What is the AZ-104 exam?

The AZ-104: Microsoft Azure Administrator Associate exam certifies your ability to implement, manage, and monitor an organization's Microsoft Azure environment. It covers managing Azure subscriptions, implementing storage solutions, configuring virtual networking, managing identities with Azure AD, and monitoring resources. The exam has 40-60 questions and takes 120 minutes.

What is the difference between AZ-104 and AZ-103?

AZ-104 replaced AZ-103 in April 2020. Key differences: AZ-104 places greater emphasis on Azure AD governance, role-based access control (RBAC), Azure Policy, and security features. The compute section was reorganized to focus more on containerization (AKS, ACI). AZ-104 removed some legacy content and added newer services like Azure Bastion and Azure Private Link. If you passed AZ-103, your certification is still valid for one year from the passing date.

How much does the AZ-104 exam cost?

The AZ-104 exam costs $165 USD in the United States. Prices vary by country due to local currency exchange rates and taxes. Some countries offer significant discounts (e.g., India is approximately $55 USD). Microsoft occasionally offers discounted exam vouchers through training providers or during promotional periods. The exam fee includes one attempt; retakes require additional payment.

What is the passing score for AZ-104?

Microsoft does not publish the exact passing score for AZ-104, but it is generally understood to be 700 out of 1000 (70%). The exam uses scaled scoring, and the difficulty of questions varies. Some questions may be worth more than others depending on complexity. You receive a pass/fail result immediately after the exam, with a breakdown of performance by skill area.

How hard is the AZ-104 exam?

AZ-104 is considered a moderately difficult exam. It requires both theoretical knowledge and hands-on experience. Candidates report that the most challenging areas are: Azure AD conditional access policies, network security configuration (NSGs, ASGs), role-based access control (RBAC) scenarios, and troubleshooting scenarios. The exam tests practical skills through case studies, build lists, and scenario-based questions. Average preparation time is 2-3 months with 10-15 hours of study per week.

What is the best way to prepare for AZ-104?

The best AZ-104 preparation combines: 1) Microsoft Learn free learning paths (official source), 2) Hands-on labs in Azure sandbox or personal subscription ($200 free credit for new accounts), 3) Practice exams from reputable providers (MeasureUp, Whizlabs), 4) Video courses (Pluralsight, A Cloud Guru, Udemy), 5) Building real projects (deploy VMs, configure networks, set up Azure AD). Practical experience is essential—purely theoretical study is insufficient.

AZ-104 Certification Guide 2026: Azure Administrator FREE

Why AZ-104 Remains the Foundation Cloud Certification in 2026

In an era where multi-cloud strategies dominate enterprise architecture and Azure holds 23% of the cloud market, the Microsoft Certified: Azure Administrator Associate (AZ-104) remains one of the most valuable certifications for IT professionals.

Unlike entry-level certifications that test vocabulary, AZ-104 validates that you can actually manage Azure environments. When you pass, employers know you can configure virtual networks, secure identities, deploy compute resources, and troubleshoot real infrastructure problems.

This guide covers everything you need to pass AZ-104 in 2026, including the exam format, skills measured, hands-on lab recommendations, and a 10-week study plan.

free cloud certification questionsPractice questions with detailed explanations

AZ-104 Exam Overview

Quick Facts

Component	Details
Exam Code	AZ-104
Questions	40-60
Duration	120 minutes
Passing Score	~700/1000 (estimated)
Cost	$165 USD
Format	Multiple choice, case studies, build lists
Validity	1 year (renewal required)
Prerequisites	None (experience recommended)

Skills Measured Breakdown

Domain	Weight	Key Topics
Manage Azure AD and Governance	15-20%	Users, groups, RBAC, Azure Policy, subscriptions
Implement and Manage Storage	15-20%	Blob, Files, Tables, Queues, backup, replication
Deploy and Manage Compute	20-25%	VMs, VMSS, App Service, AKS, ACI, Functions
Configure and Manage Virtual Networking	20-25%	VNets, NSGs, VPN Gateway, ExpressRoute, Private Link
Monitor and Maintain Resources	10-15%	Monitor, Log Analytics, Alerts, Backup, Site Recovery

Domain 1: Manage Azure Identities and Governance (15-20%)

Azure Active Directory

Core Concepts:

Tenants: Each Azure AD instance is a tenant
Users: Cloud-only vs. synchronized from on-prem AD
Groups: Security groups vs. Microsoft 365 groups
Licenses: Free, P1, P2 tiers with different features

Key Configuration Tasks:

Create and manage users (portal, CLI, PowerShell)
Configure group membership and owners
Assign licenses to users and groups
Configure external identities (B2B collaboration)
Manage password resets and self-service

Role-Based Access Control (RBAC)

Built-in Roles (Know These):

Owner: Full access including permissions management
Contributor: Full access except permissions
Reader: View all resources but cannot modify
User Access Administrator: Manage user access to resources

Role Assignment Components:

Security Principal: User, group, service principal, managed identity
Role Definition: Collection of permissions
Scope: Resource, resource group, subscription, management group

Custom Roles:

Create with JSON role definition
Use Azure CLI or PowerShell
Cannot assign at tenant root level

Azure Policy

Policy Types:

Built-in policies: Pre-created by Microsoft
Custom policies: JSON definitions you create

Common Use Cases:

Enforce tagging requirements
Restrict VM sizes
Require SQL encryption
Audit compliance

Policy vs. RBAC:

RBAC: Controls what you CAN do (authorization)
Policy: Controls what you MUST do (compliance)

Governance Tools

Azure Blueprints:

Deploy consistent environments
Include ARM templates, policies, RBAC assignments
Subscription-level deployment

Management Groups:

Organize subscriptions hierarchically
Apply policies/RBAC at scale
Up to 10,000 management groups per tenant

Resource Locks:

CanNotDelete: Prevent deletion
ReadOnly: Prevent modification
Apply at subscription, resource group, or resource level

Domain 2: Implement and Manage Storage (15-20%)

Azure Storage Account Types

Type	Use Case	Redundancy
Standard (GPv2)	General purpose	LRS, ZRS, GRS, GZRS
Premium (Block Blobs)	Low latency apps	LRS, ZRS
Premium (File Shares)	High-performance file shares	LRS, ZRS
Premium (Page Blobs)	Premium SSD disks	LRS, ZRS

Blob Storage

Access Tiers:

Hot: Frequently accessed (highest storage cost, lowest access cost)
Cool: Infrequently accessed (30+ days storage)
Cold: Rarely accessed (90+ days storage)
Archive: Rarely accessed (180+ days, hours retrieval)

Security:

Shared Access Signatures (SAS): Time-limited access tokens
Azure AD authentication: RBAC for blob access
Encryption: Always encrypted at rest (Microsoft-managed or CMK)

Key Operations:

Upload/download blobs (portal, CLI, SDK)
Configure blob lifecycle policies
Enable blob versioning
Configure soft delete (7-365 days)
Configure immutability policies

Azure Files

Use Cases:

Lift-and-shift applications
Shared application configuration
Diagnostics and logs
Development/test environments

Key Features:

SMB and NFS protocols
Azure AD Domain Services integration
Hybrid access via File Sync
Snapshots for point-in-time recovery

File Sync:

Cache Azure file shares on Windows Server
Tiering (cloud vs. local)
Sync groups for multi-server scenarios

Storage Security and Management

Networking:

Private endpoints for secure access
Service endpoints (legacy approach)
Firewall rules and virtual network rules

Monitoring:

Storage Analytics metrics
Diagnostic logging
Capacity and transaction monitoring

Domain 3: Deploy and Manage Azure Compute Resources (20-25%)

Virtual Machines

VM Sizes (Know the Families):

A-series: Entry-level, dev/test
B-series: Burstable, cost-effective
D-series: General purpose, balanced
E-series: Memory optimized
F-series: Compute optimized
H-series: High performance computing
L-series: Storage optimized
M-series: Memory optimized (large)

Disk Types:

Ultra Disk: Sub-millisecond latency, configurable performance
Premium SSD: High performance, production workloads
Standard SSD: Consistent performance, lower cost
Standard HDD: Lowest cost, dev/test acceptable

Availability Options:

Availability Sets: 2+ fault domains, 5 update domains
Availability Zones: Physically separate datacenters
Virtual Machine Scale Sets: Auto-scaling groups

Configuration Tasks:

Deploy VMs (portal, CLI, ARM templates)
Configure extensions (custom script, DSC, etc.)
Configure disk encryption (Azure Disk Encryption)
Configure networking (VNet, NSG, public IP)
Configure monitoring and diagnostics

App Service

App Types:

Web Apps
API Apps
WebJobs (background tasks)
Mobile Apps (legacy)

Deployment Options:

Git/GitHub integration
Azure DevOps
Container registry
ZIP deploy
FTP

Scaling:

Scale up: Change to larger App Service plan
Scale out: Increase instance count (auto-scale supported)

Key Features:

Deployment slots (staging/production)
Custom domains and SSL
Authentication/Authorization (Easy Auth)
Hybrid connections
VNet integration

Container Services

Azure Kubernetes Service (AKS):

Managed Kubernetes control plane
Node pools and cluster autoscaler
Azure AD integration
Container networking policies

Azure Container Instances (ACI):

Serverless containers
No orchestration complexity
Fast startup times
Per-second billing

Azure Container Registry (ACR):

Private Docker registry
Geo-replication
Content trust and signing
Tasks for automated builds

Azure Functions

Hosting Plans:

Consumption: Serverless, pay-per-execution
Premium: Pre-warmed workers, VNet integration
App Service Plan: Run on dedicated VMs

Triggers and Bindings:

HTTP triggers (REST APIs)
Timer triggers (scheduled tasks)
Queue/Topic triggers (message processing)
Blob triggers (file processing)
Event Grid/Event Hub triggers

Domain 4: Configure and Manage Virtual Networking (20-25%)

Virtual Networks (VNets)

Address Space:

Use private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Plan for growth (avoid small subnets)
No overlapping address spaces in peering

Subnets:

Segregate by workload type
Reserve gateway subnet for VPN/ExpressRoute
Use NSGs at subnet level

VNet Peering:

Connect VNets (same or different regions)
Transitive routing limitations
Gateway transit for shared connectivity

Network Security

Network Security Groups (NSGs):

Filter traffic at subnet and NIC levels
Default rules (allow VNet, allow Azure LB, deny all inbound)
Custom rules with priority (100-4096)
Stateful inspection

Application Security Groups (ASGs):

Group VMs by application role
Reference ASGs in NSG rules instead of IP addresses
Simplify security rule management

Azure Firewall:

Managed firewall as a service
Threat intelligence integration
SNAT/DNAT capabilities
Hub-and-spoke architecture support

Connectivity Options

VPN Gateway:

Site-to-site (S2S) VPN
Point-to-site (P2S) VPN
VNet-to-VNet VPN
Gateway SKUs (Basic, VpnGw1-5)

ExpressRoute:

Private connection to Azure (not over internet)
Layer 3 connectivity via partner
Higher bandwidth, lower latency than VPN
More expensive than VPN

Azure Private Link:

Private connectivity to PaaS services
Bypass public internet
Private Endpoint for resource access
Private Link Service for your own services

Load Balancing

Azure Load Balancer:

Layer 4 (TCP/UDP) load balancing
Public and internal SKUs
Health probes for backend monitoring
Distribution modes (hash-based, source IP affinity)

Azure Application Gateway:

Layer 7 (HTTP/HTTPS) load balancing
Web Application Firewall (WAF)
SSL termination
URL-based routing
Session affinity

Azure Front Door:

Global load balancing
CDN capabilities
WAF at edge
Dynamic site acceleration

Azure Traffic Manager:

DNS-based traffic routing
Geographic routing
Performance routing
Failover routing

Domain 5: Monitor and Maintain Azure Resources (10-15%)

Azure Monitor

Components:

Metrics: Numerical data (performance counters)
Logs: Structured and unstructured log data
Alerts: Proactive notifications
Workbooks: Interactive reports
Insights: Pre-built monitoring for specific services

Log Analytics Workspace:

Central log repository
KQL (Kusto Query Language) for queries
Retention configuration (30-730 days)
Pricing tiers

Application Insights:

Application Performance Monitoring (APM)
Distributed tracing
Exception tracking
Availability tests

Backup and Recovery

Azure Backup:

VM backup (app-consistent)
File/folder backup (MARS agent)
SQL Server in VM backup
SAP HANA backup
Soft delete protection

Azure Site Recovery:

Disaster recovery for VMs
On-prem to Azure replication
Azure region-to-region replication
Recovery plans for orchestrated failover

Configuration Tasks:

Configure backup policies
Perform test restores
Configure retention policies
Set up replication

Resource Optimization

Azure Advisor:

Cost recommendations
Security recommendations
High availability recommendations
Performance recommendations
Operational excellence recommendations

Cost Management:

Budgets and alerts
Cost analysis
Reserved instance recommendations
Tagging for chargeback

10-Week AZ-104 Study Plan

Weeks 1-2: Azure Fundamentals

Week 1: Azure AD and Identity

Azure AD fundamentals
User and group management
RBAC concepts and implementation
Azure Policy basics

Hands-on Labs:

Create Azure AD users and groups
Assign RBAC roles at different scopes
Create and apply Azure Policy

Week 2: Governance and Subscription Management

Subscription types and billing
Management groups
Resource locks
Cost management and tagging

Weeks 3-4: Storage and Networking

Week 3: Azure Storage

Storage account types and configuration
Blob storage tiers
Azure Files and File Sync
Storage security (SAS, encryption)

Hands-on Labs:

Create storage accounts with different redundancy
Upload blobs and configure lifecycle policies
Set up Azure Files share
Generate and test SAS tokens

Week 4: Virtual Networking

VNet and subnet design
NSG configuration
VNet peering
Private endpoints

Hands-on Labs:

Create VNet with multiple subnets
Configure NSG rules
Set up VNet peering between two VNets
Configure private endpoint for storage

Weeks 5-6: Compute Resources

Week 5: Virtual Machines

VM deployment and sizing
Disk types and configuration
Availability Sets and Zones
VM extensions

Hands-on Labs:

Deploy VMs in Availability Set
Configure managed disks
Set up VM extensions
Configure VM monitoring

Week 6: App Service and Containers

App Service plans and deployment
Container services (AKS, ACI)
Azure Functions

Hands-on Labs:

Deploy web app from GitHub
Create AKS cluster and deploy application
Deploy container to ACI
Create Azure Function with HTTP trigger

Weeks 7-8: Advanced Networking and Security

Week 7: Advanced Networking

Load balancing options
VPN Gateway configuration
ExpressRoute concepts
Azure Firewall

Hands-on Labs:

Configure Load Balancer
Set up VPN Gateway
Configure Azure Firewall

Week 8: Security and Compliance

Azure Security Center/Defender
Azure Key Vault
Azure AD conditional access
Encryption at rest and in transit

Weeks 9-10: Monitoring and Final Prep

Week 9: Monitoring and Maintenance

Azure Monitor and Log Analytics
Alerts and action groups
Backup and Site Recovery
Azure Advisor

Hands-on Labs:

Create Log Analytics workspace
Set up alerts
Configure VM backup
Review Azure Advisor recommendations

Week 10: Practice Exams and Review

Full-length practice exams
Weak area review
Hands-on scenario practice
Final review of all domains

Hands-On Lab Recommendations

Free Resources

Microsoft Learn Sandboxes
- Free Azure environment for exercises
- Accessible via Microsoft Learn modules
- No credit card required
Azure Free Account
- $200 credit for 30 days
- 12 months of free services
- Always free services after trial
Visual Studio Subscription
- Monthly Azure credits ($50-150)
- Access to Azure DevOps features
- Developer tools

Practice Projects

Beginner Projects:

Deploy 3-tier web application (web/app/database)
Set up VNet with private subnet
Configure Azure AD authentication

Intermediate Projects:

Deploy AKS cluster with ingress controller
Configure site-to-site VPN simulation
Implement Azure Policy compliance framework

Advanced Projects:

Multi-region disaster recovery setup
Hybrid identity architecture
Complex networking with hub-and-spoke

Exam Day Tips

Preparation Checklist

Review official skills measured
Complete hands-on labs
Take practice exams (scoring 80%+)
Review case study strategies
Check system requirements for online exam

Question Strategy

Read carefully - Azure questions often have subtle details
Eliminate wrong answers - Narrow down options
Watch for distractors - Similar services (Blob vs. Files)
Consider cost - Often the differentiating factor
Mark for review - Don't spend too long on one question

Case Studies

Read all case information before questions
Take notes on key requirements
Questions often build on each other
Refer back to case details as needed

Career Impact and Next Steps

Salary Expectations

Role	Avg Salary (US)	With AZ-104
Systems Administrator	$70,000	$85,000-95,000
Cloud Administrator	$95,000	$105,000-120,000
Azure Engineer	$110,000	$120,000-140,000
DevOps Engineer	$115,000	$125,000-145,000

Career Path After AZ-104

Intermediate Certifications:

AZ-500: Azure Security Engineer
AZ-700: Azure Network Engineer
AZ-400: Azure DevOps Engineer

Advanced Certifications:

AZ-305: Azure Solutions Architect
AZ-600: Azure Stack Hub Operator

Related Paths:

Cloud architecture
Site reliability engineering
Cloud security specialization
DevOps and automation

Conclusion

The AZ-104 Azure Administrator certification validates your ability to implement and manage Microsoft Azure environments—a skill set in high demand across virtually every industry.

The exam requires both theoretical knowledge and practical experience. You cannot pass by memorizing facts alone; you need hands-on time with Azure services.

Follow the 10-week study plan, complete the recommended labs, and practice with scenario-based questions. With dedication and hands-on experience, you'll join the ranks of certified Azure Administrators.

Start Free Cloud Certification Practice →Practice questions with detailed explanations

✓Key Facts

Why AZ-104 Remains the Foundation Cloud Certification in 2026

AZ-104 Exam Overview

Quick Facts

Skills Measured Breakdown

Domain 1: Manage Azure Identities and Governance (15-20%)

Azure Active Directory

Role-Based Access Control (RBAC)

Azure Policy

Governance Tools

Domain 2: Implement and Manage Storage (15-20%)

Azure Storage Account Types

Blob Storage

Azure Files

Storage Security and Management

Domain 3: Deploy and Manage Azure Compute Resources (20-25%)

Virtual Machines

App Service

Container Services

Azure Functions

Domain 4: Configure and Manage Virtual Networking (20-25%)

Virtual Networks (VNets)

Network Security

Connectivity Options

Load Balancing

Domain 5: Monitor and Maintain Azure Resources (10-15%)

Azure Monitor

Backup and Recovery

Resource Optimization

10-Week AZ-104 Study Plan

Weeks 1-2: Azure Fundamentals

Weeks 3-4: Storage and Networking

Weeks 5-6: Compute Resources

Weeks 7-8: Advanced Networking and Security

Weeks 9-10: Monitoring and Final Prep

Hands-On Lab Recommendations

Free Resources

Practice Projects

Exam Day Tips

Preparation Checklist

Question Strategy

Case Studies

Career Impact and Next Steps

Salary Expectations

Career Path After AZ-104

Conclusion

Free Study Resources

az-104

Related Articles

Series 79 in 2026: The Deal Execution Grid That Fixes Low Mock Scores Fast

Series 22 in 2026: DPP Suitability and Tax Traps Most Candidates Miss

Series 10 in 2026: Supervisor Escalation System for Complex Branch Scenarios

Stay Updated