administrative capability. Azure alerts evaluate conditions against monitored data and trigger responses when those conditions are met. Alert rules specify what is monitored, what condition triggers the alert, and which action group handles the response. Understanding the different alert types including metric alerts, log search alerts, and activity log alerts, and knowing which alert type is appropriate for different monitoring scenarios, is examination content.
Action groups define the notifications and actions that execute when an alert fires. Notification options include email, SMS, voice call, and push notifications through the Azure mobile app. Action options include triggering Azure Automation runbooks, calling Azure Functions, invoking Logic Apps workflows, creating ITSM tickets, and using webhooks for custom integrations. Configuring action groups that provide appropriate notification to the right people while automating routine responses reduces the operational burden on administrators. The examination tests understanding of how alerts and action groups work together to create a responsive monitoring system and asks candidates to reason about appropriate configurations for described operational requirements.
Data protection through Azure Backup is an administrative responsibility that the AZ-104 examination addresses with practical depth. Administrators must understand how to configure backup for the resource types they manage, how to verify that backups are completing successfully, how to perform recovery operations when needed, and how to design backup policies that meet recovery point and recovery time objectives without unnecessary cost.
Recovery Services vault creation and configuration, backup policy design for virtual machines and other supported workload types, monitoring backup job status and responding to failures, and performing actual restore operations are all topics the examination covers. Soft delete protection that retains deleted backup data for additional time to enable recovery from accidental deletion or ransomware attacks is an important security feature administrators should understand and enable. Cross-region restore capabilities for geo-redundant vaults provide recovery options when primary regions are unavailable. The examination expects candidates to understand not just how to configure individual backup features but how to design comprehensive protection strategies for described scenarios with specific recovery requirements.
Azure administrators bear significant responsibility for keeping cloud costs under control while ensuring that resources provide the performance and availability the business requires. Cost management is therefore a genuine administrative competency that the AZ-104 examination addresses. Microsoft Cost Management provides tools for analyzing spending, understanding cost trends, identifying optimization opportunities, and implementing controls that prevent unexpected cost growth.
Budgets and cost alerts notify administrators and stakeholders when spending approaches or exceeds defined thresholds, enabling proactive response before costs significantly exceed expectations. Azure Advisor provides recommendations across cost, security, reliability, operational excellence, and performance dimensions, with cost recommendations specifically identifying opportunities like rightsizing oversized virtual machines, eliminating unused resources, and purchasing reserved instances for predictable workloads. Reserved instances and Azure Hybrid Benefit represent purchasing optimization strategies that can significantly reduce costs for stable workloads. Understanding how to analyze costs, interpret Advisor recommendations, and implement optimization measures while maintaining required service levels is practical administrative knowledge the examination validates.
Modern Azure administration increasingly relies on infrastructure as code approaches for consistent, repeatable, and auditable resource deployment rather than manual portal-based configuration. The AZ-104 examination reflects this reality by including deployment automation in its scope. Azure Resource Manager templates, which define Azure resources declaratively in JSON format, provide the foundational infrastructure as code capability in Azure. Bicep is a more recent domain-specific language that compiles to ARM templates while providing significantly improved authoring experience through cleaner syntax and better tooling support.
Candidates should understand how to read and interpret ARM templates and Bicep files, how to deploy them through the Azure portal, Azure CLI, and Azure PowerShell, and how to parameterize templates for reuse across different environments. Azure PowerShell and Azure CLI are both command-line tools for interacting with Azure resources, and administrators should be comfortable with both because different organizations and different tasks favor different tools. Understanding how to perform common administrative operations through scripts rather than only through the portal enables automation of repetitive tasks and consistent execution of complex multi-step procedures. The examination tests practical command-line knowledge rather than memorization of complete command syntax.
Preparing effectively for the AZ-104 demands a study strategy that combines conceptual understanding with hands-on practice across the full breadth of examination content. The examination’s scenario-based questions require reasoning about which approach is most appropriate for described situations, which means that memorizing feature descriptions provides far less value than understanding when and why different features and configurations are used. Building this kind of reasoned understanding requires working with actual Azure resources throughout the preparation process.
Creating a personal Azure subscription for hands-on practice is strongly recommended and can be managed cost-effectively by being deliberate about which resources are created and ensuring they are deleted when practice sessions are complete. Microsoft Learn provides structured learning paths specifically aligned with AZ-104 content that combine conceptual explanations with guided hands-on exercises in sandboxed Azure environments. Practice examinations from reputable providers help identify knowledge gaps and build familiarity with examination question styles, but candidates should use them as diagnostic tools to direct further study rather than as the primary study method. Joining study communities where preparation experiences and difficult concepts are discussed provides perspectives and explanations that individual study alone does not generate.
The AZ-104 Microsoft Azure Administrator certification represents one of the most valuable credentials available to cloud computing professionals, and earning it through thorough preparation delivers genuine career value precisely because it validates real competence rather than surface familiarity. The examination’s breadth across identity management, governance, storage, compute, networking, monitoring, and operational practices reflects the actual scope of responsibilities that Azure administrators carry in production environments.
Candidates who approach AZ-104 preparation as an opportunity to build genuine administrative competence rather than simply as a credential acquisition exercise will find that the preparation process itself makes them measurably more effective in their daily work. Understanding why Azure services work the way they do, when different configuration options are appropriate, and how different services interact within larger architectures provides value that extends far beyond passing a single examination.
The study journey toward AZ-104 certification is substantial and should not be underestimated. Microsoft has designed the examination to meaningfully separate professionals who can competently manage Azure environments from those who have only read about doing so. Hands-on practice is not supplementary to examination preparation. It is central to it. Concepts that seem clear when reading documentation frequently reveal their complexity when actually implemented, and those implementation experiences build the nuanced understanding that examination scenarios test.
Organizations deploying and depending on Azure infrastructure need administrators who understand the environment they manage at the depth the AZ-104 validates. The security implications of identity and access control mistakes, the performance consequences of storage and compute misconfiguration, the availability risks of inadequate backup and monitoring practices, and the cost consequences of unmanaged resource proliferation are all real business concerns that competent Azure administrators help organizations navigate successfully. The AZ-104 certification, earned through preparation that builds genuine competence, signals credibly that a professional is ready to carry these responsibilities. For Azure administrators at any stage of their career, the investment in preparing thoroughly for this examination represents one of the highest-return professional development decisions available in the current cloud computing landscape.