1.2 Administrator Role and Candidate Profile

What Microsoft means by Azure administrator

The AZ-104 candidate is expected to have subject matter expertise in implementing, managing, and monitoring an organization's Microsoft Azure environment. That phrase is more important than it looks. It means the exam is not asking whether you have heard of a storage account, a virtual network, a role assignment, or an alert rule. It is asking whether you can make those resources work together under constraints.

The administrator role covers virtual networks, storage, compute, identity, security, and governance. Those areas do not stay separate in real environments. A VM question may require understanding managed disks, availability zones, network security groups, Bastion, Azure Monitor, backup policy, and role-based access control. A storage question may require firewall rules, private endpoints, lifecycle management, SAS token scope, and identity-based access for Azure Files.

Microsoft also states that candidates often work with networking, security, database, application development, and DevOps roles. That is an exam clue. AZ-104 does not require you to be the database engineer or application developer, but it expects you to administer the Azure platform around them. You might grant access to a managed identity, configure App Service networking, apply policy to a subscription, expose an internal load balancer, or diagnose why a route table sends traffic to the wrong appliance.

Tool expectations

The profile names experience with PowerShell, Azure CLI, Azure portal, Azure Resource Manager templates or Bicep files, and Microsoft Entra ID. Do not read that as a list of optional extras. The exam can describe an admin task and expect you to recognize the fastest or most appropriate control plane. The portal is useful for discovery and one-off configuration. Azure CLI and PowerShell are better for repeatable commands, automation, and scripted troubleshooting. ARM and Bicep appear when the question is about declarative deployment, template interpretation, export, conversion, or modification.

From vocabulary to operations

A vocabulary-only learner says, "An NSG filters traffic." An administrator says, "I need to inspect effective security rules on the NIC and subnet, confirm priority order, check whether an application security group is referenced, and compare that with route and load balancer behavior." That difference is the AZ-104 level. The same pattern applies everywhere. Knowing that a resource lock exists is not enough; know that a delete lock can block deletion, that a read-only lock can block management operations, and that RBAC permissions do not override a lock.

A vocabulary-only learner says, "Blob lifecycle management moves data to cool or archive." An administrator asks whether versioning, soft delete, snapshots, access tier, legal or retention settings, and access patterns support the required recovery and cost outcome. When a question says "least administrative effort" or "minimize cost," those phrases steer the answer just as much as the service name.

Candidate readiness checklist

• You can create and troubleshoot users, groups, role assignments, policy, locks, tags, and budgets.
• You can configure storage access with keys, SAS, stored access policies, identity, network rules, and private access patterns.
• You can deploy and manage VMs, scale sets, containers, App Service plans, deployment slots, custom domains, certificates, and backups.
• You can design and troubleshoot VNets, subnets, peering, public IPs, UDRs, NSGs, ASGs, Bastion, endpoints, DNS, and load balancers.
• You can configure metrics, logs, alerts, action groups, processing rules, insights, Network Watcher, backup, restore, and failover.
• You can read a Bicep or ARM fragment and predict the deployed result.

Scenario recognition

When a scenario includes "organization," think governance scope. Management groups, subscriptions, resource groups, tags, policy, and budgets are likely. When it includes "developer team," think least-privilege access, deployment repeatability, and integration with DevOps workflows. When it includes "branch office," "on-premises," or "cannot connect," think DNS, routes, NSGs, peering, endpoints, and Network Watcher.

When it includes "restore," "accidental deletion," or "ransomware," think soft delete, backup vaults, Recovery Services vaults, snapshots, versioning, and restore points. When it includes "scale," ask whether the workload is VM-based, App Service-based, container-based, or a VM scale set. When it includes "compliance," ask whether Azure Policy, locks, tags, management groups, resource graph, logs, or role assignments is the actual control.

The correct mindset is operational ownership. You are not memorizing service brochures. You are deciding which Azure control solves a requirement, which side effect it creates, and how to validate that it worked.