How difficult is the AZ-104 exam compared to AZ-900?
The AZ-104 is substantially harder than the AZ-900. Where AZ-900 tests conceptual understanding, AZ-104 requires hands-on experience with Azure services including virtual machines, virtual networks, storage accounts, and identity management. Most candidates need 80-120 hours of dedicated preparation, including significant lab time in a real Azure environment.
The Microsoft Azure Administrator Associate certification, earned by passing the AZ-104 exam, is one of the most sought-after cloud credentials in the industry. It validates that you can implement, manage, and monitor Azure infrastructure at a level that meets enterprise requirements. Unlike the entry-level AZ-900, the AZ-104 tests actual administrative skills through scenario-based questions that require you to know not just what Azure services do, but how to configure them correctly under specific constraints.
According to the 2024 Global Knowledge IT Skills and Salary Survey, Azure Administrator ranked among the top five highest-paying IT certifications in North America, with certified professionals reporting average salaries of $130,000-$155,000 per year. The demand for Azure administrators has grown alongside enterprise Azure adoption, which Gartner projects will continue expanding at double-digit rates through 2026.
This guide provides a comprehensive breakdown of the AZ-104 exam domains, the skills you need to develop, how to structure your preparation, and what to expect on exam day.
AZ-104 Exam Overview
The AZ-104 exam contains 40-60 questions and allows 180 minutes (3 hours). The passing score is 700 out of 1000. Exam formats include multiple choice, multiple select, drag-and-drop, and performance-based lab simulations where you complete tasks directly in a simulated Azure environment.
| Domain | Approximate Weight |
|---|---|
| Manage Azure identities and governance | 15-20% |
| Implement and manage storage | 15-20% |
| Deploy and manage Azure compute resources | 20-25% |
| Implement and manage virtual networking | 15-20% |
| Monitor and maintain Azure resources | 10-15% |
Verify current objectives at learn.microsoft.com/certifications/azure-administrator before scheduling, as Microsoft updates exam content periodically.
The performance-based lab questions are the element candidates most frequently underestimate. These tasks require you to complete specific configurations in a simulated Azure portal with a live-feeling interface. There is no partial credit -- tasks are either complete and correct or not.
Domain 1: Manage Azure Identities and Governance (15-20%)
Microsoft Entra ID (Azure Active Directory)
Microsoft Entra ID (Entra ID) is the cloud-based identity and access management service that underlies authentication for Azure, Microsoft 365, and thousands of third-party SaaS applications. As an Azure administrator, you must be able to manage users, groups, and service principals programmatically.
Key skills tested:
- Create and manage users: Including bulk user creation via CSV upload and PowerShell, setting usage location for license assignment, configuring self-service password reset
- Create and manage groups: Security groups versus Microsoft 365 groups, dynamic group membership rules using user attributes
- Manage licenses: Assigning Microsoft 365 and Azure AD P2 licenses to users and groups
- Configure external identities: B2B collaboration with guest users, cross-tenant access settings
Azure Role-Based Access Control (RBAC) governs what users and services can do with Azure resources. The exam expects you to understand the four built-in role levels:
- Owner: Full access including the ability to assign roles to others
- Contributor: Full access to create and manage resources, cannot assign roles
- Reader: View resources only
- User Access Administrator: Manage user access to resources, not the resources themselves
Custom roles can be created to meet specific permission requirements that built-in roles do not address. Understanding when to use custom roles versus built-in roles is a recurring exam question pattern.
Azure Policy and Management Groups
Management groups provide a governance scope above subscriptions. They allow organizations to apply policies and RBAC assignments that cascade to all subscriptions within the group.
Azure Policy enforces compliance by auditing resource configurations and preventing non-compliant resource creation. A policy definition specifies the rule. A policy assignment applies the rule to a scope (management group, subscription, or resource group). A policy initiative (also called a policy set) groups multiple policy definitions.
"Role-based access control and Azure Policy serve different purposes that administrators frequently confuse. RBAC controls what actions users can take. Azure Policy controls the state of resources regardless of who created them. Both are necessary for a complete governance model." -- Thomas Maurer, Senior Cloud Advocate at Microsoft, from the Azure Governance documentation series
Domain 2: Implement and Manage Storage (15-20%)
Storage Account Configuration
Azure storage accounts are the containers for Azure's data storage services. The exam tests your ability to configure storage accounts with specific security, replication, and performance requirements.
Storage account types:
- Standard general-purpose v2: Supports all storage services (Blob, Queue, Table, File), appropriate for most workloads
- Premium block blob: High-performance SSD storage for block blob scenarios requiring low latency
- Premium file share: SSD-backed file shares for enterprise file server workloads
- Premium page blob: SSD storage for virtual machine disks
Replication options (critical exam topic):
| Replication Type | Description | Copies |
|---|---|---|
| LRS (Locally Redundant Storage) | 3 copies in same datacenter | 3 |
| ZRS (Zone-Redundant Storage) | 3 copies across availability zones | 3 |
| GRS (Geo-Redundant Storage) | LRS + async copy to paired region | 6 |
| GZRS (Geo-Zone-Redundant Storage) | ZRS + async copy to paired region | 6 |
| RA-GRS | GRS + read access to secondary | 6 |
| RA-GZRS | GZRS + read access to secondary | 6 |
Blob storage access tiers apply to individual blobs or as account defaults: Hot, Cool, Cold, and Archive. Tier changes are applied immediately (Hot/Cool/Cold) or require rehydration time of up to 15 hours (Archive).
Storage Security
Shared Access Signatures (SAS) provide granular, time-limited access to storage resources without exposing account keys. Types include:
- User delegation SAS: Secured with Entra ID credentials (most secure)
- Service SAS: Grants access to specific storage service resources
- Account SAS: Grants access across multiple storage services
Storage firewall and virtual network rules restrict storage account access to specific VNet subnets or IP address ranges. The default action must be set to Deny for these rules to take effect.
Microsoft Entra authorization for blob and queue storage allows users and applications to authenticate with Entra ID rather than account keys or SAS tokens, enabling Azure RBAC to control storage permissions at the container and blob level.
Domain 3: Deploy and Manage Azure Compute Resources (20-25%)
This is the highest-weighted domain and covers virtual machines, app service, containers, and Azure Virtual Desktop.
Virtual Machine Administration
Azure VM administration at the AZ-104 level goes well beyond provisioning. The exam tests:
VM configuration: Choosing appropriate VM sizes (general purpose, compute-optimized, memory-optimized, storage-optimized, GPU), configuring OS and data disks, setting up availability sets and availability zones, and applying Azure Spot pricing for interruptible workloads.
VM extensions: Small applications deployed after VM provisioning to automate configuration and management tasks. Common extensions include Custom Script Extension (runs scripts), Azure Monitor Agent (sends metrics and logs), and Desired State Configuration (enforces OS configuration).
Azure VM Scale Sets (VMSS) automatically create and manage groups of load-balanced VMs that can scale based on demand or a defined schedule. The exam expects you to configure scaling policies, understand the difference between uniform and flexible orchestration modes, and troubleshoot scaling events.
Azure Dedicated Hosts provide physical servers dedicated to a single customer, required for compliance scenarios where shared hardware is not permitted and for organizations needing to bring their own licenses under BYOL agreements.
Azure App Service
App Service plans define the region, number, size, and pricing tier of virtual machine resources running your apps. Key exam topics:
- Scaling: Manual scaling within a plan, autoscale based on metrics, scale-out versus scale-up
- Deployment slots: Separate environments (staging, production) that can be swapped with zero downtime
- Custom domains and TLS certificates: Binding custom domain names and SSL/TLS certificates
- WebJobs: Background processing within an App Service context
- App Service Environment (
ASE): Fully isolated, dedicated infrastructure for running App Service apps at high scale or with strict network isolation requirements
"The single most common AZ-104 failure point I see is candidates who can answer conceptual questions about App Service but cannot configure it correctly under time pressure. The lab questions on the exam are where the real separation happens." -- Gregor Suttie, Microsoft MVP and Azure trainer, from his AZ-104 preparation blog
Container Services
The AZ-104 covers ACI (Azure Container Instances) for simple containerized workloads and AKS (Azure Kubernetes Service) for production orchestration. Key AKS topics include node pools, cluster upgrades, integration with Azure Container Registry, and network policies.
Domain 4: Implement and Manage Virtual Networking (15-20%)
VNet Design and Configuration
Azure Virtual Networks (VNets) are the foundation of Azure networking. Address space planning, subnet design, and network security are heavily tested.
Network Security Groups (NSGs) contain security rules that allow or deny inbound and outbound traffic to Azure resources. NSGs can be associated with subnets or individual network interfaces. Rules are processed in priority order (lower numbers first), and a default deny rule (priority 65500) exists for all NSGs.
Application Security Groups (ASGs) group VMs with similar functions, allowing NSG rules to reference groups rather than individual IP addresses. This simplifies rule management in large environments.
Connectivity Solutions
VNet peering connects two VNets directly, with traffic routed through the Microsoft backbone rather than the internet. Global VNet peering works across regions. Peering is non-transitive -- if VNet A peers with VNet B and VNet B peers with VNet C, VNet A cannot reach VNet C without a direct peering or hub-and-spoke routing configuration.
Azure VPN Gateway creates encrypted connections between VNets and on-premises networks over public internet. Point-to-site VPN connects individual client machines. Site-to-site VPN connects entire on-premises networks.
Azure DNS: The exam covers both Azure-provided DNS (automatic resolution for resources within a VNet) and Azure DNS Zones (hosting custom domain zones within Azure). Private DNS zones provide name resolution within VNets without requiring custom DNS servers.
| Feature | NSG | Azure Firewall |
|---|---|---|
| Layer | Layer 4 (TCP/UDP) | Layer 4 + Layer 7 |
| Scope | Subnet/NIC | Entire VNet hub |
| Application rules | No | Yes (FQDN filtering) |
| Centralized management | No | Yes |
| Cost | Free | ~$1.25/hour |
Domain 5: Monitor and Maintain Azure Resources (10-15%)
Azure Monitor Configuration
Azure Monitor collects data from two primary sources: metrics (numerical time-series data like CPU utilization and disk I/O) and logs (structured and unstructured data sent to Log Analytics workspaces).
Log Analytics workspaces store log data and power Azure Monitor's query capabilities. The query language is Kusto Query Language (KQL), a read-only SQL-like language optimized for log analytics.
The AZ-104 expects you to write basic KQL queries. A typical query:
AzureActivity
| where ActivityStatus == "Failed"
| summarize count() by ResourceGroup
| order by count_ desc
Azure Monitor Alerts trigger actions based on metric thresholds or log query results. Alert rules consist of a target resource, condition, and action group. Action groups define what happens when an alert fires: email notifications, SMS, Azure Functions, Logic Apps, or ITSM ticketing system integration.
Backup and Recovery
Azure Backup provides backup for Azure VMs, on-premises servers, SQL databases in VMs, Azure Files, and SAP HANA databases. The exam tests:
- Recovery Services vault configuration
- Backup policy definition (frequency, retention)
- Performing item-level restore from VM backups
- Azure Site Recovery for disaster recovery with defined RPO/RTO
Preparation Strategy
Lab Time Is Non-Negotiable
Unlike the AZ-900, you cannot pass the AZ-104 through reading and videos alone. The performance-based lab questions on the exam require muscle memory for portal navigation and CLI commands. Aim for 40-60 hours of hands-on lab time in a real Azure subscription.
Microsoft Learn provides free sandbox environments for specific exercises, but they are not sufficient alone. A personal Azure subscription (or employer-provided subscription) with $50-100 of credit per month provides the freedom to practice configurations that sandboxes restrict.
Study Resources
| Resource | Type | Best For |
|---|---|---|
| Microsoft Learn AZ-104 path | Free online course | Structured objective coverage |
| John Savill AZ-104 YouTube series | Free video | Deep conceptual understanding |
| A Cloud Guru / Cloud Academy | Paid subscription | Structured video + labs |
| MeasureUp practice exams | Paid | Question format familiarity |
| Microsoft Azure documentation | Free | Authoritative reference |
Recommended Study Timeline
A structured 10-12 week approach for candidates with 1-2 years of IT experience:
- Weeks 1-2: Identity and governance (Entra ID, RBAC, Azure Policy)
- Weeks 3-4: Storage accounts, Blob storage, file shares
- Weeks 5-7: Compute (VMs, VMSS, App Service, containers)
- Weeks 8-9: Networking (VNets, NSGs, VPN, load balancers)
- Week 10: Monitoring, backup, and maintenance
- Weeks 11-12: Full practice exams, review weak areas, lab reinforcement
"The AZ-104 is an administrator's exam in every sense. The candidates who fail are usually those who prepared as if it were a conceptual exam. Get your hands dirty in the portal. Break things. Fix them. That is the preparation this exam demands." -- Lars Klint, Microsoft MVP, from his AZ-104 study series
Frequently Asked Questions
Do I need the AZ-900 before taking AZ-104?
No. The AZ-104 has no formal prerequisites. However, the AZ-900 or equivalent knowledge of Azure fundamentals is strongly recommended. Candidates who attempt the AZ-104 without understanding basic cloud concepts and Azure architecture spend valuable study time filling foundational gaps instead of developing administrative skills.
How long is the AZ-104 certification valid?
The AZ-104 (Microsoft Azure Administrator Associate) certification is valid for one year from the date of passing. Microsoft requires annual renewal through a free online assessment available on Microsoft Learn. Failure to renew results in the certification expiring from your transcript.
What is the typical salary for an AZ-104 certified professional?
According to the 2024 Global Knowledge IT Skills and Salary Survey, Azure Administrator certified professionals in North America report average salaries between $130,000 and $155,000. In the United Kingdom, the range is approximately GBP 55,000-75,000. Salaries vary significantly based on industry, company size, total experience, and geographic location.
References
- Microsoft. "Exam AZ-104: Microsoft Azure Administrator." Microsoft Learn, 2024.
- Microsoft. "Azure Administrator Certification Study Guide." Microsoft Learn, 2024.
- Global Knowledge. "IT Skills and Salary Report 2024." Global Knowledge, 2024.
- Savill, John. "AZ-104 Complete Study Guide." John Savill's Technical Training, YouTube, 2024.
- Maurer, Thomas. "Azure Governance Best Practices." Microsoft Tech Community, 2023.
- Suttie, Gregor. "AZ-104 Study Notes and Lab Scenarios." Scottish Summit Blog, 2024.
- Gartner. "Cloud Infrastructure and Platform Services Market Forecast." Gartner Research, 2024.