AZ-104: Microsoft Azure Administrator

Exam Quick Facts

Official Learning Paths

1. 📘 Manage Azure identities and governance — Entra ID, RBAC, subscriptions, policies
2. 📘 Implement and manage storage — Storage accounts, blobs, files, access controls
3. 📘 Deploy and manage compute resources — VMs, containers, App Service, ARM/Bicep
4. 📘 Implement and manage virtual networking — VNets, NSGs, load balancers, DNS
5. 📘 Monitor and maintain Azure resources — Azure Monitor, backup, Site Recovery

📖 Study Resources

Skills at a Glance

Who is this exam for?

The AZ-104 is the go-to certification for Azure administrators — the people who deploy, manage, and monitor an organisation’s Azure environment day-to-day. Unlike the AZ-900 (which is conceptual), the AZ-104 is hands-on and expects you to know how to actually do things in the Azure portal, CLI, and PowerShell.

You should have experience with operating systems, networking, servers, and virtualisation, plus familiarity with PowerShell, Azure CLI, ARM templates or Bicep, and the Azure portal. This exam was last updated on April 17, 2026 — make sure your study materials reflect the latest objectives.

💡 Tip: This exam includes lab-based questions where you perform tasks in a live Azure environment. Practice in the Azure portal and with the GitHub labs — reading alone won’t be enough.

Skills Measured — with Microsoft Learn Links

Manage Azure identities and governance (20–25%)

This domain covers identity management through Microsoft Entra ID and governance through Azure Policy, RBAC, and subscriptions. You need to know how to create and manage users and groups, assign roles at different scopes, and enforce organisational policies.

Manage Microsoft Entra users and groups

Creating and managing users and groups is the foundation of identity management in Azure. You’ll need to know how to create cloud users, manage properties, handle licensing, work with external (guest) users, and configure self-service password reset.

• Create users and groups
• Manage user and group properties
• Manage licenses in Microsoft Entra ID
• Manage external users
• Configure self-service password reset (SSPR)

Manage access to Azure resources

RBAC (Role-Based Access Control) determines who can do what on which Azure resources. Understanding built-in roles (Owner, Contributor, Reader), how role assignments work at different scopes (management group → subscription → resource group → resource), and how to interpret effective permissions is critical.

• Manage built-in Azure roles
• Assign roles at different scopes
• Interpret access assignments

Manage Azure subscriptions and governance

Governance ensures your Azure environment stays organised, compliant, and cost-effective. Azure Policy enforces rules, resource locks prevent accidental changes, tags help you organise and track costs, and management groups let you manage policies across multiple subscriptions.

• Implement and manage Azure Policy
• Configure resource locks
• Apply and manage tags on resources
• Manage resource groups
• Manage subscriptions
• Manage costs by using alerts, budgets, and Azure Advisor recommendations
• Configure management groups

Implement and manage storage (15–20%)

Azure Storage is where your data lives. This domain covers configuring access controls (firewalls, SAS tokens, access keys), creating and managing storage accounts, and working with Azure Files and Blob Storage. You need hands-on experience with storage configuration — this domain is very practical.

Configure access to storage

Securing access to storage is critical. Azure Storage firewalls and virtual network rules restrict who can reach your data, SAS tokens provide time-limited access, and access keys give full control. Know the difference and when to use each approach.

• Configure Azure Storage firewalls and virtual networks
• Create and use shared access signature (SAS) tokens
• Configure stored access policies
• Manage access keys
• Configure identity-based access for Azure Files

Configure and manage storage accounts

• Create and configure storage accounts
• Configure Azure Storage redundancy
• Configure object replication
• Configure storage account encryption
• Manage data by using Azure Storage Explorer and AzCopy

Configure Azure Files and Azure Blob Storage

Azure Files provides fully managed file shares (think network drives in the cloud), while Blob Storage handles unstructured data like images, backups, and logs. Know how to configure tiers (Hot, Cool, Cold, Archive), lifecycle management policies, soft delete, snapshots, and versioning.

• Create and configure a file share in Azure Files
• Create and configure a container in Azure Blob Storage
• Configure storage tiers
• Configure soft delete for blobs and containers
• Configure snapshots and soft delete for Azure Files
• Configure blob lifecycle management
• Configure blob versioning

Deploy and manage Azure compute resources (20–25%)

This is one of the two largest domains. It covers everything from ARM templates and Bicep files (infrastructure as code) to virtual machines, containers (Container Instances, Container Apps, Container Registry), and App Service. Expect both conceptual and hands-on lab questions here.

Automate deployment of resources by using ARM templates or Bicep files

Infrastructure as code (IaC) lets you define your resources in a template file and deploy them consistently. ARM templates use JSON, Bicep uses a cleaner syntax that compiles to ARM. You need to be able to read, modify, and deploy both.

• Interpret an Azure Resource Manager template or a Bicep file
• Modify an existing Azure Resource Manager template
• Modify an existing Bicep file
• Deploy resources by using an ARM template or a Bicep file
• Export a deployment as an ARM template or convert to Bicep

Create and configure virtual machines

VMs are still a core Azure service. You need to know how to create them, manage sizes and disks, configure encryption, deploy to availability zones and sets, work with Scale Sets, and move VMs between resource groups or regions.

• Create a virtual machine
• Configure encryption at host for Azure virtual machines
• Move a virtual machine to another resource group, subscription, or region
• Manage virtual machine sizes
• Manage virtual machine disks
• Deploy virtual machines to availability zones and availability sets
• Deploy and configure an Azure Virtual Machine Scale Sets

Provision and manage containers in the Azure portal

Containers are lightweight alternatives to VMs. Azure Container Registry stores container images, Container Instances runs single containers without managing servers, and Container Apps provides a managed platform for microservices. Know when to use each.

• Create and manage an Azure Container Registry
• Provision a container by using Azure Container Instances
• Provision a container by using Azure Container Apps
• Manage sizing and scaling for containers

Create and configure Azure App Service

App Service is Azure’s managed platform for hosting web apps, APIs, and mobile backends. You need to know how to create App Service plans, configure scaling, set up custom domains and SSL/TLS certificates, configure deployment slots (for blue-green deployments), and manage backups.

• Provision an App Service plan
• Configure scaling for an App Service plan
• Create an App Service
• Configure certificates and TLS for an App Service
• Map an existing custom DNS name to an App Service
• Configure backup for an App Service
• Configure networking settings for an App Service
• Configure deployment slots for an App Service

Implement and manage virtual networking (15–20%)

Networking connects everything in Azure. This domain covers creating and managing VNets and subnets, securing traffic with NSGs, configuring DNS, load balancing, and setting up secure access methods like Azure Bastion and private endpoints. Practice these skills in the portal — networking questions are often scenario-based.

Configure and manage virtual networks in Azure

• Create and configure virtual networks and subnets
• Create and configure virtual network peering
• Configure public IP addresses
• Configure user-defined routes
• Troubleshoot network connectivity

Configure secure access to virtual networks

NSGs filter traffic to and from Azure resources using rules based on source/destination, port, and protocol. Application security groups let you group VMs logically. Private endpoints and service endpoints provide secure, private connectivity to Azure PaaS services without going over the public internet.

• Create and configure NSGs and application security groups
• Evaluate effective security rules in NSGs
• Implement Azure Bastion
• Configure service endpoints for Azure PaaS
• Configure private endpoints for Azure PaaS

Configure name resolution and load balancing

Azure DNS lets you host your DNS zones in Azure. Load balancers distribute traffic across multiple backend instances — Azure Load Balancer for L4 (TCP/UDP) and Application Gateway for L7 (HTTP/HTTPS). Know how to create, configure, and troubleshoot both.

• Configure Azure DNS
• Configure an internal or public load balancer
• Troubleshoot load balancing

Monitor and maintain Azure resources (10–15%)

This is the smallest domain but still critical. It covers Azure Monitor (metrics, logs, alerts), monitoring specific resource types, Network Watcher, and backup/recovery with Azure Backup and Site Recovery. Don’t underestimate this domain — scenario questions on alerts and backup policies are common.

Monitor resources in Azure

Azure Monitor is the central platform for observability in Azure. You can view metrics, query logs using KQL, set up alert rules, and use Azure Monitor Insights for specialised views of VMs, storage, and networks. Network Watcher helps diagnose connectivity issues.

• Interpret metrics in Azure Monitor
• Configure log settings in Azure Monitor
• Query and analyze logs in Azure Monitor
• Set up alert rules, action groups, and alert processing rules
• Configure and interpret monitoring of VMs, storage, and networks
• Use Azure Network Watcher and Connection Monitor

Implement backup and recovery

Azure Backup protects your data from accidental deletion and corruption. Site Recovery provides disaster recovery by replicating VMs to a secondary region. You need to know how to create vaults, configure backup policies, perform restores, and set up failover scenarios.

• Create a Recovery Services vault
• Create an Azure Backup vault
• Create and configure a backup policy
• Perform backup and restore operations by using Azure Backup
• Configure Azure Site Recovery for Azure resources
• Perform a failover to a secondary region by using Site Recovery
• Configure and interpret reports and alerts for backups

Quick Links

• 📝 Official Exam Page
• 📖 Microsoft Study Guide
• 🎯 Practice Assessment
• 🧪 Hands-on Labs