How long does it take to study for AZ-104?
Most candidates need 6-10 weeks of dedicated study for the AZ-104 exam, assuming some prior experience with Azure or general IT administration. The exam tests hands-on skills across identity, storage, compute, networking, and monitoring, so lab practice is essential alongside reading. Candidates with strong on-premises sysadmin backgrounds typically require fewer weeks than those new to cloud environments.
The AZ-104 Microsoft Azure Administrator certification is the most in-demand role-based Azure credential and the standard qualification for professionals who manage Azure environments day-to-day. It validates the skills required to implement, manage, and monitor Azure infrastructure, including identity management, governance, storage, compute, virtual networks, and monitoring. Unlike the AZ-900 fundamentals exam, AZ-104 demands practical, hands-on experience with Azure services.
According to Microsoft's own certification statistics, AZ-104 consistently ranks among the top five most pursued technical certifications globally, and Azure Administrator roles command median salaries of $95,000-$130,000 in the United States. The exam costs $165 USD, contains 40-60 questions, and requires a passing score of 700 out of 1000.
This guide covers all five domains in the official AZ-104 exam objectives, provides study strategies, and explains the concepts and skills most heavily tested on the exam.
Exam Overview and Structure
| Detail | Information |
|---|---|
| Exam Code | AZ-104 |
| Full Name | Microsoft Azure Administrator |
| Number of Questions | 40-60 |
| Time Limit | 120 minutes |
| Passing Score | 700/1000 |
| Cost | $165 USD |
| Prerequisites | AZ-900 recommended but not required |
| Question Types | Multiple choice, case study, drag-and-drop, labs |
| Renewal | Required every 12 months via free online assessment |
The exam is divided into five domains:
- Manage Azure identities and governance (15-20%)
- Implement and manage storage (15-20%)
- Deploy and manage Azure compute resources (20-25%)
- Implement and manage virtual networking (25-30%)
- Monitor and maintain Azure resources (10-15%)
"AZ-104 is not an exam you can pass by reading alone. Microsoft specifically designs questions around scenarios that require you to have actually clicked through the portal, run Azure CLI commands, or written ARM templates. Candidates who skip labs consistently underperform." -- Gregor Suttie, Microsoft MVP and Azure Trainer
Domain 1: Manage Azure Identities and Governance (15-20%)
Azure Active Directory (Azure AD / Entra ID)
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. Administrators must understand how to manage users, groups, and external identities.
Key concepts tested in this domain:
- User accounts: Creating and managing user accounts in Entra ID, including bulk operations via CSV import and PowerShell
- Group types: Security groups (for assigning permissions) and Microsoft 365 groups (for collaboration). Dynamic groups use rules to automatically assign membership based on user attributes.
- Guest access: Inviting external users (B2B) through Azure AD B2B collaboration
- Role-Based Access Control (RBAC): Assigning Azure roles at different scopes (management group, subscription, resource group, resource)
- Administrative Units: Delegating admin tasks to specific subsets of the organization
Azure Subscriptions and Management Groups
The Azure hierarchy works as follows: Management Groups > Subscriptions > Resource Groups > Resources.
Management Groups allow you to apply governance policies and RBAC assignments across multiple subscriptions simultaneously. They support up to six levels of hierarchy below the root.
Subscriptions serve as billing and management boundaries. An administrator may manage multiple subscriptions and must understand how to move resources between subscriptions.
Azure Policy
Azure Policy helps enforce organizational standards and assess compliance at scale. Policies can audit, deny, append, or deploy configurations. Policy definitions can be grouped into initiatives (policy sets) for comprehensive compliance management.
"Azure Policy is one of the most underestimated tools in the Azure governance toolkit. It is the mechanism by which organizations enforce compliance at scale without relying on human review of every resource deployment." -- Karl Ots, Azure Governance MVP
Resource Locks
Resource locks prevent accidental deletion or modification. There are two lock types:
- CanNotDelete: Users can read and modify but cannot delete the resource
- ReadOnly: Users can read but cannot modify or delete the resource
Domain 2: Implement and Manage Storage (15-20%)
Azure Storage Account Types
| Storage Account Type | Supported Services | Use Case |
|---|---|---|
| Standard general-purpose v2 | Blob, File, Queue, Table | Most common; recommended for most scenarios |
| Premium block blobs | Blob only | High-transaction workloads requiring low latency |
| Premium file shares | File only | Enterprise file shares, NFS workloads |
| Premium page blobs | Blob (page blobs) | Azure virtual machine disks |
Blob Storage Access Tiers
Blob storage supports three access tiers that balance cost against retrieval speed:
- Hot tier: Highest storage cost, lowest access cost. For frequently accessed data.
- Cool tier: Lower storage cost, higher access cost. For data accessed less than once per month.
- Archive tier: Lowest storage cost, highest access cost and retrieval time (hours). For data rarely accessed, with rehydration required before reading.
Storage Security
Administrators must configure storage security through multiple mechanisms:
- Shared Access Signatures (SAS): Time-limited, permission-scoped tokens for delegating access to storage resources without sharing account keys
- Storage access keys: Master keys that grant full access to a storage account; should be rotated regularly
- Azure AD authentication: Role-based access using Entra ID identities, preferred over key-based access
- Private endpoints: Network-level isolation connecting storage accounts to a virtual network without public internet exposure
Domain 3: Deploy and Manage Azure Compute Resources (20-25%)
Virtual Machine Deployment
The AZ-104 exam heavily tests virtual machine administration. Key areas include:
- Selecting appropriate VM sizes (compute-optimized, memory-optimized, storage-optimized series)
- Configuring availability sets and availability zones for high availability
- Creating and managing VM extensions for post-deployment configuration
- Understanding the difference between managed and unmanaged disks
- Configuring VM scale sets for automatic horizontal scaling
Azure App Service
Azure App Service is a PaaS platform for hosting web applications. Administrators must understand:
- Creating and configuring App Service plans (pricing tiers F1 through P3)
- Deployment slots for staging environments and blue-green deployments
- Auto-scaling rules based on metrics like CPU percentage and request count
- Custom domain configuration and SSL/TLS certificate binding
Azure Container Instances and AKS
The exam includes container workloads. Azure Container Instances (ACI) provides simple, serverless container execution. Azure Kubernetes Service (AKS) provides managed Kubernetes for orchestrated container workloads. Administrators should understand when to choose each service and basic AKS cluster management.
"Virtual machine scale sets are one of the most heavily tested compute topics on AZ-104. Candidates must understand not just how to create them but how scaling policies work, how to configure rolling upgrades, and how to troubleshoot instances that fail health checks." -- Microsoft Certified Trainer community guidance
Domain 4: Implement and Manage Virtual Networking (25-30%)
Virtual Networks and Subnets
Azure Virtual Networks (VNets) are the fundamental networking building block. Key exam topics:
- Creating VNets with appropriate address spaces (CIDR notation required)
- Subnetting within VNets and understanding reserved IP addresses per subnet
- Network Security Groups (NSGs): Stateful packet filters applied to subnets or individual NICs. Rules are evaluated by priority (lower number = higher priority).
- Application Security Groups (ASGs): Logical groupings of VMs for NSG rule simplification
VNet Connectivity
- VNet Peering: Connecting VNets within the same or different regions. Traffic between peered VNets stays on the Microsoft backbone. Peering is non-transitive by default.
- VPN Gateway: Site-to-site VPN for connecting on-premises networks to Azure VNets using IPsec/IKE tunnels
- ExpressRoute: Private, dedicated connectivity between on-premises networks and Azure through a connectivity provider, bypassing the public internet
- Azure Bastion: Managed jump host service providing RDP/SSH access to VMs without exposing public IP addresses
Azure DNS and Load Balancing
Azure DNS hosts DNS zones within Azure. Administrators must configure DNS records for Azure services and custom domains.
Load balancing options and their use cases:
| Service | Layer | Use Case |
|---|---|---|
| Azure Load Balancer | Layer 4 (TCP/UDP) | Internal or public load balancing for VMs |
| Application Gateway | Layer 7 (HTTP/HTTPS) | Web application load balancing with WAF capability |
| Azure Front Door | Layer 7 (global) | Global HTTP load balancing with CDN and WAF |
| Traffic Manager | DNS-based | Cross-region traffic routing and failover |
Domain 5: Monitor and Maintain Azure Resources (10-15%)
Azure Monitor
Azure Monitor is the central monitoring platform for Azure resources. It collects:
- Metrics: Numerical, time-series data about resource performance (CPU percentage, disk IOPS, network throughput)
- Logs: Structured data from Azure resources, applications, and operating systems, stored in Log Analytics workspaces
- Activity log: An audit trail of all subscription-level operations (who did what, when, from where)
Alerts and Notifications
Administrators configure alert rules that trigger based on metric thresholds or log query results. Alert rules specify:
- A target scope (subscription, resource group, specific resource)
- A condition (metric threshold or log query)
- An action group (who to notify and how: email, SMS, webhook, Azure Function)
Azure Backup and Site Recovery
Azure Backup provides cloud-native backup for VMs, databases, files, and on-premises workloads. Azure Site Recovery (ASR) provides disaster recovery orchestration, enabling VM replication between Azure regions or from on-premises to Azure.
Recommended Study Plan
A structured 8-week study plan for AZ-104:
- Weeks 1-2: Identity and governance domain. Complete Microsoft Learn path for AZ-104 identity modules. Lab: Create users, groups, assign RBAC roles.
- Weeks 3-4: Storage and compute domains. Focus on blob access tiers, SAS tokens, VM creation, and App Service. Lab: Deploy a VM scale set with custom auto-scaling rules.
- Weeks 5-6: Virtual networking domain (the heaviest domain). Lab: Deploy a hub-and-spoke VNet topology with NSGs, VNet peering, and a VPN Gateway.
- Week 7: Monitoring domain and review. Set up Azure Monitor alerts, configure Log Analytics workspace, review all weak areas.
- Week 8: Practice exams and lab review. Target 80%+ on practice tests before scheduling the real exam.
Frequently Asked Questions
How many questions are on the AZ-104 exam? The AZ-104 exam contains 40-60 questions including multiple choice, case studies, and sometimes a hands-on lab section. Case studies present a scenario with multiple related questions. Labs require you to complete tasks directly in a live Azure environment within the exam interface.
Does AZ-104 expire? Microsoft role-based certifications require annual renewal through a free online assessment available on Microsoft Learn 180 days before expiration. You do not need to pay or retake the full exam to renew, but you must complete the renewal assessment before the expiration date.
What is the best way to practice for AZ-104? The most effective preparation combines Microsoft Learn modules (free), hands-on Azure labs (use the free $200 credit from a new Azure account or free-tier resources), and quality practice exams. John Savill's AZ-104 study playlist on YouTube is widely recommended by the community. Aim for at least 20-30 hours of hands-on lab time before taking the exam.
References
- Microsoft. (2025). Exam AZ-104: Microsoft Azure Administrator. https://learn.microsoft.com/en-us/credentials/certifications/exams/az-104/
- Microsoft. (2025). AZ-104 Study Guide. https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104
- Suttie, G. (2024). AZ-104 Azure Administrator Exam Guide. Packt Publishing.
- Savill, J. (2025). AZ-104 Microsoft Azure Administrator Study Cram. YouTube / NTFAQGuy channel.
- Global Knowledge. (2025). IT Skills and Salary Report. https://www.globalknowledge.com/us-en/resources/resource-library/articles/it-skills-and-salary-report/
- Microsoft Azure. (2025). Azure Documentation: Virtual Networks. https://learn.microsoft.com/en-us/azure/virtual-network/