AZ-104 Overview — Format, What’s Tested & How to Prepare

Everything you need to know before taking Microsoft Azure Administrator (AZ-104): format and scoring, who it’s for, skills measured by domain, and a focused study plan that maps to our syllabus and practice tests.

Exam snapshot

  • Certification: Microsoft Azure Administrator (AZ-104)
  • Audience: Admins/engineers operating Azure workloads day-to-day (identity, compute, storage, networking, monitoring)
  • Experience target: ~6–12 months hands-on with Azure services and the Portal/CLI
  • Format: Multiple choice/multiple response, case sets, drag-and-drop, and short task-style questions
  • Timing: ~2 hours total appointment; question count varies by delivery form
  • Passing: Scaled score 700 (0–1000)

How to use this hub: Skim this Overview, then study the Syllabus objective-by-objective. Keep the Cheatsheet open for last-mile recall, and validate with Practice under timed conditions.


What AZ-104 measures (by domain)

1) Manage Azure identities, governance & access

  • Microsoft Entra ID tenants, users, groups, administrative units
  • Role-Based Access Control (built-in roles, custom roles, scopes), PIM basics
  • Subscriptions, management groups, policies/initiatives, tags, locks, landing-zone guardrails

2) Implement & manage storage

  • Storage accounts, redundancy (LRS/ZRS/GRS/GZRS), lifecycle & access tiers
  • Blob (containers, immutability, SAS), Files (SMB/NFS, AD/Entra auth)
  • Encryption, keys, endpoints, private access, cost & performance tuning

3) Deploy & manage compute

  • VMs and scale sets (images, extensions, availability sets/Zones)
  • Azure Compute Gallery, update/fault domains, backup & restore
  • Containers at admin level (ACR, ACI) and basics of App Service administration

4) Configure & manage virtual networking

  • VNets/subnets, IP addressing, NSGs/ASGs, routing/UDRs
  • Private Endpoints/Private Link, service endpoints, DNS, Bastion
  • Load balancing (LB/App Gateway/Front Door at admin depth), VPN/ExpressRoute fundamentals

5) Monitor, back up & maintain

  • Azure Monitor (metrics, alerts, action groups), Log Analytics & KQL basics
  • Update management, change tracking, inventory, Desired State/Guest Config overview
  • Backup/restore and recovery points; availability & resilience considerations

What’s actually hard on AZ-104

  • Scope creep: RBAC vs Policy vs Locks—know what each controls and where (resource → resource group → subscription → management group).
  • Private access patterns: When to choose Private Endpoint vs service endpoints; DNS plumbing for private access (zones, split-horizon).
  • Resilience knobs: Availability Sets vs Zones vs Scale Sets; SKU/region support and how it affects designs.
  • Storage trade-offs: Redundancy classes, access tiers, lifecycle rules, and cost/perf impacts.
  • Monitoring workflows: Metric vs log alerts, action groups, and “where the data lives” (workspace vs resource).

Readiness checklist

  • I can assign RBAC at the correct scope and verify effective permissions.
  • I can harden storage (private access, shared keys vs SAS, role-based auth).
  • I can place subnets and secure with NSGs/ASGs; I understand UDRs and routing gotchas.
  • I can choose redundancy (Zones, LRS/ZRS/GRS, zone-redundant SKUs) for a target SLA.
  • I can wire up monitoring (metrics/logs, alerts, action groups) and read basic KQL.
  • I can back up and restore VMs and storage with appropriate policies/retention.

Study plan (2–3 weeks, part-time)

Week 1 — Identity & Governance + Storage

  1. Syllabus: Identities/RBAC/Policy.
  2. Lab: create a sandbox subscription, RGs, tags, policies/initiatives, and RBAC assignments.
  3. Storage: create 2–3 storage accounts (different redundancy), enable lifecycle rules, set up a Private Endpoint and test access.

Week 2 — Networking + Compute

  1. VNets/Subnets/NSGs, UDRs, hybrid DNS (custom + Private DNS).
  2. Deploy VMs/Scale Sets with Zones; attach data disks; configure extensions; enable backups.
  3. Load balancing: internal vs public, health probes/rules; try App Gateway or Front Door end-to-end.

Week 3 — Monitoring & Review

  1. Azure Monitor + Log Analytics: build dashboards, alerts (metric + log), and action groups; practice KQL queries.
  2. Resilience review: redundancy options, region/zone implications; run a simple restore drill.
  3. Full Practice set, then targeted sprints on weak domains.

Exam-day tactics

  • First pass fast: Answer what you know; flag the rest and circle back.
  • Sketch the scope: For networking/storage scenarios, diagram resources, scopes, and endpoints.
  • Eliminate safely: Remove answers that violate least privilege, break SLA, or ignore zone-awareness.
  • Think operations: Prefer solutions that are operationally simple, cost-sensible, and auditable.
