How difficult is the AZ-104 Azure Administrator exam?

The AZ-104 exam represents a significant step up in difficulty from foundational Azure certifications and demands hands-on experience with core Azure infrastructure services.

What does the AZ-104 exam test?

The AZ-104 exam tests knowledge of core Azure infrastructure services including virtual machines, networking, storage, identity, and governance through real-world administrative scenarios.

How long should I study for AZ-104?

Most candidates need 6-10 weeks of study for AZ-104 with a mix of theory, hands-on labs, and practice questions. Prior Azure experience can shorten this timeline significantly.

AZ-104 Azure Administrator Study Guide for 2026

By Macdara Ó Murchú · Founder, AzurePrep·Last reviewed 6 April 2026·12 min read·2,486 words

The AZ-104 exam represents a significant step up in difficulty from foundational Azure certifications. It demands hands-on experience with core Azure infrastructure services and real-world administrative scenarios. This comprehensive az-104 study guide for 2026 will walk you through the exam structure, key topics, and practical preparation strategies needed to pass with confidence.

Who Should Take the AZ-104 Exam

The AZ-104 is designed for Azure administrators and infrastructure professionals who manage cloud resources at scale. This certification appeals to several career paths:

IT administrators transitioning to cloud infrastructure
System administrators managing hybrid or cloud-only environments
Infrastructure engineers deploying Azure resources
Cloud administrators maintaining Azure deployments
DevOps engineers focusing on infrastructure automation
Network engineers implementing Azure networking solutions

Unlike the AZ-900 foundational exam, AZ-104 assumes you have practical experience deploying and managing Azure services. The exam tests your ability to handle real production scenarios, not just theoretical knowledge.

6Exam domainsOfficially defined skill areas

700Minimum passing scoreOut of 1000 points

$165Exam cost (USD)One attempt, USD list price

Exam Format and Scoring

Basic Structure

The AZ-104 is a 120-minute associate-level certification exam. Microsoft occasionally includes interactive labs (Azure sandbox environments) within the exam, so you must be prepared for both multiple-choice questions and hands-on scenario challenges.

Passing Score: 700 out of 1000 (approximately 70%)
Question Types: Multiple choice, multiple answer, drag-and-drop, case studies, and interactive labs
Duration: 120 minutes
Cost: $165 USD (varies by region in local currency)
Format: Remote or testing center
Prerequisite: No official prerequisite, but AZ-900 knowledge is recommended

The scoring is weighted across five domains, with some areas receiving significantly more attention than others.

The Five Exam Domains and Weightings

Microsoft structures the AZ-104 exam around five critical domains. Understanding the weightings helps you allocate study time appropriately.

Domain	Weight	Focus Areas
Manage Azure identities and governance	15-20%	RBAC, Entra ID, groups, administrative units, subscriptions
Implement and manage storage	15-20%	Blob storage, file shares, storage accounts, lifecycle policies, replication
Deploy and manage Azure compute resources	20-25%	Virtual machines, VMSS, containers, App Service, AKS basics
Implement and manage virtual networking	15-20%	VNets, NSGs, peering, gateways, DNS, private endpoints
Monitor and maintain Azure resources	10-15%	Azure Monitor, Log Analytics, alerts, backup, disaster recovery

Domain 1: Manage Azure Identities and Governance (15-20%)

This domain covers identity management and organizational governance in Azure. Many organizations struggle with proper RBAC implementation, making this a heavily tested area.

Key Topics:

Role-Based Access Control (RBAC): Understanding built-in roles (Owner, Contributor, Reader), custom roles, and scope inheritance. You must know how role assignments propagate through management groups and subscriptions.
Entra ID (formerly Azure Active Directory): User and group management, synchronization with on-premises Active Directory via Azure AD Connect, password policies, and Multi-Factor Authentication (MFA) configuration.
Administrative Units: Segmenting your Entra ID tenant to delegate administrative tasks to specific admins without granting tenant-wide permissions.
Subscription Management: Moving resources between subscriptions, managing billing accounts, applying policies, and cost allocation.
Azure Policy: Creating policy definitions to enforce organizational standards. You should understand policy effects (Deny, Audit, Append, Modify) and how to remediate non-compliant resources.
Management Groups: Organizing subscriptions hierarchically to apply governance policies at scale.

Study Focus: RBAC is the most tested topic in this domain. Practice assigning roles at different scopes and understanding permission inheritance.

Domain 2: Implement and Manage Storage (15-20%)

Azure Storage is fundamental to any Azure deployment. This domain tests practical storage implementation.

Key Topics:

Storage Account Types: Standard General-Purpose v2, Premium Block Blobs, Premium File Shares, and Premium Page Blobs. Know the performance characteristics and use cases for each.
Blob Storage: Block blobs for unstructured data, append blobs for logging scenarios, page blobs for VHD storage. Understanding blob tiers (Hot, Cool, Archive) and their access patterns is critical.
Azure Files: SMB protocol file shares for legacy application compatibility, NFS shares for Linux workloads. Know how to configure authentication (storage account keys, Entra ID, Kerberos) and how to restrict access via service endpoints.
Storage Lifecycle Policies: Automatically moving blobs between tiers based on age or access patterns. This reduces costs for data that starts hot but becomes infrequently accessed.
Replication Options: Locally-Redundant Storage (LRS), Zone-Redundant Storage (ZRS), Geo-Redundant Storage (GRS), and Read-Access Geo-Redundant Storage (RA-GRS). Understand the trade-off between redundancy and cost.
Shared Access Signatures (SAS): Creating time-limited, permission-limited tokens for accessing storage without exposing account keys.
Storage Security: Service endpoints, private endpoints, storage account firewalls, and Entra ID RBAC integration.

Study Focus: Lifecycle policies and replication options are frequently tested. You should be comfortable explaining when to use each replication strategy based on RTO and RPO requirements.

Domain 3: Deploy and Manage Azure Compute Resources (20-25%)

This is the heaviest weighted domain. It covers virtual machines, scaling, containers, and application hosting.

Key Topics:

Virtual Machines: Creating VMs, configuring sizes, selecting operating systems, managing disks (managed vs. unmanaged), and applying extensions. Know the difference between ephemeral and persistent disks.
Availability Sets and Zones: Understanding fault domains and update domains in availability sets. Availability zones provide better resilience than sets for modern deployments. Know when to use each.
Virtual Machine Scale Sets (VMSS): Deploying identical VMs that scale based on metrics or schedules. VMSS integrates with load balancers and should be your default choice for web farms.
App Service: Deploying web apps, APIs, and mobile backends. Understanding service plans (Free, Shared, Basic, Standard, Premium, Isolated), scaling options, and deployment slots.
Azure Kubernetes Service (AKS): Basic understanding of container orchestration, node pools, and cluster upgrades. You won't need deep Kubernetes knowledge, but familiarity with core concepts helps.
Container Instances: Running containerized applications without managing infrastructure. Know when Container Instances makes sense versus VMSS or AKS.
Batch Processing: Azure Batch for parallel workloads. Understanding job scheduling and compute node management.
Azure Functions and Logic Apps: Serverless execution models for event-driven workloads.

Study Focus: The az-104 study guide for 2026 heavily emphasizes VM management and VMSS. Availability sets versus zones is frequently tested and often misunderstood.

Domain 4: Implement and Manage Virtual Networking (15-20%)

Networking is complex but essential. Many administrators struggle with this domain.

Key Topics:

Virtual Networks (VNets): Creating VNets, designing subnets, understanding address spaces and private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Network Security Groups (NSGs): Creating inbound and outbound rules, understanding stateful filtering, and applying NSGs at subnet or NIC level. Know the difference between Allow and Deny rules and default rules.
VNet Peering: Connecting two VNets directly. Know the difference between regional peering and global peering, and understand transitive peering limitations. VNet peering is heavily tested.
VPN Gateway: Site-to-site VPN for connecting on-premises networks, point-to-site VPN for remote users, and ExpressRoute for dedicated connections. Understand gateway types (VpnGw1, VpnGw2, etc.) and SKUs.
Azure DNS: Creating DNS zones, adding records (A, AAAA, CNAME, MX, TXT), and using private DNS zones for internal name resolution.
Load Balancers: Azure Load Balancer for layer-4 load balancing, Application Gateway for layer-7application-aware routing, and Traffic Manager for global routing.
Private Endpoints: Connecting to PaaS services over private IP addresses instead of public endpoints. This is increasingly important for security.
Service Endpoints: Restricting PaaS service access to specific VNets at the firewall level without using private IP addresses.
Network Watcher: Diagnosing connectivity issues with connection monitor, packet capture, and flow logs.

Study Focus: VNet peering and NSG rule evaluation are the most tested networking topics. Practice designing multi-tier networks with proper segmentation.

Domain 5: Monitor and Maintain Azure Resources (10-15%)

This domain covers observability, backup, and disaster recovery.

Key Topics:

Azure Monitor: The platform for collecting metrics and logs from all Azure resources. Understand metrics (real-time performance data), logs (KQL queries against detailed event data), and diagnostic settings.
Log Analytics: The query engine for Monitor logs. You should be comfortable writing basic Kusto Query Language (KQL) queries to investigate issues.
Alerts: Creating alert rules based on metrics or log queries. Understanding alert states (New, Acknowledged, Closed) and notification actions.
Application Insights: Monitoring application performance and user behavior. Instrumentation for web applications and correlation of requests across components.
Azure Backup: Backing up VMs, databases, and file shares. Understanding recovery points, retention policies, and cross-region restore options. Soft delete for accidental deletion recovery.
Azure Site Recovery: Replicating workloads to a secondary region for disaster recovery. Understanding RPO (Recovery Point Objective) and RTO (Recovery Time Objective), failover procedures, and test failovers.
Update Management: Automating OS patching across Windows and Linux VMs. Integration with Change Tracking & Inventory.
Automation Accounts: Runbooks for automating administrative tasks. Understanding graphical and PowerShell-based runbooks.

Study Focus: The difference between Azure Backup and Site Recovery confuses many candidates. Backup protects against data loss; Site Recovery protects against region failure.

Infrastructure

AZ-900Azure FundamentalsFUND

AZ-104Azure AdministratorASSOC

AZ-305Solutions Architect ExpertEXPERT

Security

AZ-900Azure FundamentalsFUND

AZ-500Security Engineer Assoc.ASSOC

SC-100Cybersecurity ArchitectEXPERT

Developer

AZ-900Azure FundamentalsFUND

AZ-204Developer AssociateASSOC

AZ-400DevOps Engineer ExpertEXPERT

The Most Heavily Tested Topics

Community feedback and official exam materials reveal certain topics appearing more frequently:

RBAC and Role Assignments: Understanding scope inheritance, default role permissions, and custom role creation appears in nearly every exam version. Many questions disguise RBAC concepts within storage or networking scenarios.

VNet Peering: Peering connectivity, addressing requirements, and transitive peering limitations are tested extensively. Many candidates understand peering but miss edge cases around non-transitivity.

Availability Sets vs. Availability Zones: The distinction between these two concepts trips up many candidates. Understand fault domains, update domains, and when zones are required for higher availability.

NSG Rules and Evaluation Order: Knowing how NSGs evaluate inbound and outbound traffic, understanding default rules, and troubleshooting connectivity issues is essential.

Storage Account Redundancy and Failover: Understanding GRS, RA-GRS, and how failover works separates strong candidates from weak ones.

Azure Backup vs. Site Recovery: These serve different purposes and are frequently tested together in scenario-based questions.

Exam Difficulty and Comparison to AZ-900

The AZ-104 is significantly more difficult than AZ-900. While AZ-900 tests conceptual Azure knowledge, AZ-104 expects hands-on experience. Here is a realistic difficulty assessment:

AZ-900 tests what Azure services do
AZ-104 tests how to implement and troubleshoot Azure services
AZ-104 includes scenario-based questions requiring decision-making
AZ-104 may include interactive labs requiring actual Azure portal or CLI commands

Many candidates who easily pass AZ-900 fail AZ-104 due to insufficient practical experience. You cannot pass this exam on theory alone.

Recommended 8 to 12 Week Study Plan

Weeks 1-2: Foundation and Storage

Focus on understanding core concepts before diving into complex scenarios.

Study storage account types, blob storage, and file shares
Create multiple storage accounts in your Azure subscription
Practice creating and managing blob containers
Configure lifecycle policies
Understand replication options through documentation and lab work

Hands-on: Create a storage account, upload blobs, implement lifecycle policies moving blobs from Hot to Cool to Archive tiers.

Weeks 3-4: Networking Fundamentals

Networking is foundational for everything else.

Study VNets, subnets, and address spaces
Understand NSG rules and stateful filtering
Learn VNet peering architecture and limitations
Study load balancers and application gateways

Hands-on: Create two VNets, peer them, create NSGs with specific rules, and test connectivity between subnets.

Weeks 5-6: Identities and Governance

RBAC and Entra ID are prerequisites for understanding compute and storage access.

Study RBAC components: roles, scopes, assignments
Create custom RBAC roles
Understand Entra ID user and group management
Study Azure Policy and policy effects
Learn about management groups

Hands-on: Assign different roles to team members at different scopes, create custom roles, apply policies to subscriptions.

Weeks 7-8: Compute Resources

This is the most heavily tested domain.

Study VM sizing, availability sets, and zones
Understand VMSS configuration and scaling
Study App Service plans and scaling
Learn about containers and AKS basics

Hands-on: Create VMs in an availability set and zone, create VMSS with autoscaling policies, deploy App Service applications.

Weeks 9-10: Advanced Networking and VPN

Return to networking with deeper understanding.

Study VPN Gateway configuration
Understand site-to-site and point-to-site VPNs
Learn about private endpoints and service endpoints
Study Azure DNS and private DNS zones
Study Network Watcher diagnostics

Hands-on: Create a VPN gateway, configure site-to-site VPN, set up private endpoints for storage accounts.

Weeks 11-12: Monitoring, Backup, and Review

Complete your preparation with observability and disaster recovery.

Study Azure Monitor and Log Analytics
Write KQL queries to extract insights
Understand Azure Backup and retention policies
Study Site Recovery and disaster recovery scenarios
Review weak areas and practice questions

Hands-on: Configure backups for VMs, set up Site Recovery replication, create Monitor alerts, write KQL queries in Log Analytics.

Essential Hands-On Labs

Theory alone won't get you through this exam. These labs are non-negotiable:

Lab 1: Create and Configure Virtual Machines

Deploy Windows and Linux VMs with different sizes. Configure managed disks, add extensions, and practice connecting via RDP and SSH. Create availability sets and deploy VMs across them. This lab reinforces compute fundamentals.

Lab 2: Configure VNet Peering and Connectivity

Create two VNets with non-overlapping address spaces. Configure peering between them. Create NSGs with specific rules to allow and deny traffic. Test connectivity between VMs in peered networks. Troubleshoot connectivity issues. This lab is critical for networking proficiency.

Lab 3: Implement Azure Backup

Create VM snapshots, configure Azure Backup policies with different retention schedules, perform restore operations, and understand backup storage costs. Practice restoring individual files from VM backups.

Lab 4: Configure Storage Account Security

Create storage accounts with different redundancy options. Configure service endpoints and private endpoints. Create Shared Access Signatures with specific permissions and time limits. Practice restricting access using storage account firewalls and NSGs.

Lab 5: Create Load Balancing Solutions

Deploy VMs behind an Azure Load Balancer. Configure health probes and load balancing rules. Practice health probe configuration and understand how unhealthy backends are excluded from routing.

Lab 6: Configure Monitoring and Alerts

Create diagnostic settings on VMs to send logs to Log Analytics. Create metrics-based and log-based alert rules. Write KQL queries to extract specific information. Configure action groups for alert notifications.

Lab 7: Site Recovery Configuration

Enable Site Recovery replication for a VM to a secondary region. Configure replication policies. Perform test failovers. Understand the difference between planned and unplanned failovers.

Study Resources and Practice Questions

azureprep.com offers 1000+ free AZ-104 practice questions across multiple exam simulations. The platform includes:

Full-length practice exams with detailed explanations
Domain-specific question banks for focused study
Explanations referencing Microsoft documentation
Performance tracking to identify weak areas
Access to the azureprep.com community for discussion

Beyond practice questions, use these resources:

Microsoft Learn Modules: Official, free, interactive training for each domain
Azure Documentation: Reference for specific features, commands, and limitations
Microsoft Learn Sandbox: Free

Azure environment for hands-on practice without using your own subscription. Perfect for testing configurations and exploring Azure services safely.

Azure Architecture Center: Real-world scenarios and best practices for designing Azure solutions
GitHub Azure Samples: Code examples and templates for common Azure deployment scenarios

Final Exam Tips

Schedule your exam only after consistently scoring 85% or higher on practice tests. During the exam, read questions carefully and eliminate obviously incorrect answers first. Pay attention to keywords like "least cost," "most secure," or "minimum administrative effort" as they guide you toward the correct solution approach.

Time management is crucial - don't spend too long on any single question. Flag difficult questions for review and return to them after completing easier ones. Remember that Azure services evolve rapidly, so focus on fundamental concepts and general service capabilities rather than memorizing specific UI elements.

The AZ-104 Azure Administrator certification validates your ability to manage Azure subscriptions, implement storage solutions, configure virtual networking, and monitor Azure resources. Success requires combining theoretical knowledge with practical experience through hands-on labs and consistent practice with exam-style questions. Focus on understanding the "why" behind each Azure service and configuration option, not just memorizing steps.

Start your preparation today with free practice questions at azureprep.com.