Why AZ-104 Is Still the Cloud Certification to Pass in 2026
The Microsoft Certified: Azure Administrator Associate credential, earned by passing the single AZ-104 exam, is the most in-demand intermediate Azure cert for IT professionals. Azure is the second-largest public cloud, and nearly every enterprise running Microsoft 365 also runs Azure infrastructure that needs administrators.
Unlike fundamentals-level certs that test vocabulary, AZ-104 validates that you can actually run an Azure environment: secure identities with Microsoft Entra ID, deploy compute, configure virtual networks, manage storage, and monitor it all. Employers treat it as proof you can do the job, not just describe it.
This guide is built to be the most complete and current AZ-104 resource you will find. It uses the skills-measured outline Microsoft last updated on April 17, 2026 and verifies every exam-logistics fact against the official Microsoft Learn certification page. You get the exam format, the current domains with what to study, hands-on lab focus, a 10-week plan, exam-day strategy, and free practice questions.
free AZ-104 practice questionsPractice questions with detailed explanations
AZ-104 Exam Overview
Quick Facts (verified against Microsoft Learn)
| Component | Details |
|---|---|
| Credential | Microsoft Certified: Azure Administrator Associate |
| Exam Code | AZ-104 (one exam, no prerequisite exam) |
| Questions | 40-60 (varies per session) |
| Duration | 100 minutes |
| Passing Score | 700 on a scaled 1-1000 range |
| Cost | $165 USD (US); varies by country |
| Delivery | Pearson VUE test center or online (OnVUE) |
| Format | Multiple choice, multi-select, build lists, drag-and-drop, case studies, possible interactive labs |
| Languages | English plus 9 others (localized ~8 weeks after English) |
| Validity | 12 months; renew free on Microsoft Learn |
| Level | Intermediate / Associate |
| Skills last updated | April 17, 2026 |
Watch the duration. Microsoft Learn states you have 100 minutes for AZ-104, not 120. Plan your pacing around roughly 1.5 to 2 minutes per question, with extra reserve for any interactive lab or case study.
Skills Measured Breakdown (April 17, 2026 outline)
| Domain | Weight | Key Topics |
|---|---|---|
| Manage Azure identities and governance | 20-25% | Entra ID users/groups, RBAC, Azure Policy, locks, tags, management groups, cost alerts |
| Implement and manage storage | 15-20% | Storage accounts, redundancy, SAS, access keys, Blob tiers, Files, lifecycle, AzCopy |
| Deploy and manage Azure compute resources | 20-25% | ARM/Bicep, VMs, VM Scale Sets, ACR, Container Instances, Container Apps, App Service |
| Implement and manage virtual networking | 15-20% | VNets/subnets, peering, NSGs/ASGs, Bastion, endpoints, DNS, load balancing |
| Monitor and maintain Azure resources | 10-15% | Azure Monitor, metrics/logs, alerts, Network Watcher, Backup, Site Recovery |
What changed in April 2026: Identities and governance rose to 20-25% (it was 15-20%) and networking dropped to 15-20% (it was 20-25%). Microsoft also fully adopted Microsoft Entra ID naming and expanded container coverage to include Azure Container Apps. The functional groups themselves were unchanged; the edits were weight and wording adjustments.
Domain 1: Manage Azure Identities and Governance (20-25%)
This is now the joint-largest domain, so invest here. It centers on Microsoft Entra ID (the rebranded Azure Active Directory), access control, and the governance guardrails that keep a subscription compliant.
Microsoft Entra ID (formerly Azure AD)
Core Concepts:
- Tenants: Each Microsoft Entra ID instance is a tenant; a subscription trusts exactly one tenant
- Users: Cloud-only vs. synchronized from on-prem AD via Entra Connect; guest (B2B) users
- Groups: Security groups vs. Microsoft 365 groups; assigned vs. dynamic membership
- Licenses: Free, P1, P2 tiers unlock different features (P2 adds Identity Protection, PIM)
Key Configuration Tasks:
- Create and manage users and groups (portal, CLI, PowerShell)
- Manage user and group properties and bulk operations
- Assign licenses to users and groups
- Manage external users (B2B collaboration and invitations)
- Configure self-service password reset (SSPR)
Role-Based Access Control (RBAC)
Built-in Roles (Know These):
- Owner: Full access including permissions management
- Contributor: Full access except permissions
- Reader: View all resources but cannot modify
- User Access Administrator: Manage user access to resources
Role Assignment Components:
- Security Principal: User, group, service principal, managed identity
- Role Definition: Collection of permissions
- Scope: Resource, resource group, subscription, management group
Custom Roles:
- Create with JSON role definition
- Use Azure CLI or PowerShell
- Cannot assign at tenant root level
Azure Policy
Policy Types:
- Built-in policies: Pre-created by Microsoft
- Custom policies: JSON definitions you create
Common Use Cases:
- Enforce tagging requirements
- Restrict VM sizes
- Require SQL encryption
- Audit compliance
Policy vs. RBAC:
- RBAC: Controls what you CAN do (authorization)
- Policy: Controls what you MUST do (compliance)
Governance Tools
Azure Blueprints:
- Deploy consistent environments
- Include ARM templates, policies, RBAC assignments
- Subscription-level deployment
Management Groups:
- Organize subscriptions hierarchically
- Apply policies/RBAC at scale
- Up to 10,000 management groups per tenant
Resource Locks:
- CanNotDelete: Prevent deletion
- ReadOnly: Prevent modification
- Apply at subscription, resource group, or resource level
Domain 2: Implement and Manage Storage (15-20%)
Azure Storage Account Types
| Type | Use Case | Redundancy |
|---|---|---|
| Standard (GPv2) | General purpose | LRS, ZRS, GRS, GZRS |
| Premium (Block Blobs) | Low latency apps | LRS, ZRS |
| Premium (File Shares) | High-performance file shares | LRS, ZRS |
| Premium (Page Blobs) | Premium SSD disks | LRS, ZRS |
Blob Storage
Access Tiers:
- Hot: Frequently accessed (highest storage cost, lowest access cost)
- Cool: Infrequently accessed (30+ days storage)
- Cold: Rarely accessed (90+ days storage)
- Archive: Rarely accessed (180+ days, hours retrieval)
Security:
- Shared Access Signatures (SAS): Time-limited access tokens; stored access policies for revocation
- Microsoft Entra ID authentication: RBAC for blob access
- Access keys: Account-level keys; rotate regularly
- Encryption: Always encrypted at rest (Microsoft-managed or customer-managed key)
Key Operations:
- Upload/download blobs (portal, CLI, SDK)
- Configure blob lifecycle policies
- Enable blob versioning
- Configure soft delete (7-365 days)
- Configure immutability policies
Azure Files
Use Cases:
- Lift-and-shift applications
- Shared application configuration
- Diagnostics and logs
- Development/test environments
Key Features:
- SMB and NFS protocols
- Identity-based access (Microsoft Entra Domain Services or on-prem AD DS)
- Hybrid access via File Sync
- Snapshots for point-in-time recovery
File Sync:
- Cache Azure file shares on Windows Server
- Tiering (cloud vs. local)
- Sync groups for multi-server scenarios
Storage Security and Management
Networking:
- Private endpoints for secure access
- Service endpoints (legacy approach)
- Firewall rules and virtual network rules
Monitoring:
- Storage Analytics metrics
- Diagnostic logging
- Capacity and transaction monitoring
Domain 3: Deploy and Manage Azure Compute Resources (20-25%)
The current outline leads this domain with infrastructure as code, so do not skip ARM templates and Bicep. Container coverage now explicitly includes Azure Container Apps alongside Container Instances and Container Registry.
ARM Templates and Bicep (read these closely)
The exam expects you to interpret and modify declarative deployments, not author them from scratch.
What to know:
- Read an ARM template's
parameters,variables,resources, andoutputssections - Read a Bicep file and map it to the equivalent ARM template (Bicep is the cleaner DSL that compiles to ARM JSON)
- Modify an existing template or Bicep file (change a SKU, add a resource, parameterize a value)
- Deploy a template or Bicep file via
az deployment group createorNew-AzResourceGroupDeployment - Export a deployed resource group as a template, and convert ARM JSON to Bicep with
az bicep decompile
Virtual Machines
VM Sizes (Know the Families):
- A-series: Entry-level, dev/test
- B-series: Burstable, cost-effective
- D-series: General purpose, balanced
- E-series: Memory optimized
- F-series: Compute optimized
- H-series: High performance computing
- L-series: Storage optimized
- M-series: Memory optimized (large)
Disk Types:
- Ultra Disk: Sub-millisecond latency, configurable performance
- Premium SSD: High performance, production workloads
- Standard SSD: Consistent performance, lower cost
- Standard HDD: Lowest cost, dev/test acceptable
Availability Options:
- Availability Sets: 2+ fault domains, 5 update domains
- Availability Zones: Physically separate datacenters
- Virtual Machine Scale Sets: Auto-scaling groups
Configuration Tasks:
- Deploy VMs (portal, CLI, ARM templates)
- Configure extensions (custom script, DSC, etc.)
- Configure disk encryption (Azure Disk Encryption)
- Configure networking (VNet, NSG, public IP)
- Configure monitoring and diagnostics
App Service
App Types:
- Web Apps
- API Apps
- WebJobs (background tasks)
- Mobile Apps (legacy)
Deployment Options:
- Git/GitHub integration
- Azure DevOps
- Container registry
- ZIP deploy
- FTP
Scaling:
- Scale up: Change to larger App Service plan
- Scale out: Increase instance count (auto-scale supported)
Key Features:
- Deployment slots (staging/production)
- Custom domains and SSL
- Authentication/Authorization (Easy Auth)
- Hybrid connections
- VNet integration
Container Services
Azure Kubernetes Service (AKS):
- Managed Kubernetes control plane
- Node pools and cluster autoscaler
- Microsoft Entra ID integration
- Container networking policies
Azure Container Instances (ACI):
- Serverless single containers
- No orchestration complexity
- Fast startup times
- Per-second billing
Azure Container Apps (now on the blueprint):
- Serverless containers built on Kubernetes and KEDA, without managing a cluster
- Built-in autoscaling, including scale-to-zero, driven by HTTP traffic or events
- Revisions, traffic splitting, and managed ingress
- Know how it differs from ACI (event-driven microservices and scaling) and AKS (no cluster to operate)
Azure Container Registry (ACR):
- Private Docker registry
- Geo-replication
- Content trust and signing
- Tasks for automated builds
Azure Functions
Hosting Plans:
- Consumption: Serverless, pay-per-execution
- Premium: Pre-warmed workers, VNet integration
- App Service Plan: Run on dedicated VMs
Triggers and Bindings:
- HTTP triggers (REST APIs)
- Timer triggers (scheduled tasks)
- Queue/Topic triggers (message processing)
- Blob triggers (file processing)
- Event Grid/Event Hub triggers
Domain 4: Implement and Manage Virtual Networking (15-20%)
This domain's weight dropped slightly in April 2026, but it is still heavily tested and a common weak spot. The current outline emphasizes VNets and subnets, peering, NSGs and ASGs, Azure Bastion, service and private endpoints, Azure DNS, load balancing, and connectivity troubleshooting. Note: ExpressRoute and Azure Firewall are useful background but are not core bullets on the current AZ-104 outline, so prioritize the items above.
Virtual Networks (VNets)
Address Space:
- Use private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Plan for growth (avoid small subnets)
- No overlapping address spaces in peering
Subnets:
- Segregate by workload type
- Reserve gateway subnet for VPN/ExpressRoute
- Use NSGs at subnet level
VNet Peering:
- Connect VNets (same or different regions)
- Transitive routing limitations
- Gateway transit for shared connectivity
Network Security
Network Security Groups (NSGs):
- Filter traffic at subnet and NIC levels
- Default rules (allow VNet, allow Azure LB, deny all inbound)
- Custom rules with priority (100-4096)
- Stateful inspection
Application Security Groups (ASGs):
- Group VMs by application role
- Reference ASGs in NSG rules instead of IP addresses
- Simplify security rule management
Azure Bastion (explicit blueprint item):
- Secure RDP/SSH to VMs through the portal over TLS, with no public IP on the VM
- Removes the need to expose port 3389/22 to the internet
- Know when to choose Bastion over a jump box or just-in-time VM access
Service endpoints vs. private endpoints (know the difference):
- Service endpoints: extend your VNet identity to a PaaS service over the Azure backbone; the service still has a public IP
- Private endpoints: give the PaaS service a private IP inside your VNet via Azure Private Link; traffic never touches the public internet
Azure Firewall (background context):
- Managed firewall as a service
- Threat intelligence integration
- SNAT/DNAT capabilities
- Hub-and-spoke architecture support
Connectivity Options
VPN Gateway:
- Site-to-site (S2S) VPN
- Point-to-site (P2S) VPN
- VNet-to-VNet VPN
- Gateway SKUs (Basic, VpnGw1-5)
ExpressRoute:
- Private connection to Azure (not over internet)
- Layer 3 connectivity via partner
- Higher bandwidth, lower latency than VPN
- More expensive than VPN
Azure Private Link:
- Private connectivity to PaaS services
- Bypass public internet
- Private Endpoint for resource access
- Private Link Service for your own services
Load Balancing
Azure Load Balancer:
- Layer 4 (TCP/UDP) load balancing
- Public and internal SKUs
- Health probes for backend monitoring
- Distribution modes (hash-based, source IP affinity)
Azure Application Gateway:
- Layer 7 (HTTP/HTTPS) load balancing
- Web Application Firewall (WAF)
- SSL termination
- URL-based routing
- Session affinity
Azure Front Door:
- Global load balancing
- CDN capabilities
- WAF at edge
- Dynamic site acceleration
Azure Traffic Manager:
- DNS-based traffic routing
- Geographic routing
- Performance routing
- Failover routing
Domain 5: Monitor and Maintain Azure Resources (10-15%)
Azure Monitor
Components:
- Metrics: Numerical data (performance counters)
- Logs: Structured and unstructured log data
- Alerts: Proactive notifications
- Workbooks: Interactive reports
- Insights: Pre-built monitoring for specific services
Log Analytics Workspace:
- Central log repository
- KQL (Kusto Query Language) for queries
- Retention configuration (30-730 days)
- Pricing tiers
Application Insights:
- Application Performance Monitoring (APM)
- Distributed tracing
- Exception tracking
- Availability tests
Network Watcher and Connection Monitor (blueprint items):
- Connection Monitor: continuous reachability and latency checks between endpoints
- IP flow verify: confirm whether an NSG rule allows or denies specific traffic
- Next hop: diagnose routing and user-defined route problems
- NSG flow logs: capture allowed/denied traffic for auditing and troubleshooting
Know the metrics-vs-logs distinction. A frequent exam trap: Azure Monitor metrics are numeric, near-real-time, and good for alerts; logs (queried with KQL in Log Analytics) are richer and better for investigation. Pick the right one for each scenario.
Backup and Recovery
Azure Backup:
- Create a Recovery Services vault (VMs, MARS agent, SQL/SAP HANA in VM) and an Azure Backup vault (newer vault type the current outline calls out)
- VM backup (app-consistent)
- File/folder backup (MARS agent)
- SQL Server in VM and SAP HANA backup
- Backup policies, retention, and soft delete protection
Azure Site Recovery:
- Disaster recovery for VMs
- On-prem to Azure replication
- Azure region-to-region replication
- Recovery plans for orchestrated failover
Configuration Tasks:
- Configure backup policies
- Perform test restores
- Configure retention policies
- Set up replication
Resource Optimization
Azure Advisor:
- Cost recommendations
- Security recommendations
- High availability recommendations
- Performance recommendations
- Operational excellence recommendations
Cost Management:
- Budgets and alerts
- Cost analysis
- Reserved instance recommendations
- Tagging for chargeback
10-Week AZ-104 Study Plan
Weeks 1-2: Azure Fundamentals
Week 1: Microsoft Entra ID and Identity
- Microsoft Entra ID fundamentals
- User and group management
- RBAC concepts and implementation
- Azure Policy basics
Hands-on Labs:
- Create Microsoft Entra ID users and groups
- Assign RBAC roles at different scopes
- Create and apply Azure Policy
Week 2: Governance and Subscription Management
- Subscription types and billing
- Management groups
- Resource locks
- Cost management and tagging
Weeks 3-4: Storage and Networking
Week 3: Azure Storage
- Storage account types and configuration
- Blob storage tiers
- Azure Files and File Sync
- Storage security (SAS, encryption)
Hands-on Labs:
- Create storage accounts with different redundancy
- Upload blobs and configure lifecycle policies
- Set up Azure Files share
- Generate and test SAS tokens
Week 4: Virtual Networking
- VNet and subnet design
- NSG configuration
- VNet peering
- Private endpoints
Hands-on Labs:
- Create VNet with multiple subnets
- Configure NSG rules
- Set up VNet peering between two VNets
- Configure private endpoint for storage
Weeks 5-6: Compute Resources
Week 5: Virtual Machines
- VM deployment and sizing
- Disk types and configuration
- Availability Sets and Zones
- VM extensions
Hands-on Labs:
- Deploy VMs in Availability Set
- Configure managed disks
- Set up VM extensions
- Configure VM monitoring
Week 6: ARM/Bicep, App Service, and Containers
- Read and modify ARM templates and Bicep files; deploy and export them
- App Service plans, scaling, deployment slots, and TLS
- Container services (ACR, Container Instances, Container Apps)
Hands-on Labs:
- Deploy a resource group from a Bicep file, then export it back to an ARM template
- Deploy a web app and add a staging deployment slot
- Push an image to ACR and run it on Container Instances
- Deploy a container to Azure Container Apps with scale-to-zero
Weeks 7-8: Advanced Networking and Security
Week 7: Advanced Networking
- Load balancing options
- VPN Gateway configuration
- ExpressRoute concepts
- Azure Firewall
Hands-on Labs:
- Configure Load Balancer
- Set up VPN Gateway
- Configure Azure Firewall
Week 8: Security and Compliance
- Azure Security Center/Defender
- Azure Key Vault
- Microsoft Entra ID conditional access
- Encryption at rest and in transit
Weeks 9-10: Monitoring and Final Prep
Week 9: Monitoring and Maintenance
- Azure Monitor and Log Analytics
- Alerts and action groups
- Backup and Site Recovery
- Azure Advisor
Hands-on Labs:
- Create Log Analytics workspace
- Set up alerts
- Configure VM backup
- Review Azure Advisor recommendations
Week 10: Practice Exams and Review
- Full-length practice exams
- Weak area review
- Hands-on scenario practice
- Final review of all domains
Hands-On Lab Recommendations
Free Resources
-
Microsoft Learn Sandboxes
- Free Azure environment for exercises
- Accessible via Microsoft Learn modules
- No credit card required
-
Azure Free Account
- $200 credit for 30 days
- 12 months of free services
- Always free services after trial
-
Visual Studio Subscription
- Monthly Azure credits ($50-150)
- Access to Azure DevOps features
- Developer tools
Practice Projects
Beginner Projects:
- Deploy 3-tier web application (web/app/database)
- Set up VNet with private subnet
- Configure Microsoft Entra ID authentication
Intermediate Projects:
- Deploy AKS cluster with ingress controller
- Configure site-to-site VPN simulation
- Implement Azure Policy compliance framework
Advanced Projects:
- Multi-region disaster recovery setup
- Hybrid identity architecture
- Complex networking with hub-and-spoke
Exam Day Tips
Preparation Checklist
- Review official skills measured
- Complete hands-on labs
- Take practice exams (scoring 80%+)
- Review case study strategies
- Check system requirements for online exam
Question Strategy
- Read carefully - Azure questions often have subtle details
- Eliminate wrong answers - Narrow down options
- Watch for distractors - Similar services (Blob vs. Files)
- Consider cost - Often the differentiating factor
- Mark for review - Don't spend too long on one question
Case Studies
- Read all case information before questions
- Take notes on key requirements
- Questions often build on each other
- Refer back to case details as needed
Career Impact and Next Steps
Salary Expectations
| Role | Avg Salary (US) | With AZ-104 |
|---|---|---|
| Systems Administrator | $70,000 | $85,000-95,000 |
| Cloud Administrator | $95,000 | $105,000-120,000 |
| Azure Engineer | $110,000 | $120,000-140,000 |
| DevOps Engineer | $115,000 | $125,000-145,000 |
Career Path After AZ-104
Intermediate Certifications:
- AZ-500: Azure Security Engineer
- AZ-700: Azure Network Engineer
- AZ-400: Azure DevOps Engineer
Advanced Certifications:
- AZ-305: Azure Solutions Architect
- AZ-600: Azure Stack Hub Operator
Related Paths:
- Cloud architecture
- Site reliability engineering
- Cloud security specialization
- DevOps and automation
Conclusion
The AZ-104 Azure Administrator certification validates your ability to implement and manage Microsoft Azure environments, a skill set in high demand across virtually every industry.
The exam requires both theoretical knowledge and practical experience. You cannot pass by memorizing facts alone; you need hands-on time with Azure services, including reading a Bicep file and configuring NSGs, RBAC, and storage redundancy.
Follow the 10-week study plan, complete the recommended labs, and drill scenario-based questions against the current April 2026 blueprint. With consistent hands-on practice you'll join the ranks of certified Azure Administrators.
