Limited time: Get 2 months free with annual plan — Claim offer →
Certifications Tools Flashcards Career Paths Exam Guides Blog Pricing
Start for free
Exam GuidesMicrosoftAZ-104
MicrosoftAssociate Level2026 Updated

Microsoft Azure Administrator

Updated May 1, 202612 min readWritten by Certsqill experts
Quick facts — AZ-104
Exam cost
$165
Questions
40-60 items
Time limit
130 minutes
Passing score
700/1000
Valid for
1 year (renew annually free)
Testing
Pearson VUE

Who this exam is for

The Microsoft Azure Administrator certification is designed for professionals who work with or want to work with Microsoft technologies in a professional capacity. It is taken by cloud engineers, DevOps practitioners, IT administrators, and technical professionals looking to validate their expertise.

You do not need extensive prior experience to attempt it, but you will benefit from hands-on familiarity with the subject matter. The exam tests applied knowledge and architectural judgment, not just memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The AZ-104 exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

Domain
Weight
Focus areas
Manage Azure Identities & Governance
15-20%
Microsoft Entra ID users/groups, RBAC roles and scope inheritance, Azure Policy, Management Groups, subscriptions, resource locks, and cost management.
Implement & Manage Storage
15-20%
Storage account types and performance tiers, blob access tiers (Hot/Cool/Archive), lifecycle management policies, Azure Files/File Sync, storage security (SAS tokens, access keys, private endpoints), and AzCopy.
Deploy & Manage Azure Compute Resources
20-25%
VM deployment and configuration, VM scale sets, availability sets vs availability zones, Azure App Service plans and deployment slots, Azure Container Instances, Azure Kubernetes Service basics.
Implement & Manage Virtual Networking
15-20%
VNet design and subnets, NSGs and Application Security Groups, Azure DNS (public and private zones), VNet peering, VPN gateways (Basic/VpnGw1), Azure Bastion, Private Endpoints, Load Balancer vs Application Gateway.
Monitor & Maintain Azure Resources
10-15%
Azure Monitor metrics and logs, Log Analytics workspaces, diagnostic settings, alert rules, Azure Backup and Recovery Services vaults, Azure Site Recovery basics for VM replication.

Note the domain with the highest weight — many candidates under-invest here because it feels conceptual. In practice, this is where the exam is most precise, with scenario-based questions that test specifics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

RBAC Scope & Inheritance
A user is assigned the Reader role at the subscription level and the Contributor role at a specific resource group. What is their effective access to resources in that resource group?
RBAC is additive — the most permissive role at the most specific scope wins. Deny assignments override allows only when explicit deny assignments exist (rare, usually Azure Blueprints).
Networking Troubleshooting
A VM cannot communicate with the internet. The VM has a public IP, the NSG allows outbound traffic on port 443, but traffic is still blocked. What should you check next?
Tests layered networking — NSG on NIC vs NSG on subnet, effective routes, User Defined Routes, and Azure Firewall if deployed in the VNet hub.
Storage Configuration
Which storage redundancy option replicates data synchronously across three availability zones within a single region and also supports geo-failover to a secondary region?
GZRS (Geo-zone-redundant storage) — zone-redundant in primary region AND geo-replicated. Know all six options: LRS, ZRS, GRS, GZRS, RA-GRS, RA-GZRS.

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

W1
Week 1: Identity, Governance & Storage
  • Study Microsoft Entra ID: user creation, bulk import, group types (assigned vs dynamic), guest B2B users, domain join
  • Master RBAC: built-in roles (Owner/Contributor/Reader/User Access Administrator), custom roles via JSON, scope levels from management group down to resource
  • Learn Azure Policy: policy definitions, initiative assignments, compliance evaluation triggers, and remediation tasks for non-compliant resources
  • Study storage accounts: performance tiers (Standard vs Premium), redundancy options, access tiers, blob lifecycle management policies, and AzCopy commands
W2
Week 2: Compute Resources
  • Deploy and configure VMs: sizes, managed disk types (Standard HDD/SSD, Premium SSD, Ultra Disk), extensions, custom script extension for post-deployment config
  • Study VM Scale Sets: scaling policies (manual/custom/scheduled), health probes, automatic repair, update domains vs fault domains
  • Learn App Service: plan tiers (Free/Basic/Standard/Premium/Isolated), deployment slots, swap operations, auto-scaling rules, custom domains with TLS
  • Practice ARM templates and Bicep: parameters, variables, outputs, complete vs incremental deployment modes, deployment using CLI
W3
Week 3: Networking Deep Dive
  • Design VNets: address spaces, subnet planning, subnet delegation (AKS, App Service), service endpoints vs private endpoints
  • Master NSGs: inbound/outbound rules, priority ordering (lowest number = highest priority), default rules, effective security rules tool per NIC
  • Study load balancing options: Azure Load Balancer (L4, external/internal SKUs), Application Gateway (L7, WAF, path-based routing), Traffic Manager (DNS-based global)
  • Learn VNet peering (local and global), VPN Gateway SKUs (Basic vs VpnGw1-5), ExpressRoute vs VPN trade-offs, Azure Bastion deployment for secure RDP/SSH
W4
Week 4: Monitoring, Backup & Mock Exams
  • Configure Azure Monitor: create diagnostic settings, build metric alerts, write basic KQL queries (where, project, summarize, order by) in Log Analytics
  • Set up Azure Backup: create Recovery Services vault, configure VM backup policies (frequency, retention), practice file/folder recovery and VM restore
  • Study Azure Site Recovery: configure replication for Azure VMs, understand replication policies, test failover vs planned failover vs unplanned failover
  • Take 3+ full mock exams under timed conditions; identify weakest domains; re-study NSG effective rules and RBAC scenarios specifically

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Weak on RBAC scope and inheritance
RBAC appears in multiple questions across domains. Candidates confuse Management Group vs Subscription vs Resource Group scope. Key rule: permissions inherit downward and are additive. The Owner at subscription level has Owner rights to all child resource groups and resources.
Confusing NSG vs Azure Firewall vs Application Gateway
NSGs filter traffic at the NIC/subnet level using 5-tuple rules (L3/L4). Azure Firewall is a managed, stateful firewall for centralized hub-spoke architectures with FQDN filtering. Application Gateway is an L7 load balancer with integrated WAF. These have distinct use cases and are not interchangeable.
Not understanding storage account tiers and redundancy
Candidates blur Hot/Cool/Archive (access tiers affecting cost and retrieval latency for blobs) with LRS/ZRS/GRS/GZRS (replication options for durability and availability). These are completely independent settings. Archive tier has retrieval latency of hours, making it unsuitable for frequently accessed data.
Ignoring the monitoring and backup domain
Though only 10-15% of the exam, backup and monitoring questions are consistently present and frequently failed. Know the difference between Recovery Services vault (for VM backup and Site Recovery) and Backup vault (for newer resource types like managed disks and blobs). Understand basic KQL query syntax.

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.

Ready to start practicing?
920 AZ-104 questions. AI tutor. 7 mock exams. 7-day free trial.

Related Articles for AZ-104

azure
How to Study for AZ-104 in 14 Days: The Two-Week Prep Plan
May 9, 2026 13 min read
azure
How to Study for AZ-104 in 30 Days: Full Preparation Plan (2026)
May 9, 2026 14 min read
azure
How to Study for AZ-104 in 7 Days: A Realistic Sprint Plan
May 9, 2026 14 min read
Browse all articles