How to Pass Microsoft Azure Administrator AZ-104 (Study Plan + Tips)
The Microsoft Azure Administrator AZ-104 certification validates your ability to manage Azure subscriptions, secure identities, manage governance, and administer Azure compute, storage, and networking resources. This comprehensive guide provides a structured study plan, domain breakdown, and actionable strategies to help you pass the exam on your first attempt.
Table of Contents
Exam Overview and Format
The AZ-104 exam is a multiple-choice, performance-based assessment that tests your practical ability to manage Azure infrastructure. You'll have 120 minutes to complete the exam, which typically includes 40-60 questions. The test combines traditional multiple-choice questions with scenario-based labs where you perform real tasks in a live Azure environment.
Microsoft changed the exam format in 2024 to emphasize hands-on capabilities. Rather than just knowing Azure concepts, you must demonstrate the ability to perform administrative tasks like creating virtual machines, configuring networking, managing identities, and implementing governance policies. This shift toward practical assessment means your study approach must include substantial hands-on practice.
The exam allows you to skip questions and return to them later, but there's no penalty for incorrect answers. This means you should attempt every question. The passing score is typically around 700 out of 1000 points, though Microsoft doesn't publish exact cut scores.
Question Types You'll Encounter
Multiple Choice (Single Answer): Select one correct answer from four options. These test conceptual knowledge and require careful reading to avoid trick answers.
Multiple Select: Choose all correct answers from a list. You must select all correct options to earn points, with no partial credit. These are typically worth more points than single-choice questions.
Performance-Based Labs: Interactive scenarios where you configure actual Azure resources using the Azure Portal, PowerShell, or Azure CLI. You'll be given a task (e.g., "Create a virtual network with three subnets and restrict traffic between them") and must complete it within the live environment. These labs often count for 10-30% of your exam score.
Drag-and-Drop: Match concepts to definitions or arrange items in the correct order. These test your understanding of Azure architecture and processes.
Domain Breakdown and Weights
Microsoft breaks the AZ-104 exam into five domains, each weighted differently. Understanding these weights helps you allocate your study time effectively. The exam doesn't weight every topic equally, so prioritizing high-weight domains increases your efficiency.
Domain 1: Manage Azure Identities and Governance (20-25%)
This domain covers Azure Active Directory (now called Microsoft Entra ID), role-based access control (RBAC), and Azure Policy. You'll need to understand how to manage user identities, assign permissions using RBAC roles, create and enforce Azure Policies, and manage subscriptions and management groups.
Key topics include:
- Creating and managing Azure AD users, groups, and applications
- Configuring role-based access control and custom roles
- Implementing Azure Policy for governance and compliance
- Managing subscriptions and implementing cost management
- Configuring managed identities for resources
This domain is critical because identity and governance principles apply across all other domains. If you don't understand RBAC, you'll struggle with secure resource deployment.
Domain 2: Manage Storage (15-20%)
You'll need to demonstrate proficiency with Azure Storage accounts, including blobs, files, queues, and tables. This domain also covers storage security, replication options, and lifecycle management.
Key topics include:
- Creating and managing storage accounts and storage tiers
- Configuring blob storage, file shares, and managed disks
- Implementing storage security (access keys, SAS tokens, encryption)
- Configuring replication and redundancy options
- Managing backups and recovery
Storage is foundational to Azure. Nearly every application uses some form of storage, so expect storage questions to appear throughout the exam in different contexts.
Domain 3: Manage Compute Resources (20-25%)
This is the largest domain, covering virtual machines, App Service, container services, and Azure Kubernetes Service (AKS). You need hands-on experience creating VMs, configuring scale sets, and understanding deployment options.
Key topics include:
- Creating and configuring virtual machines and VM scale sets
- Managing VM images and custom images
- Deploying and managing Azure Container Instances and AKS
- Configuring App Service plans and web apps
- Implementing auto-scaling and load balancing
Compute is where you'll spend significant time in the lab scenarios. Expect 30-40% of your performance-based lab time to involve compute resources.
Domain 4: Manage Virtual Networking (20-25%)
Networking is critical for cloud administrators. This domain covers virtual networks, subnets, network security groups (NSGs), application gateways, and load balancers. You need to understand how to design and secure network architectures.
Key topics include:
- Creating virtual networks, subnets, and network interfaces
- Configuring network security groups and application security groups
- Implementing application gateways and load balancers
- Configuring VPN and ExpressRoute for hybrid connectivity
- Implementing DNS and name resolution
Networking questions often have multiple correct answers based on different architectures. You need to understand tradeoffs between performance, security, and cost.
Domain 5: Monitor and Maintain Azure Resources (10-15%)
This domain covers monitoring, logging, maintenance, and troubleshooting. You'll need to know Azure Monitor, Application Insights, and how to diagnose Azure resource issues.
Key topics include:
- Configuring Azure Monitor and alerts
- Implementing Application Insights for monitoring
- Analyzing logs and performance metrics
- Backing up and recovering Azure resources
- Updating and maintaining virtual machines
While this domain has the lowest weight, monitoring skills apply across all other domains. Don't skip this area, but don't over-invest study time here either.
12-Week Study Plan
A structured 12-week plan ensures you cover all domains thoroughly while building practical skills. This schedule assumes 5-7 hours of study per week. Adjust based on your experience level and available time.
Weeks 1-2: Foundation and Identity (Domain 1)
Learning Objective: Understand Azure AD, RBAC, and subscription management fundamentals.
Study Activities:
- Complete Microsoft Learn modules on Azure Active Directory basics
- Practice creating users, groups, and assigning RBAC roles in your free Azure sandbox
- Work through Azure Policy fundamentals and create 2-3 sample policies
- Understand management groups and subscription organization
Hands-On Lab Focus: Create an Azure AD tenant, add users, organize them into groups, and practice assigning different RBAC roles to users and applications. Use the Azure Portal exclusively during these weeks to build muscle memory.
Success Metrics: You should be able to explain when to use custom RBAC roles versus built-in roles, and describe how Azure Policy differs from RBAC.
Weeks 3-4: Storage Fundamentals (Domain 2)
Learning Objective: Master storage accounts, access methods, and security controls.
Study Activities:
- Complete Microsoft Learn modules on Azure Storage account types and configurations
- Create storage accounts with different redundancy options (LRS, GRS, RAGRS, GZRS)
- Practice uploading blobs, creating file shares, and working with queues
- Learn about SAS tokens, shared keys, and managed identity access
- Study storage lifecycle policies and blob tiering
Hands-On Lab Focus: Create a storage account, upload different types of content (blobs, files), configure access controls using SAS tokens and shared keys, and implement a lifecycle policy that moves blobs to cool storage after 30 days.
Success Metrics: You should understand all replication options and be able to recommend the appropriate option based on cost and recovery requirements.
Weeks 5-7: Compute Resources (Domain 3)
Learning Objective: Build proficiency with virtual machines, containers, and deployment options.
Study Activities:
- Create multiple virtual machines using the Portal, PowerShell, and Azure CLI
- Configure VM scale sets and learn about auto-scaling policies
- Deploy App Service web apps with multiple deployment slots
- Work through Azure Container Instances and understand when to use containers versus VMs
- Study AKS architecture, nodes, and pods (conceptually, not deep diving)
Hands-On Lab Focus: Create a VM, customize it with software, create an image from it, deploy a VM scale set using that image, and configure auto-scaling rules. Then deploy a containerized application to Azure Container Instances.
Success Metrics: You should be able to choose the right compute option (VM, App Service, containers, AKS) for different workload scenarios and explain the tradeoffs.
Weeks 8-10: Networking (Domain 4)
Learning Objective: Design and implement secure, scalable network architectures.
Study Activities:
- Create virtual networks with multiple subnets and configure address spaces
- Implement network security groups and understand inbound/outbound rules
- Deploy load balancers and application gateways
- Configure VPN connections and understand VPN gateway options
- Study DNS and name resolution in Azure
Hands-On Lab Focus: Create a virtual network with multiple subnets, deploy VMs in different subnets, configure NSGs to allow traffic between certain subnets while blocking others, then add a load balancer in front of the VMs.
Success Metrics: You should be able to design a network architecture for a multi-tier application, understand NSG rule evaluation order, and explain the difference between application gateways and load balancers.
Weeks 11-12: Monitoring, Integration, and Exam Prep (Domain 5 + Review)
Learning Objective: Learn monitoring tools, perform practice exams, and reinforce weak areas.
Study Activities:
- Set up Azure Monitor and configure alerts on virtual machine metrics
- Work with Azure Log Analytics and write KQL queries
- Deploy Application Insights to a web application
- Practice backing up and restoring Azure resources
- Take full-length practice exams (use MeasureUp or official Microsoft practice tests)
- Review weak areas identified in practice exams
Hands-On Lab Focus: Create a full scenario combining compute, networking, storage, and monitoring. Example: Deploy a web app with a database, configure monitoring and alerts, simulate a failure, and use the monitoring data to troubleshoot.
Success Metrics: Score 80% or higher on practice exams. Identify and eliminate knowledge gaps in 2-3 weak areas.
Core Topics Deep Dive
Azure Active Directory and RBAC
Azure AD (Microsoft Entra ID) is the identity provider for Azure. Understand the difference between Azure AD users, guest accounts, and service principals. Service principals are non-interactive accounts used by applications and automation tools, while users are actual people.
RBAC is fundamental to Azure security. The exam expects you to understand:
- Built-in roles: Owner, Contributor, Reader, and domain-specific roles like Virtual Machine Contributor
- Custom roles: When to create them (rarely, unless you have very specific permission requirements)
- Scope: Roles are assigned at management group, subscription, or resource group level. Understand inheritance
- Deny assignments: These explicitly prohibit actions even if a role grants them (less common but important)
Practice scenario: A developer team needs to create and manage VMs but not modify networking. You would assign them the "Virtual Machine Contributor" role scoped to a specific resource group, not the subscription.
Storage Account Security and Access Patterns
Storage security involves multiple layers. Understand:
- Storage account keys: Primary and secondary keys provide full access. Rotate regularly. Never commit keys to version control
- SAS tokens: Shared Access Signatures grant time-limited, scoped access. Use for client applications or temporary access
- Managed identity: Services (VMs, App Service, Logic Apps) can use managed identity to access storage without storing credentials
- Network security: Firewall rules restrict access to specific VNets or IP addresses. Service endpoints enable VNet isolation
A common exam scenario: Your application needs to access blob storage. Rather than embedding connection strings with storage keys in your code, use managed identity. This eliminates the need to manage credentials and is automatically rotated by Azure.
Virtual Machine Deployment and Management
VMs are central to Azure compute. Know how to:
- Create VMs: Understand availability zones versus availability sets. Zones provide better redundancy (different data centers), while availability sets are for older regions without zones
- Storage options: Managed disks (recommended) versus unmanaged disks. Always use managed disks for new deployments
- VM sizes: General purpose (B, D), compute optimized (F), memory optimized (E), storage optimized (L). The exam may ask which size is appropriate for specific workloads
- Custom images: Generalize VMs using Sysprep (Windows) or deprovision (Linux) before creating images
Practice creating VMs using both the Portal and CLI, and deploy the same VM from a custom image to understand the full lifecycle.
Network Security and NSGs
Network security groups are virtual firewalls. Key concepts:
- Rules are evaluated in order: Rules are processed from lowest priority number to highest. The first matching rule is applied
- Inbound vs. outbound: Default rules deny all inbound but allow all outbound. Modify based on requirements
- Service tags: Azure-provided shortcuts representing IP ranges. "Internet" represents all public IPs, "AzureCloud" represents Azure services
- Application security groups (ASGs): Group resources and apply rules to the group rather than individual IPs. Simplifies rule management
A scenario you'll likely encounter: Create an NSG that allows web traffic from the internet to VMs in a subnet but restricts database traffic to only those web VMs. You would use ASGs to group the web tier and database tier, then create rules allowing traffic between them.
Azure Policy and Governance
Azure Policy enforces organizational standards. Understand:
- Policies: Rules that enforce compliance (e.g., "all storage accounts must have encryption enabled")
- Initiatives: Collections of policies (e.g., "Cloud Security Benchmark" contains many individual policies)
- Effects: Audit (log non-compliance), Deny (block non-compliant resources), DeployIfNotExists (automatically remediate), Modify (change resource properties)
- Scope: Policies are assigned to management groups, subscriptions, or resource groups and inherited by children
You might need to write simple policy rules in JSON or understand policy effects in scenario questions.
Practice Exam Strategy
Practice exams are your best indicator of readiness. They reveal knowledge gaps, teach you test-taking strategies, and reduce exam anxiety. Use these strategically throughout your study period.
When to Take Practice Exams
Baseline exam (Week 3): Take a practice exam early, even unprepared, to understand the question format and identify which domains need the most work. This shouldn't count as "studying" but rather as assessment.
Mid-point exam (Week 8): After covering 80% of content, take another practice exam. You should score 60-70%. This reveals which specific topics still need reinforcement.
Final exams (Weeks 11-12): Take 2-3 full-length practice exams. You should score 80%+ before scheduling your real exam. Review every question you missed, even if you guessed correctly.
How to Analyze Practice Exam Results
Simply taking practice exams isn't enough. Your analysis matters more than the test itself:
- Identify patterns: Do you consistently miss questions in specific domains or topics? Are your mistakes conceptual misunderstandings or careless reading errors?
- Review incorrect answers: Don't just move on. Understand why the correct answer is right and why your choice was wrong
- Review correct answers: If you guessed correctly, understand why the answer is correct. You might have gotten lucky
- Time management: Were you rushed? Did you spend too long on difficult questions? Practice pacing
Create a spreadsheet tracking your practice exam scores by domain. This gives you a clear view of which areas need additional study.
Recommended Practice Exam Sources
Microsoft's official AZ-104 page provides free practice questions and links to official practice exams. MeasureUp and Examtopics also offer practice exams specifically aligned to the current exam format.
The benefit of MeasureUp exams is that they're officially developed by Microsoft and closely match the real exam's difficulty and question types. Free practice from Skillsoft or other platforms is valuable for initial learning but may not perfectly reflect the real exam's rigor.
Hands-On Lab Work
The shift toward performance-based labs means hands-on practice is non-negotiable. You can't pass AZ-104 through memorization alone. You must develop muscle memory for Azure Portal navigation, PowerShell commands, and Azure CLI operations.
Lab Strategy and Free Resources
You have several options for hands-on practice:
- Azure Free Tier: Microsoft provides a free Azure account with $200 credits. This is sufficient for all AZ-104 labs if you're careful. Don't leave resources running 24/7 or use expensive compute
- Microsoft Learn modules: Free, guided labs that walk you through specific tasks. Start here for foundational topics
- Challenge labs: Available through training providers like DiviTrain, these labs present open-ended scenarios requiring you to solve problems independently without step-by-step guidance
DiviTrain's AZ-104 course includes 20 hours of challenge labs designed specifically for the exam. These labs simulate real exam scenarios where you receive minimal guidance and must figure out the solution, closely mirroring the actual performance-based portion of the exam.
Lab Progression Path
Weeks 1-4 (Guided labs): Complete Microsoft Learn modules with built-in step-by-step labs. These teach you where features are located and basic operations.
Weeks 5-10 (Scenario-based labs): Move to labs that present a problem without step-by-step instructions. Example: "Deploy a three-tier application with a web layer, application layer, and database layer. Configure networking to restrict traffic appropriately." You must figure out the steps.
Weeks 11-12 (Challenge labs): Complete complex, multi-step labs combining multiple domains. These should feel close to the actual exam difficulty.
PowerShell and Azure CLI Proficiency
The exam may ask you to recognize PowerShell or CLI commands, or the performance-based labs may require you to use them. You don't need expert-level scripting skills, but understand common commands:
PowerShell basics:
- Connect-AzAccount (authenticate)
- New-AzResourceGroup (create a resource group)
- New-AzVM (create a virtual machine)
- Get-AzVM (list VMs)
Azure CLI basics:
- az login (authenticate)
- az group create (create a resource group)
- az vm create (create a virtual machine)
- az vm list (list VMs)
Many administrators prefer CLI for simplicity, while others use PowerShell for scripting. During the exam, you can use either. The Portal is always available as a backup if you're unsure of CLI syntax.
Exam Day Strategies
Before Your Exam
Schedule strategically: Book your exam when you're at peak mental capacity. Most people perform better in the morning. Avoid scheduling immediately after a stressful work period.
Review exam requirements: Microsoft has specific rules about exam centers and online proctoring. Check your exam eligibility, required identification, and whether you're taking it at a testing center or online.
Do a final review (3-4 days before): Don't cram the night before. Instead, review your practice exam analytics, your weak topics, and do light studying. Get good sleep before the exam.
Know the exam format: You'll have 120 minutes. That's roughly 2 minutes per question plus additional time for performance-based labs. Understand your time budget.
During the Exam
Read questions carefully: Exam questions are often worded precisely. A single word can change the correct answer. Read the question once completely before considering answers. Watch for qualifiers like "BEST", "MUST", "NOT", and "MOST".
Manage performance-based labs: These labs often appear as a series of tasks to complete in a live Azure environment. You have limited time to complete them. Read the entire scenario first before starting, plan your approach, then execute efficiently.
Use the "mark for review" feature: Flag difficult questions and come back to them after completing easier questions. This prevents spending 10 minutes on a single question.
Eliminate incorrect answers: Even if you're unsure of the correct answer, often three of four options are clearly wrong. Elimination increases your probability of guessing correctly.
Manage time on labs: If a lab is taking too long, move on and return if you have time at the end. A 5-minute lab is worth the same as a 15-minute one, so don't get stuck.
Verify your answers before submitting: With 10 minutes remaining, do a final review of flagged questions. Fix obvious mistakes without second-guessing correct answers.
Test-Taking Techniques
For multiple-choice questions: Select the best answer, not just a correct answer. Often multiple options may seem correct, but one is more complete or specific. Choose the option that directly addresses the question.
For multiple-select questions: These require ALL correct answers to earn points. If unsure about one option, reconsider your other selections. It's often better to select fewer items if you're uncertain.
For scenario-based questions: Identify what the scenario is actually asking. Often extra information is provided to test whether you can filter out irrelevant details.
For labs: Start with the easiest task in the lab and work your way to more complex ones. This builds confidence and ensures you earn partial credit even if you can't complete everything.
Common Mistakes to Avoid
Mistake 1: Skipping hands-on labs. Administrators often want to focus on understanding concepts without building them practically. This is a critical mistake for AZ-104. The exam heavily tests practical ability, not just theoretical knowledge. Dedicate 40% of your study time to hands-on work.
Mistake 2: Over-focusing on one domain. Many administrators are strongest in networking or compute and under-prepare in identity/governance or storage. The exam distributes questions across all domains, so weaknesses are penalized. Spend time on uncomfortable topics.
Mistake 3: Confusing Azure services. Azure has many services that sound similar. App Service vs. Functions, Cosmos DB vs. SQL Database, VMs vs. VM Scale Sets. Understand the differences and use cases. Create a comparison matrix if this is a weak area.
Mistake 4: Not reading practice exam explanations. Simply taking practice exams without deep analysis is wasted effort. Review every explanation, even for questions you answered correctly.
Mistake 5: Using outdated study materials. Azure changes frequently. Study materials from 2023 may be outdated by 2026. Use Microsoft Learn and current training providers like DiviTrain that update content regularly.
Mistake 6: Memorizing instead of understanding. AZ-104 tests application of knowledge, not memorization. If you can recite facts but can't solve scenarios, you'll fail. Focus on understanding the "why" behind configurations.
Mistake 7: Underestimating networking and monitoring. These domains seem straightforward but are frequently tested in complex scenarios. Give them adequate study time.
The DiviTrain Advantage
When preparing for AZ-104, choosing the right learning platform makes a significant difference. DiviTrain offers a comprehensive learning ecosystem specifically designed for exam success:
- Expert tutor support available 24/7: When you get stuck on a concept or lab, expert instructors are available to guide you without giving away answers
- MeasureUp Practice Exams: 60 days of access to official practice exams that mirror the real exam's difficulty and format exactly
- 365 days of course access: You're not rushed through material. Take your time, revisit concepts, and study at your own pace
- Challenge Labs (20 hours): Scenario-based, hands-on labs that simulate real exam performance tasks. These are the difference between theoretical knowledge and practical ability
Additional Learning Resources
Microsoft Learn AZ-104 Learning Path: The official Microsoft learning path includes free modules, labs, and practice assessments. This is your authoritative source for exam content.
Azure Resource Manager Documentation: Understanding ARM concepts is important for governance and deployment topics. Microsoft's official docs are comprehensive and regularly updated.
Azure CLI Documentation: Reference for CLI commands. Bookmark this for quick lookups during study and exam prep.
Azure Identity Management Guide: Deep dive into identity concepts, which form the foundation of many exam questions.
Additionally, explore DiviTrain's Microsoft certification collection to see related certifications like AZ-900 Azure Fundamentals (prerequisite knowledge) and AZ-500 Azure Security (a natural progression after AZ-104).
Frequently Asked Questions
Q: Do I need to pass AZ-900 before taking AZ-104?
A: No, AZ-900 is not a prerequisite for AZ-104. However, many people find that passing AZ-900 first helps them understand Azure fundamentals, which makes AZ-104 easier to grasp. If you have no Azure experience, consider the AZ-900 path first. If you have hands-on Azure experience, you can go directly to AZ-104.
Q: How many questions are on the AZ-104 exam?
A: Typically 40-60 questions, though exact numbers vary. The exam includes multiple-choice, multiple-select, drag-and-drop, and performance-based lab questions. The 120-minute time limit applies regardless of exact question count.
Q: What's the passing score for AZ-104?
A: The passing score is typically around 700 out of 1000 points, though Microsoft doesn't publish exact cut scores. Different exam versions may have slightly different scores. Your goal should be 80%+ on practice exams to ensure you pass the real exam.
Q: How long is the AZ-104 exam valid?
A: Microsoft certifications are valid for three years from the date you pass. After three years, you must retake the exam to maintain the certification. However, you can recertify by passing any Microsoft Azure exam, which resets the three-year timer.
Q: Can I use notes during the performance-based labs?
A: No, you cannot bring external notes into the exam. However, you can reference Azure Portal help documentation and search for commands within the Azure CLI or PowerShell during performance-based lab tasks. Understanding concepts is more important than memorizing syntax.
Q: How much hands-on Azure experience do I need before attempting AZ-104?
A: Ideally, you should have 1-2 years of hands-on Azure administration experience before taking AZ-104. If you have less experience, invest more study time in hands-on labs. If you have significant Azure experience, you can likely reduce study time to 6-8 weeks.
Q: What should I do if I fail AZ-104?
A: Don't panic. Most successful Azure administrators pass on the second attempt. Review your score report, identify weak domains, spend 2-3 weeks focused on those areas, retake practice exams until you score 85%+, then reschedule the exam. Microsoft allows retakes after 24 hours but recommends waiting longer to study more effectively.
Q: Can I use PowerShell during the exam instead of the Portal?
A: Yes, in the performance-based labs, you can use PowerShell, Azure CLI, or the Portal to complete tasks. The exam doesn't require a specific method. However, practice with the Portal during study since most examiners are familiar with Portal workflows and it's often faster for quick tasks.
Conclusion
Passing AZ-104 requires a combination of theoretical knowledge, practical hands-on skills, and test-taking strategy. Use this guide as your roadmap, but personalize it based on your experience level and learning style. Prioritize hands-on lab work over passive reading, take practice exams seriously, and don't rush.
The 12-week study plan, domain breakdown, and exam strategies provided here align with how Microsoft structures the exam and what real Azure administrators need to know. If you follow this approach diligently, you'll be well-prepared to pass AZ-104 on your first attempt.
Remember: AZ-104 certification demonstrates real, practical cloud administration skills valued across industries. The effort you invest in this exam translates directly to job readiness and career advancement in cloud infrastructure roles.
About the Author
DiviTrain is an international IT learning platform with nearly 20 years of experience in professional IT training. Our courses are developed by Skillsoft, the global leader in enterprise learning, ensuring high-quality, industry-relevant content. You get access to hands-on practice labs, expert tutor support available 24/7, and official MeasureUp practice exams, all backed by DiviTrain's commitment to your certification success. Whether you're pursuing your first certification or advancing your career in cloud infrastructure and Azure administration, DiviTrain provides the complete tools, guidance, and support you need to succeed.
