The Microsoft AZ-104: Azure Administrator Associate certification is designed to validate a professional’s ability to manage cloud services in Microsoft Azure. It focuses on key administrative tasks such as configuring, managing, and monitoring identity, governance, storage, compute, and networking resources within Azure. This exam is a cornerstone for individuals who support the infrastructure and operations within an Azure environment.
Azure administrators are responsible for implementing and maintaining services that support cloud operations. This includes the configuration of resources, user access control, backup strategies, performance tuning, and cost management. The AZ-104 certification demonstrates that the holder possesses a strong foundation in managing Azure infrastructure efficiently, securely, and in alignment with best practices.
Target Audience and Professional Relevance
The AZ-104 certification is intended for IT professionals who are actively managing Azure resources and infrastructure. This includes roles such as system administrators, infrastructure engineers, cloud support technicians, and network administrators who interact with Azure on a regular basis.
For those transitioning from on-premises infrastructure management to cloud-based environments, the AZ-104 serves as an excellent entry point into the Microsoft Azure ecosystem. It equips professionals with essential cloud administration skills and prepares them to take on more complex Azure roles in the future. Earning this certification signals a commitment to staying current with modern IT practices and cloud technologies.
Career-wise, certified Azure administrators often move into higher-level cloud architecture, security, or DevOps positions. Many organizations prioritize hiring certified professionals because the credential demonstrates practical, real-world knowledge of Azure services and operations.
Skills and Knowledge Required
To be successful in the AZ-104 exam, candidates should have hands-on experience with Azure. This includes practical knowledge in areas such as:
- Managing Azure identities using Microsoft Entra ID (formerly Azure Active Directory)
- Configuring and managing virtual networks, including subnets and security rules
- Implementing storage solutions such as blob storage, file shares, and backup vaults
- Deploying virtual machines and managing compute resources
- Monitoring resources using Azure Monitor and related tools
- Applying governance and compliance measures through policies, resource locks, and role-based access control (RBAC)
While Microsoft does not list formal prerequisites, it recommends that candidates have at least six months of experience with Azure administration and a solid understanding of core Azure services.
Additionally, knowledge of PowerShell, Azure CLI, and the Azure portal is highly beneficial. Familiarity with networking, virtualization, identity management, and backup and recovery concepts helps in understanding the breadth of topics covered in the exam.
Exam Format and Duration
The AZ-104 exam consists of 40 to 60 questions and has a duration of 120 minutes. The format includes various types of questions, such as:
- Multiple-choice and multiple-response
- Drag-and-drop configuration tasks
- Scenario-based case studies
- Interactive questions involving Azure interface simulations
Candidates are scored on a scale of 1 to 1000, with 700 being the minimum passing score. There is no penalty for incorrect answers, which means it’s advantageous to attempt all questions.
The exam is regularly updated to align with the evolution of Azure services. Microsoft publishes an outline that details the domains and their relative weights in the exam. The exam can be scheduled through an official exam provider and is available both online and at test centers.
Cost and Global Recognition
The AZ-104 exam typically costs USD 165, though prices may vary slightly depending on your region. Despite the cost, it is considered a valuable investment by IT professionals due to its high return in terms of career growth and job opportunities.
Microsoft Azure certifications are recognized globally. Earning the AZ-104 helps differentiate candidates in competitive job markets by providing a standardized and validated measure of Azure expertise. It also opens the door to more advanced Microsoft certifications that build upon the AZ-104’s foundational knowledge.
Importance of Hands-On Experience
One of the key components of AZ-104 preparation is practical experience. Azure is a dynamic platform where theoretical understanding must be complemented by hands-on application. Candidates are expected to perform administrative tasks efficiently, which means knowing how to:
- Navigate the Azure portal
- Use Azure PowerShell and CLI for automation.
- Configure services and troubleshoot issues in real-time
- Optimize resources for performance and cost-efficiency
Working in a sandbox or a free-tier Azure subscription can provide valuable exposure. Microsoft also offers interactive labs that mimic real-world scenarios and help reinforce learning through experience.
Why the AZ-104 Certification Matters
Cloud adoption continues to grow across industries, making cloud-related certifications increasingly valuable. The AZ-104 certification specifically addresses the operational and administrative aspects of Azure, ensuring certified professionals can:
- Manage and monitor Azure infrastructure effectively
- Implement governance and compliance strategies.
- Troubleshoot common Azure service issues
- Optimize cost and performance across the workload.s
For organizations, hiring AZ-104 certified professionals means having staff who can support and maintain a secure, scalable, and well-governed Azure environment. For individuals, it provides recognition, job security, and a pathway to more advanced cloud careers.
In summary, the AZ-104 certification is a vital credential for IT professionals involved in Azure administration. It offers:
- A solid foundation in managing Azure services
- Practical skills in computing, networking, identity, and storage
- Recognition by employers and peers
- A springboard to more advanced certifications
Preparing for the AZ-104 requires a mix of theoretical study and hands-on experience. With the right preparation strategy, this certification can significantly enhance your professional credibility and open new career opportunities in the cloud domain.
Overview of Identity and Access Management in Azure
Azure identity and access management play a vital role in securing and organizing cloud infrastructure. It ensures that users, groups, and applications have appropriate access to Azure resources. Microsoft Entra ID, previously known as Azure Active Directory, serves as the foundation for identity services in Azure. It provides tools for authentication, access management, directory services, and identity protection.
Administrators rely on Microsoft Entra ID to manage user and group identities, configure access control through roles, and enforce governance using policies and structures. The ability to control who has access, and to what, forms the backbone of enterprise-grade cloud management.
Creating and Managing Users and Groups
Managing users and groups is a core administrative task in Microsoft Entra ID. Users can be created individually through the portal, scripted using PowerShell, or synchronized from on-premises directories via Azure AD Connect. Group management allows administrators to organize users based on function or department, simplifying permission management and resource access.
Groups in Microsoft Entra ID include security groups, which manage access to Azure resources, and Microsoft 365 groups, used primarily for collaboration. Dynamic groups use attribute-based rules to automatically include or exclude users, reducing manual administration. Group-based licensing helps streamline the assignment of service access and features.
External or guest users can also be managed through Azure AD B2B, enabling secure collaboration with users outside the organization. Guest user access can be controlled using access reviews, conditional access policies, and identity governance tools.
Managing Role Assignments and Permissions
Role-Based Access Control (RBAC) enables precise control over who can perform actions within Azure. Roles define a set of permissions, and assignments grant those permissions at specific scopes such as the management group, subscription, resource group, or resource level.
Azure provides built-in roles like Owner, Contributor, and Reader, each designed for different levels of access. Service-specific roles allow more granular control, and custom roles can be created when necessary.
Understanding and interpreting role assignments are essential. Administrators should regularly review who has what permissions and at what scope. Tools such as the Azure portal, CLI, and PowerShell can be used to assign roles and verify effective access.
Implementing and Managing Azure Policies
Azure Policy helps enforce governance by defining rules that resources must comply with. Policies can restrict resource types, enforce tag usage, control locations, and ensure configuration standards are met.
Policies are assigned at different scopes and evaluated automatically. When a resource violates a policy, Azure can deny the request, log the event, or attempt to remediate the issue using policy initiatives or assignments with remediation tasks.
Administrators must be able to create and manage policy definitions, assign them to the correct scopes, and review compliance results. Proper use of Azure Policy ensures consistency, regulatory compliance, and operational standards across the environment.
Applying Resource Locks and Tags
Resource locks prevent accidental deletion or modification of critical resources. Two types of locks are available: ReadOnly and CanNotDelete. These locks override user permissions and are essential for protecting key assets like virtual machines, storage accounts, and production services.
Tags allow administrators to organize resources by applying metadata to them. Tags consist of key-value pairs that help with categorization, cost tracking, and automation. Examples include tagging by department, environment, or project.
Managing resource tags and locks helps ensure that resources are not only organized but also protected. Best practices include enforcing tagging policies and applying locks to sensitive resources through automation or policy enforcement.
Organizing with Management Groups and Subscriptions
Azure Management Groups provide a way to organize subscriptions into a hierarchy for governance and policy application. Policies, role assignments, and budgets can be applied at the management group level and inherited by all associated subscriptions.
Multiple subscriptions help isolate workloads, manage billing, and control access. Administrators can move resources between subscriptions and group them logically for operational efficiency.
Understanding the use of management groups and subscriptions is critical for scaling Azure environments. It allows for better cost control, policy enforcement, and delegation of responsibilities.
Monitoring Costs and Budgets
Cost management in Azure includes monitoring usage, setting budgets, and receiving alerts when thresholds are crossed. Tools like Azure Cost Management and Azure Advisor provide recommendations to optimize spending and reduce waste.
Budgets can be set at different scopes, and alerts can notify stakeholders before overspending occurs. Azure Advisor analyzes usage patterns and offers guidance on right-sizing, reserved instance purchasing, and unused resource clean-up.
Managing Azure costs effectively ensures that the environment remains economically viable and aligned with business goals. This includes regularly reviewing consumption reports and leveraging alerts to enforce spending limits.
Automating Resource Deployment with ARM Templates and Bicep
Automation is a critical component of modern cloud infrastructure management. In Azure, administrators can deploy resources consistently using infrastructure as code (IaC) through Azure Resource Manager (ARM) templates and Bicep files. These tools allow users to define Azure resources in JSON (ARM) or a simplified domain-specific language (Bicep), ensuring repeatable and consistent deployments.
Understanding how to interpret and modify ARM templates or Bicep files is essential for the AZ-104 exam. Templates include sections for parameters, variables, resources, and outputs. Administrators must know how to deploy resources using these templates, either from the portal, Azure CLI, or PowerShell.
In real-world scenarios, these templates support rapid provisioning of environments across development, testing, and production. They also facilitate collaboration among teams and support version control through integration with source repositories.
Exporting a deployment to an ARM template or converting ARM to Bicep allows administrators to reverse-engineer configurations and document infrastructure state. Mastery of these tools improves automation, accuracy, and scalability in resource management.
Creating and Configuring Virtual Machines
Virtual machines (VMs) are one of the core compute offerings in Azure. They allow users to run Windows or Linux operating systems in isolated environments. Administrators must understand how to create, configure, and manage VMs through the portal, command-line tools, or automation templates.
Creating a virtual machine involves selecting an image, choosing a size, setting authentication, and configuring network settings. After deployment, administrators can add disks, configure network security groups, and enable diagnostic settings.
Moving a VM between resource groups, subscriptions, or regions requires planning, especially for dependencies and downtime. It can be performed using the Azure portal or scripting tools like PowerShell or Azure CLI.
VM sizing is crucial for performance and cost efficiency. Azure offers a wide range of VM series optimized for general-purpose, compute-intensive, memory-intensive, and storage-intensive workloads. Understanding how to scale VMs and manage availability with zones and sets is key for resilient architectures.
Using Azure Disk Encryption and Security Features
Securing virtual machines involves protecting the data at rest using Azure Disk Encryption. This feature integrates with Azure Key Vault to encrypt Windows and Linux VM disks with BitLocker or DM-Crypt technologies.
Administrators should know how to enable disk encryption during or after VM creation, rotate keys, and monitor encryption status. Security features also include Just-In-Time (JIT) VM access, update management, and endpoint protection integrations.
These security layers ensure that virtual machines comply with industry regulations and organizational policies, minimizing exposure to threats and unauthorized access.
Deploying and Managing VM Scale Sets
Azure Virtual Machine Scale Sets (VMSS) allow administrators to deploy and manage a group of identical VMs. These are useful for workloads that require scalability and high availability. VMSS automatically distributes VMs across availability zones and manages load balancing and health monitoring.
Administrators must know how to configure VM scale sets, define scaling rules, and monitor performance metrics. Scale sets can integrate with Azure Load Balancer and Application Gateway to ensure traffic is efficiently distributed.
Updates and patching can be orchestrated using rolling upgrade policies, reducing downtime and maintaining service continuity. VMSS supports both platform images and custom images, offering flexibility in deployment strategies.
Provisioning and Managing Containers
Containers provide a lightweight and efficient way to deploy applications. Azure supports containers through Azure Container Instances (ACI), Azure Container Apps, and Azure Kubernetes Service (AKS). While AKS is not the focus of the AZ-104 exam, understanding ACI and Azure Container Apps is essential.
Azure Container Instances allow rapid deployment of containers without managing infrastructure. Administrators can specify images, environment variables, ports, and volume mounts. ACI is ideal for short-lived or event-driven workloads.
Azure Container Apps offer features like autoscaling, Dapr integration, and microservice orchestration. These are suited for scalable and modern application deployments.
Managing container registries is also a key responsibility. Azure Container Registry (ACR) allows organizations to store and manage container images securely. Administrators must understand how to create ACRs, push and pull images, and integrate with CI/CD pipelines.
Configuring Azure App Service
Azure App Service is a fully managed platform for building, deploying, and scaling web apps. It supports .NET, Java, PHP, Python, and Node.js applications. App Service plans define the region, scaling options, and pricing tier.
Administrators need to know how to create App Service plans, deploy web apps, and configure settings such as authentication, custom domains, TLS/SSL bindings, and deployment slots.
Scaling options include manual, scheduled, or autoscaling based on metrics. Deployment slots allow seamless application updates by swapping environments with minimal downtime.
App backups can be configured for disaster recovery, and monitoring tools provide insights into performance and availability. Configuring VNet integration and hybrid connectivity further extends App Service capabilities.
Managing App Deployment and Maintenance
App Services support various deployment methods, including local Git, GitHub Actions, Azure DevOps, and FTP. Continuous Deployment (CI/CD) is a best practice for automating the release pipeline.
Administrators must understand how to manage configurations using App Settings and Connection Strings. These can be secured with Key Vault references and deployment slots to isolate environments.
TLS certificates are used to secure custom domain traffic. They can be issued by Azure or uploaded from third-party providers. Renewing and managing these certificates ensures uninterrupted, secure access.
Application performance can be optimized by enabling Application Insights, which provides telemetry and usage data. Regular updates, scaling reviews, and resource governance ensure reliable and cost-effective web app hosting.
Maintaining and Scaling Compute Resources
Monitoring compute resources includes tracking usage, availability, and performance. Azure Monitor and Log Analytics provide insights that help in identifying bottlenecks or underutilized resources.
Scaling options vary depending on the service. Virtual machines can be resized manually or configured for auto-shutdown and startup. App Services and containers can be auto-scaled based on demand metrics.
Maintenance includes applying updates, restarting services, and implementing disaster recovery strategies. Azure Update Management and Recovery Services Vault provide centralized tools for these operations.
Proper compute resource management ensures the environment remains responsive, secure, and within budget. It also supports business continuity through planned scaling and failover configurations.
Creating and Configuring Virtual Networks
Virtual networks in Azure are fundamental to enabling communication between resources. Administrators must understand how to create and configure virtual networks (VNets), subnets, and address spaces that meet organizational requirements. VNets are isolated network environments in Azure, and subnets allow segmentation of resources for better organization and security.
Creating a virtual network involves defining IP address ranges using CIDR notation, choosing a region, and establishing subnet divisions. Resources like virtual machines, application services, and databases are deployed within these networks.
Proper configuration includes associating network security groups, managing routing tables, and understanding limits such as the number of subnets or IP addresses. Azure provides built-in capabilities for peering and hybrid connectivity.
Implementing Virtual Network Peering and Public IPs
Virtual network peering enables communication between virtual networks in the same or different regions. This is often used for cross-region replication, segmentation of environments, or resource isolation with internal connectivity.
Peering allows resources to communicate using private IP addresses and is a cost-effective alternative to VPN connections. Administrators must configure both ends of the peering and ensure proper permissions.
Public IP addresses are used to expose resources to the internet. Azure provides dynamic and static IP options. Understanding when and how to assign public IPs is essential for services like load balancers and virtual machines.
Configuring Routing and Troubleshooting Connectivity
User-defined routes give administrators more control over how traffic flows in a virtual network. These routes override Azure’s default system routes and are useful in scenarios involving network appliances or forced tunneling.
Routing configuration must consider address prefixes, next-hop types, and effective route tables. Troubleshooting tools like Network Watcher can help diagnose connectivity issues using packet capture, connection troubleshooting, and flow logs.
Having a clear understanding of routing behavior and diagnostic methods is essential for managing a secure and reliable virtual network architecture.
Securing Virtual Networks with NSGs and ASGs
Network security groups (NSGs) control inbound and outbound traffic to Azure resources by applying security rules. Administrators can associate NSGs with subnets or network interfaces.
Rules are evaluated based on priority and define allowed or denied traffic using parameters such as source, destination, port, and protocol. Understanding how to interpret effective security rules helps in troubleshooting unexpected traffic behavior.
Application security groups (ASGs) simplify rule management by allowing dynamic grouping of resources. They work with NSGs to create more maintainable and scalable security models.
Implementing Azure Bastion and Private Access
Azure Bastion provides secure RDP and SSH connectivity to virtual machines without exposing public IP addresses. It acts as a jump server within the browser, enhancing security by removing the need for public inbound access.
To use Bastion, administrators must deploy the Bastion host in the same virtual network as the target VMs. Configuration includes setting up a subnet named AzureBastionSubnet and assigning permissions.
Private endpoints provide secure access to Azure PaaS services over the private virtual network. Services such as Azure Storage, SQL, and Web Apps can be accessed securely without traversing the public internet.
These features are part of a zero-trust architecture and help enforce tighter network boundaries in the cloud environment.
Managing DNS and Load Balancing Solutions
Azure DNS allows hosting of DNS domains and managing records without the need for traditional DNS servers. It provides fast resolution and global scalability. Custom DNS settings can be configured for virtual networks or individual VMs.
Internal and public load balancers distribute network traffic across multiple resources to ensure high availability and performance. Internal load balancers are used for traffic within virtual networks, while public load balancers handle internet-facing applications.
Administrators must understand how to create backend pools, health probes, and load balancing rules. Troubleshooting tools and metrics help diagnose performance issues or traffic misrouting.
Proper configuration of DNS and load balancing ensures seamless user experiences and resilient service architectures.
Interpreting Metrics and Logs with Azure Monitor
Azure Monitor provides comprehensive telemetry for analyzing the performance and health of Azure resources. It collects data from various sources such as metrics, logs, and activity data.
Metrics are numerical values representing resource health or usage, such as CPU utilization or memory usage. Logs provide detailed records of events and changes across resources. Together, they help administrators identify trends, set thresholds, and optimize resource performance.
Setting up custom dashboards and workbooks helps visualize key performance indicators. Regular monitoring enables proactive management of workloads and immediate detection of anomalies.
Configuring Log Settings and Alerts
Logs in Azure Monitor can be configured at different levels, including subscription, resource group, and individual resources. Administrators can route logs to Log Analytics, Event Hub, or storage accounts for retention and analysis.
Alert rules can be defined to notify administrators of specific conditions or thresholds. For instance, an alert may trigger if CPU usage exceeds 80% for five consecutive minutes. Alerts are connected to action groups, which determine notification channels like email, SMS, or automation scripts.
Advanced alerting includes dynamic thresholds and action rules that reduce noise and focus attention on high-priority events. These capabilities help maintain system health and service-level objectives.
Analyzing Resource Insights and Network Traffic
Azure Monitor Insights offers pre-configured dashboards for services like virtual machines, storage accounts, and application gateways. These provide targeted views and analytics tailored to specific resources.
VM Insights show performance metrics, installed applications, and dependency maps. Storage Insights offers capacity trends, latency, and transaction details. These insights are crucial for understanding resource behavior and capacity planning.
Network Watcher is used to monitor traffic flow, diagnose connection issues, and visualize network topology. Connection Monitor checks connectivity between endpoints, helping troubleshoot service dependencies and regional latency.
Collectively, these tools empower administrators to make data-driven decisions and ensure smooth operations.
Creating and Managing Backup Vaults
Azure Backup provides centralized management of backups using Recovery Services vaults and Backup vaults. Recovery Services vaults support VM backups, file backups, and workload-specific protection like SQL databases.
Administrators must configure backup policies, define retention periods, and set schedules for backup jobs. Backup jobs can be monitored from the Azure portal or using reports and alerts.
Backup vaults, a newer offering, support modernized backup features and management interfaces. Both vault types store recovery points that can be used for restoring data or entire virtual machines.
Proper backup management ensures that critical data can be recovered in case of accidental deletion, corruption, or disaster.
Performing Backup and Restore Operations
Backup operations include creating recovery points, restoring entire VMs, restoring individual files, and verifying the integrity of backups. Azure allows on-demand or scheduled backups.
Restoration can be performed at the original location or an alternate location, offering flexibility in disaster recovery scenarios. Administrators must monitor job completion status and resolve failures using logs and diagnostics.
Testing restore processes is a best practice to ensure that backup configurations meet business recovery objectives. Periodic drills verify that the system is prepared for real-world recovery demands.
Configuring Site Recovery and Failover
Azure Site Recovery (ASR) is a disaster recovery solution that replicates Azure virtual machines to a secondary region. It supports failover and failback scenarios to maintain service continuity during outages.
Administrators configure replication policies, select target regions, and perform initial replication. ASR continuously synchronizes changes to maintain consistency.
In the event of a regional failure, failover can be triggered manually or automatically. After recovery, a failback process restores services to the original region. Site Recovery supports critical applications that require high availability and minimal downtime.
Monitoring and Reporting Backup Health
Monitoring backups includes tracking success rates, failed jobs, and resource compliance. Azure provides built-in dashboards and integration with Log Analytics to view trends over time.
Alerts can be set for missed or failed backups, ensuring immediate action. Reports offer insights into storage usage, recovery point counts, and policy compliance.
Ongoing monitoring and auditing of backup jobs ensure that the backup strategy remains effective and aligned with regulatory requirements. These practices safeguard data and support business continuity planning.
Final Thoughts
Preparing for the Microsoft Azure Administrator Associate (AZ-104) certification is a comprehensive journey that requires a clear understanding of Azure services, real-world hands-on experience, and disciplined study practices. This exam validates your ability to manage Azure environments effectively, including infrastructure, networking, storage, security, and governance.
Throughout this guide, we’ve explored the core modules of the AZ-104 exam, delved into the technical skills expected from an Azure administrator, and reviewed the best strategies and tools for preparation. By mastering topics like identity and governance, virtual networking, compute resources, storage management, and monitoring, you are equipping yourself with the foundational skills necessary to not only pass the exam but to thrive in a cloud-based administrative role.
Beyond just passing the certification, the real value lies in understanding how to apply Azure solutions in real-world environments—automating deployments, securing resources, troubleshooting network issues, optimizing costs, and maintaining high availability.
As you move forward, remember that continuous learning is essential. Azure evolves rapidly, and staying current with updates, features, and best practices will keep your skills sharp and relevant. Make use of available learning platforms, community forums, documentation, and practice labs. Certification is not the end—it’s a stepping stone toward deeper specialization and broader roles in cloud architecture, DevOps, and security.
Approach your preparation with confidence, consistency, and curiosity. With the right mindset and methodical preparation, you’ll be well-positioned to not only succeed in the AZ-104 exam but also to make a meaningful impact in any Azure-based administrative role.