Microsoft Azure Administrator Study Guide 2026 (AZ-104)

The Microsoft Azure Administrator certification (AZ-104) validates your ability to manage Azure subscriptions, implement and manage storage, deploy and manage compute resources, configure and manage virtual networks, and manage identities and governance. Whether you're advancing your cloud infrastructure career or transitioning from on-premises IT, passing the AZ-104 exam requires a strategic, domain-focused approach. This study guide provides a detailed breakdown of each exam domain, key concepts, services to master, and effective study strategies to maximize your preparation.

Table of Contents

Exam Overview and Domain Breakdown

The AZ-104 exam tests your practical knowledge across five weighted domains. Understanding the exam structure helps you allocate study time effectively and focus on high-impact topics.

Exam Structure

  • Duration: 120 minutes
  • Number of Questions: Typically 40-60 questions (mix of single-answer, multiple-choice, and case studies)
  • Passing Score: 700 out of 1000 (approximately 70%)
  • Format: Multiple choice, case studies, and interactive labs in the live exam environment

Domain Weights

  • Domain 1: Manage Azure Identities and Governance, 20-25%
  • Domain 2: Implement and Manage Storage, 15-20%
  • Domain 3: Deploy and Manage Compute Resources, 20-25%
  • Domain 4: Configure and Manage Virtual Networks, 20-25%
  • Domain 5: Monitor and Maintain Azure Resources, 10-15%

Notice that Domains 1, 3, and 4 carry the heaviest weight. Prioritize these areas during your study plan.

Domain 1: Manage Azure Identities and Governance (20-25%)

Domain 1 is foundational. You cannot effectively manage Azure resources without understanding identity and governance frameworks. This domain covers Azure Active Directory (now Entra ID), role-based access control (RBAC), subscriptions, management groups, and policy enforcement.

Key Topics and Services

  • Azure Entra ID (formerly Azure AD): User and group management, hybrid identity scenarios, multi-factor authentication (MFA), and conditional access policies. You must understand how to create users, groups, and manage licenses.
  • Manage Azure Subscriptions: Subscription structure, cost analysis, budgets, and alerts. Know how subscriptions relate to management groups and the inheritance model.
  • Management Groups: Organizing subscriptions hierarchically, applying policies at scale, and understanding scope.
  • Azure Role-Based Access Control (RBAC): Custom roles, built-in roles (Owner, Contributor, Reader, Viewer), service principals, and managed identities. This is heavily tested.
  • Azure Policy: Creating policies, applying definitions at various scopes, audit and deny effects, and remediation tasks.
  • Resource Tags: Tagging strategies for cost allocation, organization, and automation.
  • Azure Resource Manager (ARM): Templates, parameterization, and infrastructure-as-code principles.

Critical Concepts to Master

Role-Based Access Control is the most frequently tested concept. Understand the difference between role assignment scope, permissions inheritance, and how to troubleshoot access denied errors. Practice assigning roles at the subscription, resource group, and resource levels. Know the difference between Azure roles (RBAC) and Azure AD roles (identity and access management in Entra ID).

Azure Policy is tested heavily in scenario questions. You need to know how to create compliance initiatives, understand policy effects (Deny, Audit, Modify, AuditIfNotExists, DeployIfNotExists), and how remediation works for existing resources.

Study Tips for Domain 1

  • Create a practical lab environment and practice assigning RBAC roles to test users and managed identities.
  • Build custom Azure Policy definitions and apply them to resource groups. Test the effect of different policy modes (Disabled vs. Enabled).
  • Practice using the Azure Portal, Azure CLI, and PowerShell to perform identity and governance tasks.
  • Review real-world scenarios: "A developer needs read access to a specific resource group but must not be able to delete resources." How would you implement this?
  • Understand the principle of least privilege and how to apply it using RBAC, Azure Policy, and Entra ID Conditional Access.

Domain 2: Implement and Manage Storage (15-20%)

Azure Storage is critical for nearly every application workload. This domain covers Azure Storage accounts, blob storage, file shares, managed disks, and storage security and optimization.

Key Topics and Services

  • Azure Storage Accounts: Storage account types (Standard, Premium), replication options (LRS, GRS, RA-GRS, GZRS), access tiers (Hot, Cool, Archive), and network security (firewalls, service endpoints, private endpoints).
  • Blob Storage: Containers, blobs, blob types (block, append, page), lifecycle management, and blob snapshots. Understand hot, cool, and archive tiers and when to use each.
  • File Shares: Azure Files (SMB protocol), NFS support, file sync, and hybrid scenarios.
  • Managed Disks: Disk types (Standard HDD, Standard SSD, Premium SSD, Ultra Disk), snapshots, disk encryption, and disk migration.
  • Storage Security: Shared access signatures (SAS), access keys, Azure Storage encryption, and Azure Key Vault integration.
  • Storage Monitoring: Storage Analytics, metrics, and logging.

Critical Concepts to Master

Replication and redundancy are heavily tested. Understand the differences between LRS (locally redundant storage, 3 copies in one datacenter), GRS (geo-redundant, copies to secondary region), and RA-GRS (read access to secondary region). Know that GRS and RA-GRS provide higher durability but may have higher latency and costs.

Lifecycle management is another key topic. You must understand how to create policies to automatically move blobs between tiers or delete them based on age. This directly impacts cost optimization, a major exam theme.

Shared Access Signatures (SAS) are frequently tested in practical scenarios. Know the difference between account-level SAS and service-level SAS, and understand how to create SAS tokens with appropriate permissions and expiration times.

Study Tips for Domain 2

  • Create a storage account and manually upload blobs, configure lifecycle policies, and test tier transitions.
  • Generate SAS tokens and test access from different clients or applications.
  • Practice creating snapshots of managed disks and understand their use in disaster recovery.
  • Review Azure Storage pricing and practice calculating costs for different replication and access tier combinations.
  • Understand hybrid scenarios: integrating Azure Files with on-premises file servers using Azure File Sync.
  • Test storage account firewalls and private endpoints to secure access.

Domain 3: Deploy and Manage Compute Resources (20-25%)

Compute is the heaviest domain by weight. You must be proficient in Azure Virtual Machines, App Service, container services, and scale sets. This domain covers deployment, configuration, patching, and lifecycle management.

Key Topics and Services

  • Azure Virtual Machines: VM creation, sizing, networking configuration, extensions, custom script extensions, desired state configuration (DSC), and automation.
  • Availability and Scalability: Availability sets, availability zones, scale sets (VMSS), and auto-scale rules. Understand when to use each for redundancy and performance.
  • Azure App Service: App Service plans, deployment slots, scaling, and authentication.
  • Containers: Azure Container Instances (ACI), Azure Kubernetes Service (AKS), and container registries.
  • Azure Functions: Serverless compute, function triggers, bindings, and Azure Logic Apps.
  • Backup and Disaster Recovery: Azure Backup, backup vaults, recovery services vaults, and site recovery.
  • Compute Monitoring: Azure Monitor, diagnostic settings, and VM insights.

Critical Concepts to Master

Virtual Machine deployment and configuration is the most tested area. You need hands-on experience creating VMs with specific configurations, adding data disks, configuring network interfaces, and applying extensions. Custom Script Extensions and Desired State Configuration (DSC) are frequently tested for post-deployment automation.

Scale Sets (VMSS) are important for autoscaling scenarios. Understand how to create a scale set, define autoscale rules based on metrics, and update VMs within a scale set without downtime.

Availability is tested extensively. Know the differences between Availability Sets (logical grouping for fault domains) and Availability Zones (physically separate datacenters within a region). Understand when to use each.

Study Tips for Domain 3

  • Deploy multiple VMs using the Azure Portal, CLI, and PowerShell. Practice each method until you're comfortable.
  • Create a Virtual Machine Scale Set, configure autoscale rules, and test scaling by generating load.
  • Deploy applications using custom script extensions and understand idempotency.
  • Create a backup vault, configure backup policies, and practice recovery scenarios.
  • Deploy an App Service with multiple deployment slots and practice blue-green deployments.
  • Work with Azure Container Instances to understand containerized workloads.
  • Review disaster recovery scenarios: how would you design a highly available multi-region application?

Domain 4: Configure and Manage Virtual Networks (20-25%)

Virtual networking is foundational to Azure infrastructure. This domain is weighted heavily and covers VNets, subnets, routing, network security groups, load balancing, and connectivity options.

Key Topics and Services

  • Virtual Networks and Subnets: VNet design, address spaces, subnetting strategies, and service endpoints.
  • Network Security Groups (NSGs): Inbound and outbound rules, rule priorities, and Application Security Groups (ASGs).
  • Routing: User-defined routes (UDRs), system routes, route tables, and next hop types.
  • Network Peering: VNet peering, global peering, and transitive peering limitations.
  • VPN Connectivity: Site-to-Site VPN, Point-to-Site VPN, and Express Route.
  • Load Balancing: Azure Load Balancer (Layer 4), Application Gateway (Layer 7), and traffic management.
  • DNS: Azure DNS, private DNS zones, and DNS configuration.
  • Network Monitoring: Network Watcher, connection monitoring, and traffic analytics.

Critical Concepts to Master

Network Security Groups (NSGs) are central to network security in Azure. You need to understand how to create rules with appropriate priorities, understand the default rules, and troubleshoot access issues. Application Security Groups allow you to group VMs and apply NSG rules to the group rather than individual resources, simplifying management at scale.

User-Defined Routes (UDRs) are tested in complex networking scenarios. Understand how to create route tables, define routes with specific next hops, and apply them to subnets. Know the route priority and how Azure selects the most specific route.

VNet Peering is important for multi-VNet architectures. Know the difference between regional and global peering, understand transitive peering limitations (peering is not transitive by default), and how to enable service chaining.

Study Tips for Domain 4

  • Create multiple VNets with different address spaces and subnets. Practice VNet peering and verify connectivity.
  • Create NSGs and define rules to allow/deny traffic between subnets and from external sources. Test using Network Watcher connectivity checks.
  • Design a routing scenario: Create a route table that directs traffic through a network virtual appliance (NVA).
  • Deploy an Azure Load Balancer or Application Gateway and configure backend pools, health probes, and load balancing rules.
  • Configure DNS in Azure: Create a public DNS zone and a private DNS zone, and practice DNS resolution.
  • Use Network Watcher to troubleshoot connectivity issues and verify NSG rules are applied correctly.
  • Understand hybrid connectivity: Configure a Site-to-Site VPN connection between Azure and an on-premises network.

Domain 5: Monitor and Maintain Azure Resources (10-15%)

While this domain carries a lighter weight, monitoring and maintenance are critical operational skills. You must understand Azure Monitor, alerting, log analytics, and resource health.

Key Topics and Services

  • Azure Monitor: Metrics, diagnostic logs, diagnostic settings, and data collection rules.
  • Log Analytics: Workspaces, Kusto Query Language (KQL), and querying logs.
  • Alerting: Alert rules, action groups, and notifications.
  • Application Insights: Application monitoring, dependency tracking, and performance analysis.
  • Resource Health: Service health, resource health alerts, and health history.
  • Updates and Patching: Update Management, patch compliance, and maintenance windows.

Critical Concepts to Master

Azure Monitor is the platform for observability in Azure. Understand the difference between metrics (numerical data at time intervals) and logs (structured data for analysis). Know how to enable diagnostic settings on resources to send logs to Log Analytics.

Kusto Query Language (KQL) is used in Log Analytics and Application Insights. While you won't need to write complex queries, understanding basic query syntax and common operators is important for troubleshooting scenarios.

Alert Rules tie monitoring data to actions. Understand how to create metric-based alerts and log-based alerts, and how action groups deliver notifications or trigger automation.

Study Tips for Domain 5

  • Create a Log Analytics workspace and enable diagnostic logs from multiple resources (VMs, Storage, App Service).
  • Write basic KQL queries to retrieve and analyze logs. Practice filtering, aggregating, and visualizing data.
  • Create alert rules based on metrics and logs. Configure action groups to send email or trigger Azure Automation runbooks.
  • Deploy Application Insights to a web application and monitor performance metrics.
  • Review resource health and understand health history to identify patterns in service disruptions.
  • Practice using Update Management to assess patch compliance and schedule updates across multiple VMs.

Domain-by-Domain Study Strategies and Timeline

A strategic study plan maximizes retention and exam readiness. Here's a recommended approach based on domain weight and difficulty.

Week 1-2: Domain 1 (Identities and Governance)

Start with Entra ID and RBAC since they're fundamental to everything else. Build a solid understanding of identity concepts before moving to compute and networking. Spend time in the Azure Portal managing users, groups, and role assignments. Create lab scenarios where you implement least privilege access. Test your understanding by explaining why a user received an "access denied" error and how you'd fix it.

Week 3-4: Domain 3 (Compute Resources)

This domain is weighted heavily and requires hands-on practice. Deploy VMs, scale sets, and App Service instances. Practice post-deployment configuration using custom script extensions and DSC. Understand availability and disaster recovery concepts by designing multi-region solutions. Use the challenge labs included in your training to apply learning in realistic scenarios. Aim to deploy at least 5 different compute configurations from scratch.

Week 5-6: Domain 4 (Virtual Networks)

Network configuration is complex but heavily tested. Create multiple VNets, configure peering, and design NSG rules for real-world scenarios. Practice troubleshooting network connectivity issues using Network Watcher. Design a multi-tier application network with appropriate segmentation and security. Test each configuration to verify it works as intended.

Week 7: Domain 2 (Storage)

Storage is important but slightly less weighted than other domains. Create storage accounts with different replication strategies, configure lifecycle policies, and practice SAS token generation. Test access control and security settings. Understand pricing implications of your storage decisions.

Week 8: Domain 5 (Monitoring) and Comprehensive Review

Complete your preparation by mastering monitoring. Create Log Analytics queries, set up alerts, and understand Application Insights. Then review all five domains, focusing on areas where you feel less confident. Take practice exams, review incorrect answers, and study the explanations.

General Study Tips

  • Use Multiple Learning Methods: Combine video training, documentation reading, hands-on labs, and practice exams. Different methods reinforce understanding.
  • Focus on "Why" Not "How": Don't just follow steps; understand the business problem each feature solves. This helps with scenario-based questions.
  • Master the Azure Portal, CLI, and PowerShell: Exam questions reference the portal, but you should be comfortable with command-line tools. Practice all three interfaces.
  • Use Microsoft Learn Modules: Free, official content directly from Microsoft. These align perfectly with exam domains.
  • Read Azure Documentation: Official docs contain details often tested in scenario questions. Review best practices and limitations.
  • Take Challenge Labs Seriously: The 20-hour challenge labs included in your training simulate real exam scenarios. Complete these multiple times until you can solve problems confidently.
  • Practice with Real Scenarios: Create scenarios that combine multiple services. For example, "Deploy a scalable web application with a database, configure autoscaling, set up monitoring, and implement disaster recovery."
  • Track Your Progress: Keep a study journal. Record topics you've reviewed, hands-on practice completed, and areas needing more work. This prevents wasted study time.

Key Azure Services and Concepts Summary Table

Domain Core Service Key Concepts Testing Frequency
Domain 1 Azure Entra ID, RBAC Role assignment, policy, management groups Very High
Domain 2 Azure Storage Replication, tiers, SAS, lifecycle High
Domain 3 VMs, VMSS, App Service Deployment, scaling, availability, backup Very High
Domain 4 VNets, NSGs, Load Balancer Routing, peering, security rules, connectivity Very High
Domain 5 Azure Monitor, Log Analytics Metrics, logs, alerts, KQL queries Medium

Hands-On Lab Experience and Challenge Labs

The AZ-104 exam includes scenario-based questions and interactive labs that test practical skills. Your training includes 20 hours of challenge labs that mirror real exam scenarios. These labs are not optional, they're essential to your preparation.

Lab Strategy

Complete challenge labs multiple times. First, follow instructions step-by-step to understand the process. Then, attempt the lab again from memory, referring to documentation rather than step-by-step guides. Finally, complete the lab under time pressure, simulating the exam environment. This progression builds deep, lasting knowledge.

Common lab scenarios include deploying a multi-tier application with Azure VMs, configuring load balancing and autoscaling, implementing network security, and setting up monitoring and alerts. Each scenario combines multiple domains. By completing these labs, you develop the muscle memory and problem-solving skills needed to excel on the exam.

Post-Lab Review

After completing each lab, answer these questions: What was the business objective? What Azure services solved the problem? What configurations were critical? What could go wrong? This reflection deepens understanding and prepares you for exam scenario questions.

External Resources and Documentation

Supplement your training with official Microsoft resources. These provide the authoritative source of information and often contain details tested in the exam.

The DiviTrain Advantage

  • Expert tutor support available 24/7
  • MeasureUp Practice Exams (60 days access)
  • 365 days of access to all course materials
  • Challenge labs (20 hours) included

Our comprehensive AZ-104 training combines video instruction, interactive labs, and official practice exams to maximize your chances of passing on your first attempt. Hands-on learning through challenge labs ensures you're not just memorizing, you're building practical skills.

Explore AZ-104 Training

Exam Day Tips and Strategies

Success on exam day requires both knowledge and strategy. Here's how to perform your best.

Time Management

The exam gives you 120 minutes for 40-60 questions. That's approximately 2 minutes per question on average. Questions vary in complexity. Spend time on scenario-based and interactive questions, but don't get stuck. If a question is unclear, flag it, move on, and return later if time allows. Practice exams help you develop timing skills.

Question Strategies

Read each question carefully. Multiple-choice questions often include plausible but incorrect answers. Understand what the question is truly asking. For scenario questions, identify the business requirement first, then map it to Azure services. Elimination helps when you're unsure, eliminate obviously incorrect answers and reason through the remaining options.

Handling Interactive Labs

Some exam questions are interactive labs where you perform tasks in a live Azure environment. These test practical skills. Read the instructions carefully, perform tasks methodically, and verify your work. If you make a mistake, don't panic. Most labs allow multiple attempts or let you move past errors.

Pre-Exam Preparation

The day before, review key concepts from each domain. Get good sleep the night before. On exam day, eat a healthy breakfast and avoid caffeine that might cause jitters. Arrive early to your testing center to avoid stress. Read the exam instructions completely before starting.

Post-Exam

After the exam, you'll receive a pass or fail result immediately. If you pass, congratulations. If you don't, request a score report detailing your performance in each domain. Use this feedback to identify weak areas, study more intensively, and retake the exam. Most people pass on their second attempt after targeted study.

Preparing for the Microsoft Azure Administrator Role

The AZ-104 certification validates skills you'll actually use as an Azure Administrator. Understanding the role helps contextualize exam content and builds practical confidence.

Day-to-Day Responsibilities

Azure Administrators manage Azure resources, implement security policies, manage user access, provision and configure resources, and monitor system health. You'll troubleshoot issues, optimize performance and costs, and ensure compliance with organizational policies. The exam tests knowledge directly applicable to these responsibilities.

Career Advancement

The AZ-104 is an excellent stepping stone. Many professionals pursue Azure Security Engineer (AZ-500) or Azure Developer (AZ-204) certifications after achieving AZ-104. You might also explore other cloud specializations to broaden your expertise. The foundation from AZ-104 supports all advanced certifications.

Building Real-World Skills

Beyond the exam, deepen practical skills by managing a real Azure environment or a sandbox subscription. Deploy applications, configure monitoring, implement security, and optimize costs. This experience makes knowledge permanent and demonstrates competence to employers.

Frequently Asked Questions

Q1: What prerequisites do I need before taking the AZ-104 exam?

A: Microsoft recommends 6-12 months of hands-on Azure experience, though this isn't strictly required. You should be comfortable with IT concepts, networking basics, and command-line tools. Many successfully pass without extensive IT backgrounds through dedicated study and hands-on lab practice. Starting with Azure Fundamentals (AZ-900) helps if you're new to cloud computing.

Q2: How long does it typically take to prepare for the AZ-104 exam?

A: Most candidates spend 4-8 weeks preparing, studying 10-15 hours per week. The timeline depends on your background and learning pace. Those with existing Azure experience may complete preparation in 4 weeks, while those new to cloud might need 8-10 weeks. Consistency matters more than intensity. Regular study over 8 weeks outperforms cramming over 2 weeks.

Q3: What's the difference between Azure roles and Azure AD roles?

A: Azure roles (RBAC) control access to Azure resources like virtual machines and storage accounts. Azure AD roles (now Entra ID roles) manage identity and access functions like user management and application administration. Both are tested on AZ-104. Most exam questions about access control test RBAC, but you should understand both systems and when each applies.

Q4: Are the challenge labs exactly like the exam questions?

A: Challenge labs mirror the style and complexity of exam questions but aren't identical. They cover the same domains and test similar skills. Completing challenge labs multiple times builds the problem-solving muscle memory needed for exam success. While exam content is different, your ability to apply knowledge to new scenarios directly transfers.

Q5: Can I pass the AZ-104 without hands-on lab experience?

A: Theoretically possible but not recommended. Hands-on experience is crucial for scenario-based questions that make up a significant portion of the exam. The 20-hour challenge labs included in your training provide the practical experience needed. Don't skip labs. Even if you lack real Azure infrastructure, completing training labs ensures exam readiness.

Q6: How often can I retake the AZ-104 exam if I fail?

A: You can retake the exam after 24 hours from your first attempt. Microsoft doesn't limit retakes, but spacing them out gives time to study weaknesses. After a failed attempt, request a score report showing performance in each domain. Study those weak areas for 1-2 weeks, then retake. Most people pass on their second attempt after targeted study.

Q7: Is the AZ-104 certification valid worldwide, and what's the renewal requirement?

A: Yes, Azure certifications are globally recognized. The AZ-104 is valid for two years from the date you pass. To renew, you can either retake the exam or pass a related exam like AZ-500 or AZ-204. Microsoft Learn modules can help you stay current with Azure updates. Renewing ensures your credential reflects current platform knowledge.

Q8: What's the best way to study if I'm working full-time?

A: Dedicate 1-2 hours daily rather than full-day weekend study. Consistency is key for retention. Use morning or evening slots, study during commutes with mobile resources, and use lunch breaks for quick reviews. Spread 8 weeks of preparation across domains so each receives focused attention. Your training platform with 365-day access lets you study at your pace without time pressure.

About the Author

DiviTrain is an international IT learning platform with nearly 20 years of experience in professional IT training. Our courses are developed by Skillsoft, the global leader in enterprise learning, ensuring high-quality, industry-relevant content. You get access to hands-on practice labs, expert tutor support available 24/7, and official MeasureUp practice exams, all backed by DiviTrain's commitment to your certification success. Whether you're pursuing your first certification or advancing your career in cloud infrastructure, DiviTrain provides the complete tools, guidance, and support you need to succeed.

Structured Data

Terug naar blog

Start your career in IT with Divitrain

1 6