Technology19 min read

AZ-104 Study Guide 2026: Pass the Azure Administrator Exam

Complete 2026 AZ-104 Azure Administrator guide: current skills-measured domains (April 17, 2026 update), 100-minute exam format, $165 cost, hands-on labs, a 10-week study plan, and free practice questions.

Ran Chen, EA, CFP®March 5, 2026

Key Facts

  • The AZ-104 exam gives candidates 100 minutes and typically contains 40-60 questions (Microsoft Learn).
  • The AZ-104 passing score is 700 on a scaled range of 1 to 1000 (Microsoft Learn).
  • The AZ-104 exam fee is $165 USD in the United States, scheduled through Pearson VUE.
  • AZ-104 tests five domains: Identities and Governance 20-25%, Storage 15-20%, Compute 20-25%, Networking 15-20%, Monitoring 10-15%.
  • Microsoft last updated the AZ-104 skills-measured outline on April 17, 2026, adjusting domain weights.
  • The April 2026 AZ-104 outline tests ARM templates and Bicep files, Azure Container Apps, Azure Bastion, and Network Watcher.
  • AZ-104 now uses Microsoft Entra ID terminology, the rebranded name for Azure Active Directory since 2023.
  • The Microsoft Certified: Azure Administrator Associate credential renews for free yearly via an online Microsoft Learn assessment.
  • A new Azure free account provides $200 in credit for 30 days plus 12 months of selected free services for labs.
  • Microsoft recommends candidates have prior experience with PowerShell, Azure CLI, the Azure portal, ARM or Bicep, and Microsoft Entra ID.

📺 Watch the Video

Why AZ-104 Is Still the Cloud Certification to Pass in 2026

The Microsoft Certified: Azure Administrator Associate credential, earned by passing the single AZ-104 exam, is the most in-demand intermediate Azure cert for IT professionals. Azure is the second-largest public cloud, and nearly every enterprise running Microsoft 365 also runs Azure infrastructure that needs administrators.

Unlike fundamentals-level certs that test vocabulary, AZ-104 validates that you can actually run an Azure environment: secure identities with Microsoft Entra ID, deploy compute, configure virtual networks, manage storage, and monitor it all. Employers treat it as proof you can do the job, not just describe it.

This guide is built to be the most complete and current AZ-104 resource you will find. It uses the skills-measured outline Microsoft last updated on April 17, 2026 and verifies every exam-logistics fact against the official Microsoft Learn certification page. You get the exam format, the current domains with what to study, hands-on lab focus, a 10-week plan, exam-day strategy, and free practice questions.

free AZ-104 practice questionsPractice questions with detailed explanations

AZ-104 Exam Overview

Quick Facts (verified against Microsoft Learn)

ComponentDetails
CredentialMicrosoft Certified: Azure Administrator Associate
Exam CodeAZ-104 (one exam, no prerequisite exam)
Questions40-60 (varies per session)
Duration100 minutes
Passing Score700 on a scaled 1-1000 range
Cost$165 USD (US); varies by country
DeliveryPearson VUE test center or online (OnVUE)
FormatMultiple choice, multi-select, build lists, drag-and-drop, case studies, possible interactive labs
LanguagesEnglish plus 9 others (localized ~8 weeks after English)
Validity12 months; renew free on Microsoft Learn
LevelIntermediate / Associate
Skills last updatedApril 17, 2026

Watch the duration. Microsoft Learn states you have 100 minutes for AZ-104, not 120. Plan your pacing around roughly 1.5 to 2 minutes per question, with extra reserve for any interactive lab or case study.

Skills Measured Breakdown (April 17, 2026 outline)

DomainWeightKey Topics
Manage Azure identities and governance20-25%Entra ID users/groups, RBAC, Azure Policy, locks, tags, management groups, cost alerts
Implement and manage storage15-20%Storage accounts, redundancy, SAS, access keys, Blob tiers, Files, lifecycle, AzCopy
Deploy and manage Azure compute resources20-25%ARM/Bicep, VMs, VM Scale Sets, ACR, Container Instances, Container Apps, App Service
Implement and manage virtual networking15-20%VNets/subnets, peering, NSGs/ASGs, Bastion, endpoints, DNS, load balancing
Monitor and maintain Azure resources10-15%Azure Monitor, metrics/logs, alerts, Network Watcher, Backup, Site Recovery

What changed in April 2026: Identities and governance rose to 20-25% (it was 15-20%) and networking dropped to 15-20% (it was 20-25%). Microsoft also fully adopted Microsoft Entra ID naming and expanded container coverage to include Azure Container Apps. The functional groups themselves were unchanged; the edits were weight and wording adjustments.


Domain 1: Manage Azure Identities and Governance (20-25%)

This is now the joint-largest domain, so invest here. It centers on Microsoft Entra ID (the rebranded Azure Active Directory), access control, and the governance guardrails that keep a subscription compliant.

Microsoft Entra ID (formerly Azure AD)

Core Concepts:

  • Tenants: Each Microsoft Entra ID instance is a tenant; a subscription trusts exactly one tenant
  • Users: Cloud-only vs. synchronized from on-prem AD via Entra Connect; guest (B2B) users
  • Groups: Security groups vs. Microsoft 365 groups; assigned vs. dynamic membership
  • Licenses: Free, P1, P2 tiers unlock different features (P2 adds Identity Protection, PIM)

Key Configuration Tasks:

  • Create and manage users and groups (portal, CLI, PowerShell)
  • Manage user and group properties and bulk operations
  • Assign licenses to users and groups
  • Manage external users (B2B collaboration and invitations)
  • Configure self-service password reset (SSPR)

Role-Based Access Control (RBAC)

Built-in Roles (Know These):

  • Owner: Full access including permissions management
  • Contributor: Full access except permissions
  • Reader: View all resources but cannot modify
  • User Access Administrator: Manage user access to resources

Role Assignment Components:

  1. Security Principal: User, group, service principal, managed identity
  2. Role Definition: Collection of permissions
  3. Scope: Resource, resource group, subscription, management group

Custom Roles:

  • Create with JSON role definition
  • Use Azure CLI or PowerShell
  • Cannot assign at tenant root level

Azure Policy

Policy Types:

  • Built-in policies: Pre-created by Microsoft
  • Custom policies: JSON definitions you create

Common Use Cases:

  • Enforce tagging requirements
  • Restrict VM sizes
  • Require SQL encryption
  • Audit compliance

Policy vs. RBAC:

  • RBAC: Controls what you CAN do (authorization)
  • Policy: Controls what you MUST do (compliance)

Governance Tools

Azure Blueprints:

  • Deploy consistent environments
  • Include ARM templates, policies, RBAC assignments
  • Subscription-level deployment

Management Groups:

  • Organize subscriptions hierarchically
  • Apply policies/RBAC at scale
  • Up to 10,000 management groups per tenant

Resource Locks:

  • CanNotDelete: Prevent deletion
  • ReadOnly: Prevent modification
  • Apply at subscription, resource group, or resource level

Domain 2: Implement and Manage Storage (15-20%)

Azure Storage Account Types

TypeUse CaseRedundancy
Standard (GPv2)General purposeLRS, ZRS, GRS, GZRS
Premium (Block Blobs)Low latency appsLRS, ZRS
Premium (File Shares)High-performance file sharesLRS, ZRS
Premium (Page Blobs)Premium SSD disksLRS, ZRS

Blob Storage

Access Tiers:

  • Hot: Frequently accessed (highest storage cost, lowest access cost)
  • Cool: Infrequently accessed (30+ days storage)
  • Cold: Rarely accessed (90+ days storage)
  • Archive: Rarely accessed (180+ days, hours retrieval)

Security:

  • Shared Access Signatures (SAS): Time-limited access tokens; stored access policies for revocation
  • Microsoft Entra ID authentication: RBAC for blob access
  • Access keys: Account-level keys; rotate regularly
  • Encryption: Always encrypted at rest (Microsoft-managed or customer-managed key)

Key Operations:

  • Upload/download blobs (portal, CLI, SDK)
  • Configure blob lifecycle policies
  • Enable blob versioning
  • Configure soft delete (7-365 days)
  • Configure immutability policies

Azure Files

Use Cases:

  • Lift-and-shift applications
  • Shared application configuration
  • Diagnostics and logs
  • Development/test environments

Key Features:

  • SMB and NFS protocols
  • Identity-based access (Microsoft Entra Domain Services or on-prem AD DS)
  • Hybrid access via File Sync
  • Snapshots for point-in-time recovery

File Sync:

  • Cache Azure file shares on Windows Server
  • Tiering (cloud vs. local)
  • Sync groups for multi-server scenarios

Storage Security and Management

Networking:

  • Private endpoints for secure access
  • Service endpoints (legacy approach)
  • Firewall rules and virtual network rules

Monitoring:

  • Storage Analytics metrics
  • Diagnostic logging
  • Capacity and transaction monitoring

Domain 3: Deploy and Manage Azure Compute Resources (20-25%)

The current outline leads this domain with infrastructure as code, so do not skip ARM templates and Bicep. Container coverage now explicitly includes Azure Container Apps alongside Container Instances and Container Registry.

ARM Templates and Bicep (read these closely)

The exam expects you to interpret and modify declarative deployments, not author them from scratch.

What to know:

  • Read an ARM template's parameters, variables, resources, and outputs sections
  • Read a Bicep file and map it to the equivalent ARM template (Bicep is the cleaner DSL that compiles to ARM JSON)
  • Modify an existing template or Bicep file (change a SKU, add a resource, parameterize a value)
  • Deploy a template or Bicep file via az deployment group create or New-AzResourceGroupDeployment
  • Export a deployed resource group as a template, and convert ARM JSON to Bicep with az bicep decompile

Virtual Machines

VM Sizes (Know the Families):

  • A-series: Entry-level, dev/test
  • B-series: Burstable, cost-effective
  • D-series: General purpose, balanced
  • E-series: Memory optimized
  • F-series: Compute optimized
  • H-series: High performance computing
  • L-series: Storage optimized
  • M-series: Memory optimized (large)

Disk Types:

  • Ultra Disk: Sub-millisecond latency, configurable performance
  • Premium SSD: High performance, production workloads
  • Standard SSD: Consistent performance, lower cost
  • Standard HDD: Lowest cost, dev/test acceptable

Availability Options:

  • Availability Sets: 2+ fault domains, 5 update domains
  • Availability Zones: Physically separate datacenters
  • Virtual Machine Scale Sets: Auto-scaling groups

Configuration Tasks:

  • Deploy VMs (portal, CLI, ARM templates)
  • Configure extensions (custom script, DSC, etc.)
  • Configure disk encryption (Azure Disk Encryption)
  • Configure networking (VNet, NSG, public IP)
  • Configure monitoring and diagnostics

App Service

App Types:

  • Web Apps
  • API Apps
  • WebJobs (background tasks)
  • Mobile Apps (legacy)

Deployment Options:

  • Git/GitHub integration
  • Azure DevOps
  • Container registry
  • ZIP deploy
  • FTP

Scaling:

  • Scale up: Change to larger App Service plan
  • Scale out: Increase instance count (auto-scale supported)

Key Features:

  • Deployment slots (staging/production)
  • Custom domains and SSL
  • Authentication/Authorization (Easy Auth)
  • Hybrid connections
  • VNet integration

Container Services

Azure Kubernetes Service (AKS):

  • Managed Kubernetes control plane
  • Node pools and cluster autoscaler
  • Microsoft Entra ID integration
  • Container networking policies

Azure Container Instances (ACI):

  • Serverless single containers
  • No orchestration complexity
  • Fast startup times
  • Per-second billing

Azure Container Apps (now on the blueprint):

  • Serverless containers built on Kubernetes and KEDA, without managing a cluster
  • Built-in autoscaling, including scale-to-zero, driven by HTTP traffic or events
  • Revisions, traffic splitting, and managed ingress
  • Know how it differs from ACI (event-driven microservices and scaling) and AKS (no cluster to operate)

Azure Container Registry (ACR):

  • Private Docker registry
  • Geo-replication
  • Content trust and signing
  • Tasks for automated builds

Azure Functions

Hosting Plans:

  • Consumption: Serverless, pay-per-execution
  • Premium: Pre-warmed workers, VNet integration
  • App Service Plan: Run on dedicated VMs

Triggers and Bindings:

  • HTTP triggers (REST APIs)
  • Timer triggers (scheduled tasks)
  • Queue/Topic triggers (message processing)
  • Blob triggers (file processing)
  • Event Grid/Event Hub triggers

Domain 4: Implement and Manage Virtual Networking (15-20%)

This domain's weight dropped slightly in April 2026, but it is still heavily tested and a common weak spot. The current outline emphasizes VNets and subnets, peering, NSGs and ASGs, Azure Bastion, service and private endpoints, Azure DNS, load balancing, and connectivity troubleshooting. Note: ExpressRoute and Azure Firewall are useful background but are not core bullets on the current AZ-104 outline, so prioritize the items above.

Virtual Networks (VNets)

Address Space:

  • Use private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Plan for growth (avoid small subnets)
  • No overlapping address spaces in peering

Subnets:

  • Segregate by workload type
  • Reserve gateway subnet for VPN/ExpressRoute
  • Use NSGs at subnet level

VNet Peering:

  • Connect VNets (same or different regions)
  • Transitive routing limitations
  • Gateway transit for shared connectivity

Network Security

Network Security Groups (NSGs):

  • Filter traffic at subnet and NIC levels
  • Default rules (allow VNet, allow Azure LB, deny all inbound)
  • Custom rules with priority (100-4096)
  • Stateful inspection

Application Security Groups (ASGs):

  • Group VMs by application role
  • Reference ASGs in NSG rules instead of IP addresses
  • Simplify security rule management

Azure Bastion (explicit blueprint item):

  • Secure RDP/SSH to VMs through the portal over TLS, with no public IP on the VM
  • Removes the need to expose port 3389/22 to the internet
  • Know when to choose Bastion over a jump box or just-in-time VM access

Service endpoints vs. private endpoints (know the difference):

  • Service endpoints: extend your VNet identity to a PaaS service over the Azure backbone; the service still has a public IP
  • Private endpoints: give the PaaS service a private IP inside your VNet via Azure Private Link; traffic never touches the public internet

Azure Firewall (background context):

  • Managed firewall as a service
  • Threat intelligence integration
  • SNAT/DNAT capabilities
  • Hub-and-spoke architecture support

Connectivity Options

VPN Gateway:

  • Site-to-site (S2S) VPN
  • Point-to-site (P2S) VPN
  • VNet-to-VNet VPN
  • Gateway SKUs (Basic, VpnGw1-5)

ExpressRoute:

  • Private connection to Azure (not over internet)
  • Layer 3 connectivity via partner
  • Higher bandwidth, lower latency than VPN
  • More expensive than VPN

Azure Private Link:

  • Private connectivity to PaaS services
  • Bypass public internet
  • Private Endpoint for resource access
  • Private Link Service for your own services

Load Balancing

Azure Load Balancer:

  • Layer 4 (TCP/UDP) load balancing
  • Public and internal SKUs
  • Health probes for backend monitoring
  • Distribution modes (hash-based, source IP affinity)

Azure Application Gateway:

  • Layer 7 (HTTP/HTTPS) load balancing
  • Web Application Firewall (WAF)
  • SSL termination
  • URL-based routing
  • Session affinity

Azure Front Door:

  • Global load balancing
  • CDN capabilities
  • WAF at edge
  • Dynamic site acceleration

Azure Traffic Manager:

  • DNS-based traffic routing
  • Geographic routing
  • Performance routing
  • Failover routing

Domain 5: Monitor and Maintain Azure Resources (10-15%)

Azure Monitor

Components:

  • Metrics: Numerical data (performance counters)
  • Logs: Structured and unstructured log data
  • Alerts: Proactive notifications
  • Workbooks: Interactive reports
  • Insights: Pre-built monitoring for specific services

Log Analytics Workspace:

  • Central log repository
  • KQL (Kusto Query Language) for queries
  • Retention configuration (30-730 days)
  • Pricing tiers

Application Insights:

  • Application Performance Monitoring (APM)
  • Distributed tracing
  • Exception tracking
  • Availability tests

Network Watcher and Connection Monitor (blueprint items):

  • Connection Monitor: continuous reachability and latency checks between endpoints
  • IP flow verify: confirm whether an NSG rule allows or denies specific traffic
  • Next hop: diagnose routing and user-defined route problems
  • NSG flow logs: capture allowed/denied traffic for auditing and troubleshooting

Know the metrics-vs-logs distinction. A frequent exam trap: Azure Monitor metrics are numeric, near-real-time, and good for alerts; logs (queried with KQL in Log Analytics) are richer and better for investigation. Pick the right one for each scenario.

Backup and Recovery

Azure Backup:

  • Create a Recovery Services vault (VMs, MARS agent, SQL/SAP HANA in VM) and an Azure Backup vault (newer vault type the current outline calls out)
  • VM backup (app-consistent)
  • File/folder backup (MARS agent)
  • SQL Server in VM and SAP HANA backup
  • Backup policies, retention, and soft delete protection

Azure Site Recovery:

  • Disaster recovery for VMs
  • On-prem to Azure replication
  • Azure region-to-region replication
  • Recovery plans for orchestrated failover

Configuration Tasks:

  • Configure backup policies
  • Perform test restores
  • Configure retention policies
  • Set up replication

Resource Optimization

Azure Advisor:

  • Cost recommendations
  • Security recommendations
  • High availability recommendations
  • Performance recommendations
  • Operational excellence recommendations

Cost Management:

  • Budgets and alerts
  • Cost analysis
  • Reserved instance recommendations
  • Tagging for chargeback

10-Week AZ-104 Study Plan

Weeks 1-2: Azure Fundamentals

Week 1: Microsoft Entra ID and Identity

  • Microsoft Entra ID fundamentals
  • User and group management
  • RBAC concepts and implementation
  • Azure Policy basics

Hands-on Labs:

  • Create Microsoft Entra ID users and groups
  • Assign RBAC roles at different scopes
  • Create and apply Azure Policy

Week 2: Governance and Subscription Management

  • Subscription types and billing
  • Management groups
  • Resource locks
  • Cost management and tagging

Weeks 3-4: Storage and Networking

Week 3: Azure Storage

  • Storage account types and configuration
  • Blob storage tiers
  • Azure Files and File Sync
  • Storage security (SAS, encryption)

Hands-on Labs:

  • Create storage accounts with different redundancy
  • Upload blobs and configure lifecycle policies
  • Set up Azure Files share
  • Generate and test SAS tokens

Week 4: Virtual Networking

  • VNet and subnet design
  • NSG configuration
  • VNet peering
  • Private endpoints

Hands-on Labs:

  • Create VNet with multiple subnets
  • Configure NSG rules
  • Set up VNet peering between two VNets
  • Configure private endpoint for storage

Weeks 5-6: Compute Resources

Week 5: Virtual Machines

  • VM deployment and sizing
  • Disk types and configuration
  • Availability Sets and Zones
  • VM extensions

Hands-on Labs:

  • Deploy VMs in Availability Set
  • Configure managed disks
  • Set up VM extensions
  • Configure VM monitoring

Week 6: ARM/Bicep, App Service, and Containers

  • Read and modify ARM templates and Bicep files; deploy and export them
  • App Service plans, scaling, deployment slots, and TLS
  • Container services (ACR, Container Instances, Container Apps)

Hands-on Labs:

  • Deploy a resource group from a Bicep file, then export it back to an ARM template
  • Deploy a web app and add a staging deployment slot
  • Push an image to ACR and run it on Container Instances
  • Deploy a container to Azure Container Apps with scale-to-zero

Weeks 7-8: Advanced Networking and Security

Week 7: Advanced Networking

  • Load balancing options
  • VPN Gateway configuration
  • ExpressRoute concepts
  • Azure Firewall

Hands-on Labs:

  • Configure Load Balancer
  • Set up VPN Gateway
  • Configure Azure Firewall

Week 8: Security and Compliance

  • Azure Security Center/Defender
  • Azure Key Vault
  • Microsoft Entra ID conditional access
  • Encryption at rest and in transit

Weeks 9-10: Monitoring and Final Prep

Week 9: Monitoring and Maintenance

  • Azure Monitor and Log Analytics
  • Alerts and action groups
  • Backup and Site Recovery
  • Azure Advisor

Hands-on Labs:

  • Create Log Analytics workspace
  • Set up alerts
  • Configure VM backup
  • Review Azure Advisor recommendations

Week 10: Practice Exams and Review

  • Full-length practice exams
  • Weak area review
  • Hands-on scenario practice
  • Final review of all domains

Hands-On Lab Recommendations

Free Resources

  1. Microsoft Learn Sandboxes

    • Free Azure environment for exercises
    • Accessible via Microsoft Learn modules
    • No credit card required
  2. Azure Free Account

    • $200 credit for 30 days
    • 12 months of free services
    • Always free services after trial
  3. Visual Studio Subscription

    • Monthly Azure credits ($50-150)
    • Access to Azure DevOps features
    • Developer tools

Practice Projects

Beginner Projects:

  • Deploy 3-tier web application (web/app/database)
  • Set up VNet with private subnet
  • Configure Microsoft Entra ID authentication

Intermediate Projects:

  • Deploy AKS cluster with ingress controller
  • Configure site-to-site VPN simulation
  • Implement Azure Policy compliance framework

Advanced Projects:

  • Multi-region disaster recovery setup
  • Hybrid identity architecture
  • Complex networking with hub-and-spoke

Exam Day Tips

Preparation Checklist

  • Review official skills measured
  • Complete hands-on labs
  • Take practice exams (scoring 80%+)
  • Review case study strategies
  • Check system requirements for online exam

Question Strategy

  1. Read carefully - Azure questions often have subtle details
  2. Eliminate wrong answers - Narrow down options
  3. Watch for distractors - Similar services (Blob vs. Files)
  4. Consider cost - Often the differentiating factor
  5. Mark for review - Don't spend too long on one question

Case Studies

  • Read all case information before questions
  • Take notes on key requirements
  • Questions often build on each other
  • Refer back to case details as needed

Career Impact and Next Steps

Salary Expectations

RoleAvg Salary (US)With AZ-104
Systems Administrator$70,000$85,000-95,000
Cloud Administrator$95,000$105,000-120,000
Azure Engineer$110,000$120,000-140,000
DevOps Engineer$115,000$125,000-145,000

Career Path After AZ-104

Intermediate Certifications:

  • AZ-500: Azure Security Engineer
  • AZ-700: Azure Network Engineer
  • AZ-400: Azure DevOps Engineer

Advanced Certifications:

  • AZ-305: Azure Solutions Architect
  • AZ-600: Azure Stack Hub Operator

Related Paths:

  • Cloud architecture
  • Site reliability engineering
  • Cloud security specialization
  • DevOps and automation

Conclusion

The AZ-104 Azure Administrator certification validates your ability to implement and manage Microsoft Azure environments, a skill set in high demand across virtually every industry.

The exam requires both theoretical knowledge and practical experience. You cannot pass by memorizing facts alone; you need hands-on time with Azure services, including reading a Bicep file and configuring NSGs, RBAC, and storage redundancy.

Follow the 10-week study plan, complete the recommended labs, and drill scenario-based questions against the current April 2026 blueprint. With consistent hands-on practice you'll join the ranks of certified Azure Administrators.

Start free AZ-104 practice questions →Practice questions with detailed explanations
Test Your Knowledge
Question 1 of 7

How long do candidates have to complete the AZ-104 exam?

A
60 minutes
B
100 minutes
C
120 minutes
D
180 minutes
Learn More with AI

10 free AI interactions per day

AZ-104AzureMicrosoftCloud CertificationAdministratorMicrosoft Entra IDAzure ADBicep2026

Related Articles

Stay Updated

Get free exam tips and study guides delivered to your inbox.

Free exam tips & study guides. Unsubscribe anytime.