How to Pass the Azure Administrator (AZ-104) Exam: Study Guide 2026

The Azure Administrator Associate (AZ-104) is the most important certification in the Azure ecosystem. It is the bridge between fundamentals and expert-level certifications, the prerequisite for the Solutions Architect Expert (AZ-305), and one of the most requested certifications in job postings for cloud roles.

The AZ-104 tests real, hands-on knowledge. Unlike the AZ-900 which tests conceptual understanding, the AZ-104 expects you to know how to actually configure, manage, and troubleshoot Azure resources. This guide covers every domain in depth, provides hands-on lab guidance using the Azure free tier, and gives you a structured 6-week study plan.

Exam Overview

The AZ-104 exam has 40-60 questions and you get 100 minutes. You need a score of 700 out of 1000 to pass. The exam costs $165 USD.

The exam may include a hands-on lab section where you perform tasks in a live Azure environment. Not every exam instance includes labs, but you should be prepared for them.

Microsoft recommends at least six months of hands-on experience managing Azure resources. If you hold the AZ-900, you have a head start on the concepts, but the AZ-104 goes significantly deeper.

Setting Up Your Lab Environment

Hands-on practice is non-negotiable for the AZ-104. You cannot pass this exam by reading documentation alone.

Azure free account: Sign up for an Azure free account at azure.microsoft.com/free. You get $200 in credit for 30 days, plus 12 months of free services and always-free services. This is enough to practice everything on the AZ-104.

Cost management tip: Set up a budget alert for $10/day so you do not accidentally burn through your credits. Delete resources after each lab session. Use the Azure pricing calculator to estimate costs before creating expensive resources.

Azure Cloud Shell: Available directly in the Azure portal, Cloud Shell gives you a pre-configured Bash or PowerShell environment with Azure CLI and Azure PowerShell already installed. Use it for all your command-line practice.

The Five Exam Domains

Domain 1: Manage Azure Identities and Governance (20-25%)

This domain tests your ability to manage users, groups, roles, subscriptions, and policies.

Microsoft Entra ID (formerly Azure AD):

• Users — creating and managing user accounts, including guest users (B2B collaboration). Know the difference between cloud-only users and synced users (from on-premises AD via Entra Connect).
• Groups — security groups and Microsoft 365 groups. Understand dynamic groups (membership based on user attributes) vs assigned groups.
• Administrative units — delegating admin permissions to a subset of users within Entra ID.
• Self-service password reset (SSPR) — configuring SSPR for cloud users, authentication methods, and write-back to on-premises AD.
• Multi-factor authentication (MFA) — per-user MFA, Conditional Access-based MFA, and security defaults.

Role-Based Access Control (RBAC):

• Built-in roles: Owner (full access + assign roles), Contributor (full access, cannot assign roles), Reader (view only). Know these three cold.
• Custom roles: creating roles with specific permissions when built-in roles do not fit.
• Role scope: management group, subscription, resource group, or individual resource.
• Role assignments: assigning roles to users, groups, service principals, or managed identities.
• Know how to check effective permissions and diagnose access issues.

Subscriptions and governance:

• Management groups — organizing subscriptions in a hierarchy for policy and RBAC inheritance.
• Azure Policy — creating and assigning policies that enforce rules on resources. Know built-in policies like “Allowed locations” and “Allowed VM SKUs.” Understand initiatives (collections of policies), compliance reporting, and remediation tasks.
• Resource locks — CanNotDelete (prevent deletion) and ReadOnly (prevent modification and deletion). Know that locks are inherited from parent scopes.
• Tags — applying metadata to resources for cost tracking, ownership, and environment classification. Know that tags are not inherited by default.
• Cost Management — budgets, cost alerts, cost analysis, and Azure Advisor cost recommendations.

Hands-on labs for this domain:

# Create a user
az ad user create --display-name "Lab User" \
  --user-principal-name [email protected] \
  --password "SecurePass123!"

# Create a group and add the user
az ad group create --display-name "Lab Group" --mail-nickname labgroup
az ad group member add --group "Lab Group" \
  --member-id $(az ad user show --id [email protected] --query id -o tsv)

# Assign a role
az role assignment create --assignee [email protected] \
  --role "Reader" --scope /subscriptions/YOUR_SUB_ID

# Create a policy assignment
az policy assignment create --name "allowed-locations" \
  --policy "e56962a6-4747-49cd-b67b-bf8b01975c4c" \
  --params '{"listOfAllowedLocations": {"value": ["eastus", "westus"]}}'

# Create a resource lock
az lock create --name "no-delete" --lock-type CanNotDelete \
  --resource-group myResourceGroup

Domain 2: Implement and Manage Storage (15-20%)

This domain covers Azure Storage accounts and data management.

Storage accounts:

• Account types: Standard (HDD) vs Premium (SSD), and the different kinds: StorageV2 (general purpose v2), BlobStorage, BlockBlobStorage, FileStorage.
• Redundancy: LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS. Know what each provides and when to use each. RA-GRS and RA-GZRS enable read access to the secondary region.
• Access tiers: Hot, Cool, Cold, Archive. Know minimum retention periods and access costs.
• Lifecycle management policies: automatically moving blobs between tiers or deleting them based on age.

Blob storage:

• Blob types: Block blobs (general purpose), Append blobs (log files), Page blobs (VM disks).
• Containers and access levels: Private, Blob (anonymous read for blobs only), Container (anonymous read for blobs and container).
• Shared Access Signatures (SAS): generating time-limited, permission-scoped access tokens. Know account SAS vs service SAS vs user delegation SAS.
• Stored access policies: managing SAS tokens by attaching them to a policy that can be revoked.
• Blob versioning and soft delete for data protection.
• Azure Storage Explorer: GUI tool for managing storage.

Azure Files:

• SMB and NFS file shares.
• File share snapshots for backup.
• Azure File Sync: syncing on-premises file servers with Azure Files.
• Know the difference between Azure Files and Azure Blob Storage.

Data transfer:

• AzCopy: command-line tool for copying data to/from Azure Storage.
• Azure Storage Explorer: GUI for managing storage.
• Azure Import/Export: shipping physical disks for large data transfers.
• Azure Data Box: Microsoft ships you a device for massive data transfers.

Hands-on labs:

# Create a storage account
az storage account create --name mystorageacct123 \
  --resource-group myRG --location eastus --sku Standard_LRS

# Create a blob container
az storage container create --name mycontainer \
  --account-name mystorageacct123

# Upload a file
az storage blob upload --container-name mycontainer \
  --file ./myfile.txt --name myfile.txt \
  --account-name mystorageacct123

# Generate a SAS token
az storage blob generate-sas --container-name mycontainer \
  --name myfile.txt --permissions r --expiry 2026-12-31 \
  --account-name mystorageacct123

# Create a file share
az storage share create --name myshare \
  --account-name mystorageacct123

Domain 3: Deploy and Manage Azure Compute Resources (20-25%)

This domain covers virtual machines, containers, and app services.

Virtual Machines:

• Creating VMs: images, sizes, disks, networking, availability options.
• Availability sets: fault domains and update domains for protecting against hardware failures and maintenance.
• Virtual Machine Scale Sets (VMSS): autoscaling groups of identical VMs. Know scaling policies (metric-based, schedule-based) and upgrade policies (automatic, rolling, manual).
• VM extensions: automating post-deployment configuration (Custom Script Extension, DSC Extension).
• Azure Bastion: secure RDP/SSH access without public IP addresses.
• Azure Disk Encryption: encrypting OS and data disks with BitLocker (Windows) or DM-Crypt (Linux).
• Managed disks: Standard HDD, Standard SSD, Premium SSD, Ultra Disk. Know IOPS and throughput characteristics.
• VM backup with Azure Backup: Recovery Services vault, backup policies, restore options.

Containers:

• Azure Container Instances (ACI): running single containers without managing infrastructure.
• Azure Container Registry (ACR): storing and managing container images.
• Azure Kubernetes Service (AKS): managed Kubernetes. Know node pools, scaling, networking (kubenet vs Azure CNI), and RBAC integration.
• Azure Container Apps: serverless containers with built-in scaling, Dapr, and KEDA support.

Azure App Service:

• App Service plans: Free, Shared, Basic, Standard, Premium, Isolated tiers. Know which features each tier provides (custom domains, SSL, autoscaling, deployment slots).
• Deployment slots: staging environments that can be swapped with production for zero-downtime deployments.
• Autoscaling: rule-based (metric triggers) and automatic scaling.
• Configuration: application settings, connection strings, path mappings.
• Deployment methods: Git, GitHub Actions, Azure DevOps, ZIP deploy.

Hands-on labs:

# Create a VM
az vm create --resource-group myRG --name myVM \
  --image Ubuntu2204 --size Standard_B2s \
  --admin-username azureuser --generate-ssh-keys

# Create a VMSS
az vmss create --resource-group myRG --name myVMSS \
  --image Ubuntu2204 --instance-count 2 --vm-sku Standard_B1s \
  --admin-username azureuser --generate-ssh-keys

# Create an App Service
az appservice plan create --name myPlan --resource-group myRG \
  --sku S1 --is-linux
az webapp create --resource-group myRG --plan myPlan \
  --name mywebapp123 --runtime "NODE:18-lts"

# Create a deployment slot
az webapp deployment slot create --name mywebapp123 \
  --resource-group myRG --slot staging

# Create an AKS cluster
az aks create --resource-group myRG --name myAKS \
  --node-count 2 --generate-ssh-keys
az aks get-credentials --resource-group myRG --name myAKS

Domain 4: Implement and Manage Virtual Networking (20-25%)

Networking is one of the most challenging and heavily weighted domains.

Virtual Networks (VNets):

• Address spaces and subnets. Know CIDR notation.
• Network Security Groups (NSGs): inbound and outbound rules, priority (lower number = higher priority), default rules, association to subnets or NICs.
• Application Security Groups (ASGs): grouping VMs for simplified NSG rules.
• Service endpoints: connecting Azure services (Storage, SQL) directly to your VNet.
• Private endpoints: accessing Azure services through a private IP in your VNet. Know the difference between service endpoints and private endpoints.

VNet connectivity:

• VNet peering: connecting two VNets (same or different regions). Non-transitive by default.
• VPN Gateway: site-to-site VPN for on-premises connectivity, point-to-site VPN for individual clients.
• ExpressRoute: dedicated private connection from on-premises to Azure.
• Virtual WAN: simplified hub-and-spoke networking at scale.

Load balancing:

• Azure Load Balancer: Layer 4 (TCP/UDP), internal or public. Health probes, backend pools, load balancing rules, NAT rules.
• Azure Application Gateway: Layer 7 (HTTP/HTTPS), URL-based routing, SSL termination, WAF, cookie-based affinity.
• Azure Front Door: global Layer 7 load balancing with CDN, WAF, and SSL offloading.
• Azure Traffic Manager: DNS-based load balancing for routing traffic across regions.
• Know when to use each: Load Balancer for non-HTTP within a region, Application Gateway for HTTP within a region, Front Door for global HTTP, Traffic Manager for global DNS-based routing.

DNS:

• Azure DNS: hosting public and private DNS zones.
• Private DNS zones: name resolution within VNets.
• DNS record types: A, AAAA, CNAME, MX, TXT, SRV, NS, SOA.

Network monitoring:

• Network Watcher: IP flow verify, next hop, connection troubleshoot, NSG flow logs, packet capture.
• Connection Monitor: monitoring network connectivity between Azure resources.

Hands-on labs:

# Create a VNet with subnets
az network vnet create --resource-group myRG --name myVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name frontend --subnet-prefix 10.0.1.0/24

az network vnet subnet create --resource-group myRG \
  --vnet-name myVNet --name backend --address-prefix 10.0.2.0/24

# Create an NSG and rules
az network nsg create --resource-group myRG --name myNSG

az network nsg rule create --resource-group myRG --nsg-name myNSG \
  --name AllowHTTP --priority 100 --direction Inbound \
  --access Allow --protocol Tcp --destination-port-ranges 80

# Create a load balancer
az network lb create --resource-group myRG --name myLB \
  --sku Standard --frontend-ip-name myFrontEnd \
  --backend-pool-name myBackEnd --public-ip-address myPublicIP

# Create VNet peering
az network vnet peering create --resource-group myRG \
  --name vnet1-to-vnet2 --vnet-name myVNet1 \
  --remote-vnet myVNet2 --allow-vnet-access

Domain 5: Monitor and Maintain Azure Resources (10-15%)

This domain covers monitoring, backup, and disaster recovery.

Azure Monitor:

• Metrics: platform metrics collected automatically from Azure resources. Custom metrics from applications.
• Logs: diagnostic settings to route logs to Log Analytics, Storage, or Event Hubs.
• Alerts: metric alerts, log alerts, activity log alerts. Action groups for notification and automation.
• Log Analytics workspace: centralized log collection and KQL (Kusto Query Language) queries.
• Application Insights: application performance monitoring (APM) for web applications.

Azure Backup:

• Recovery Services vault: the container for backups.
• Backup policies: frequency, retention, and schedule.
• VM backup: application-consistent snapshots.
• File-level restore: recovering individual files from VM backups.
• Azure Site Recovery: disaster recovery for VMs. Replication, failover, and failback.

KQL basics you should know:

// Filter events
AzureActivity | where OperationName == "Create or Update Virtual Machine"

// Count by category
AzureActivity | summarize count() by CategoryValue

// Time-based filtering
AzureActivity | where TimeGenerated > ago(24h)

// Join tables
VMConnection | join kind=inner (Heartbeat) on Computer

The 6-Week Study Plan

Week 1: Identity and Governance

• Microsoft Entra ID: users, groups, SSPR, MFA
• RBAC: built-in roles, custom roles, role assignments
• Azure Policy: built-in policies, initiatives, compliance
• Management groups, subscriptions, resource locks, tags
• Hands-on labs for all topics
• 25 practice questions per day in StudyKits

Week 2: Storage

• Storage accounts: types, redundancy, access tiers
• Blob storage: containers, SAS tokens, lifecycle management
• Azure Files: SMB shares, File Sync
• Data transfer: AzCopy, Storage Explorer
• Hands-on labs for all topics
• 30 practice questions per day

Week 3: Compute (VMs and Containers)

• VMs: creation, availability sets, VMSS, extensions, disks
• Azure Backup and disk encryption
• Container Instances, Container Registry, AKS
• Hands-on labs for all topics
• 30 practice questions per day

Week 4: Compute (App Service) and Networking Basics

• App Service plans, deployment slots, autoscaling
• VNets, subnets, NSGs, ASGs
• Service endpoints, private endpoints
• Hands-on labs for all topics
• 35 practice questions per day

Week 5: Advanced Networking and Monitoring

• VNet peering, VPN Gateway, ExpressRoute
• Load Balancer, Application Gateway, Front Door, Traffic Manager
• Azure DNS, private DNS zones
• Azure Monitor, Log Analytics, alerts
• Azure Backup, Site Recovery
• 40 practice questions per day

Week 6: Review and Practice Exams

• Take full-length practice exams (timed to 100 minutes)
• Review all incorrect answers
• Re-do hands-on labs for weak areas
• Focus on your two weakest domains
• 50 practice questions per day
• Schedule your exam for the end of this week

Exam Day Tips

• The AZ-104 may include hands-on lab questions. If it does, do the labs first (they take the most time and cannot be revisited after moving to the next section).
• For multiple-choice questions, read all options before selecting. Many questions have answers that are close but differ in one key detail.
• Know the Azure CLI and PowerShell command patterns. You do not need to memorize exact syntax, but you should recognize correct commands when you see them.
• When stuck between two answers, consider which solution requires the least administrative overhead. Microsoft favors managed services and built-in features over custom solutions.
• Time management: with 40-60 questions in 100 minutes, you have about 2 minutes per question. Labs take longer — budget 20-30 minutes if they appear.

What Comes After AZ-104?

The AZ-104 is the prerequisite for the AZ-305 (Azure Solutions Architect Expert), which is the premier Azure architecture certification. You can also branch into:

• AZ-400 (DevOps Engineer Expert) — if you focus on CI/CD and automation
• AZ-500 (Security Engineer Associate) — if you focus on security

For the complete roadmap, see our Azure Certification Path 2026 guide.

Start Studying Today

The AZ-104 is a challenging but achievable exam with the right preparation. Follow the 6-week study plan, do every hands-on lab, and practice consistently with StudyKits. The combination of practical experience and practice questions is what gets you across the finish line.

Download StudyKits and start working through AZ-104 practice questions that match the difficulty and format of the real exam.