You’re sitting with a 689 on your first AZ-104 attempt. The score report highlights three weak spots: Virtual Networks, Identity and Access Management, and Governance. You understand the basics. You read the Microsoft docs. You still can’t connect the dots fast enough under exam pressure.
This is the exact bottleneck that stops most candidates between attempt one and pass.
Why Vnet IAM Governance Trips Everyone Up
These three topics aren’t hard individually. VNets are subnets and peering. IAM is role assignments. Governance is policy and compliance. But the exam doesn’t test them separately.
The exam tests how they work together in real deployments.
A question won’t ask, “What is a Network Security Group?” It asks: “Your company has a hub-and-spoke VNet topology. Sales department users in the spoke need to access a shared database in the hub. They need only SELECT permissions on three tables. Senior management must audit all access. Which combination of solutions meets the requirement?”
Now you need VNet design knowledge, network routing understanding, IAM role scoping, and governance monitoring. Missing one piece means you can’t eliminate wrong answers.
Most candidates study each topic in isolation. They pass practice tests on individual domains at 80%+ but fail the integrated questions. That’s why the overwhelmed feeling hits hardest in the final week.
The Specific Pattern That Causes This
AZ-104 questions follow a repeatable structure that most candidates miss:
The setup: A business requirement with multiple constraints.
The catch: One solution works for half the requirement but breaks another part.
The test: Can you spot which component is missing?
Example: “You manage Azure resources for a healthcare provider. Compliance requires that all changes to network configurations are logged and reviewed. You create a VNet with subnets for patient data. You assign the Network Contributor role to your DevOps team. Auditors report that role assignments aren’t being tracked. What must you enable?”
The trap: Candidates know the answer is Azure Activity Log or Azure Policy audit logs. But they don’t connect it to the IAM role assignment because they studied “VNet setup” and “IAM roles” separately.
The real answer requires understanding that role assignments are governance events that must be logged—not just VNet design decisions.
This pattern repeats across 40% of the exam. A question starts in one domain and ends in another.
How The Exam Actually Tests This
The Microsoft Azure Administrator (AZ-104) exam allocates roughly 15-20% of questions to networking, 20-25% to identity and access, and 15-20% to governance and compliance. But at least half of those questions are hybrid.
Here’s the structure you’ll face:
Scenario questions (4-5 minutes each): You read 60-80 words describing a real deployment. Four options. One is correct. One is a partial solution. Two are wrong.
Case studies (15-20 minutes total): You get a business case: a company migrating workloads, their compliance requirements, their team structure. Then 4-6 questions build on that case. Each question assumes you remember the constraints from the setup.
Specific example from recent exam feedback: “A financial services company uses a hub VNet for shared services and spoke VNets for business units. The compliance requirement is that any change to network security rules must be approved before deployment. The current setup uses Azure RBAC for access control but doesn’t enforce approval. Which service should be added?”
The answer is Azure Blueprints or Azure Policy with remediation tasks and role-based approval gates. But you only get there if you understand:
- How VNet segmentation works (spokes and hub).
- How RBAC controls who can make changes (IAM).
- How governance policies enforce when changes happen (approval gates).
Missing the governance layer means you pick “increase RBAC granularity”—which addresses access but not approval enforcement.
How To Recognize It Instantly
When you see a question that mentions these phrases together, stop and map the domains:
- “Compliance requires” + “network changes” = Governance + VNet
- “Role assignment” + “audit requirements” = IAM + Governance
- “Spoke VNets” + “restricted access” + “compliance” = All three
- “Least privilege” + “network isolation” = IAM + VNet together
- “Change tracking” + “access control” = Governance + IAM
The moment you spot two or three of these in one question, you’re in hybrid territory. Don’t answer based on one domain alone.
Real exam pattern: “You manage access for 200 developers across multiple subscriptions. You need to ensure that only senior engineers can create VNets, and all VNet changes must be logged. Currently, everyone with Contributor role can create VNets without oversight. What’s your solution?”
This is asking for:
- A more restrictive IAM role (governance and identity).
- A VNet creation control (governance and infrastructure).
- Logging of those actions (governance and compliance).
Answer: Custom RBAC role + Azure Policy assignment + Activity Log monitoring. If you only think “IAM,” you miss the policy enforcement part.
Practice This Before Your Exam
Stop taking full-length practice tests for two days. Instead:
Exercise 1 (30 minutes): Take 10 scenario questions from your practice test. For each one, write down which domains it touches. Don’t answer yet. Just identify the pattern. If you get more than 2 wrong in this mapping phase, you’re not recognizing hybrid questions.
Exercise 2 (45 minutes): Pick one Azure case study (Microsoft Learn has free ones). Read it once. Then answer these before looking at questions:
- What VNet design is described?
- What IAM constraints are mentioned?
- What compliance or audit requirements exist? Write bullet points. This forces you to extract the multi-domain context before the exam pressures you.
Exercise 3 (30 minutes): Go back to your failed attempt’s score report. Find the questions you got wrong. Reread them. For each one, identify which domain answer choice you picked and which domain the correct answer was in. You’ll see your blind spot immediately.
Exercise 4 (practice test, full): Take one more full-length practice test. This time, when you hit a scenario, pause and label the domains before selecting an answer. Slow down on these. Speed is not your problem—pattern recognition is.
Next Action Right Now
Open your practice test platform. Find one scenario question in the governance section. Read it. Before you answer, write down: (1) Is this about VNet design, IAM, governance, or a mix? (2) What constraint would I miss if I ignored one domain?
Do that now. Do it for five questions. You’ll either spot the pattern or you’ll be stuck on the same bottleneck for your retake.