Microsoft Azure Administrator (AZ-104) Study Guide and CLI Tips


The Microsoft Azure Administrator Associate certification, known by its exam code AZ-104, is aimed at professionals who manage cloud services that span storage, networking, compute, identity, and governance in Microsoft Azure. It replaces the earlier AZ-103 exam and reflects current industry needs for Azure administrators. Candidates are expected to have at least six months of hands-on experience with Azure and a solid understanding of core services and their functions.

The AZ-104 certification validates your ability to implement, manage, and monitor Azure environments. The exam is scenario-based, assessing both theoretical knowledge and practical experience. It requires a working knowledge of PowerShell, Azure CLI, the Azure portal, and ARM templates. This part focuses on preparing your mindset, understanding foundational concepts, and mastering Azure identity and governance.

Preparing for the AZ-104 Exam

To succeed in the AZ-104 exam, approach it as a test of real-world administrative skills rather than purely theoretical knowledge. Begin with understanding the structure of the exam and its domains. The five major domains include managing identities and governance, implementing and managing storage, deploying compute resources, configuring networking, and monitoring Azure resources.

Each domain carries a different weight, so tailor your preparation accordingly. For example, managing identities and governance accounts for roughly 20 to 25% of the exam. Develop both conceptual clarity and practical proficiency across all domains, and especially for those that carry higher weight.

Utilize a blend of documentation, lab exercises, and sample questions. As you study, build your own cheat sheet that outlines common commands, important service features, and decision-making frameworks. Avoid memorizing static facts. Instead, focus on understanding patterns and use cases.

Azure Identity and Governance Overview

Azure identity management is primarily handled through Microsoft Entra ID, formerly known as Azure Active Directory. It is a cloud-based identity and access management service. Understanding Entra ID is essential because almost all Azure services tie into it for authentication and authorization.

Identity in Azure is centered around user accounts, groups, service principals, and roles. Users and groups can be created manually or synchronized from an on-premises directory with Microsoft Entra Connect. Service principals are the identities that applications and automation use to authenticate. Managed identities are service principals whose credentials Azure creates and rotates for you, so a VM, function, or app can authenticate to other Azure services without a secret stored in code or configuration.

Governance tools help maintain compliance and organize resources efficiently. These include Azure Policy, resource locks, role-based access control (RBAC), tags, and management groups. Together, these tools allow administrators to enforce configuration standards, control access, prevent accidental deletion or modification, and categorize resources for billing or reporting.

Managing Users and Groups in Microsoft Entra ID

Begin by learning how to create users manually through the Azure portal and programmatically using CLI or PowerShell. Understand how to modify user properties such as licenses, roles, and group memberships. External users, often part of business-to-business (B2B) collaboration, can be added and managed similarly.

Groups are used to streamline permission management. You should know the difference between security groups and Microsoft 365 groups. Practice assigning licenses at the group level and configuring dynamic group rules that automatically include or exclude users based on attributes.

Microsoft Entra ID also supports self-service password reset (SSPR), which you configure through authentication methods and registration policies. Multifactor authentication (MFA) can be enforced through security defaults (tenant-wide, no customization), legacy per-user MFA, or Conditional Access. Conditional Access is the preferred mechanism: its policies define when MFA (or an outright block) applies, based on user or directory-role membership, device state, location, client app, or the sensitivity of the application being accessed.

Role-Based Access Control (RBAC) in Azure

RBAC is how you implement least privilege on Azure resources. Built-in roles such as Reader, Contributor, and Owner offer increasing levels of access; note that Contributor can create and change resources but cannot grant access (its NotActions exclude Microsoft.Authorization writes), while Owner can. Custom roles are JSON role definitions that list Actions, NotActions, DataActions, NotDataActions, and the AssignableScopes at which they may be assigned.

Permissions can be assigned at four scopes: management group, subscription, resource group, and individual resource. Assignments inherit downward: a role assigned at a higher scope applies to every nested resource. RBAC is additive, so a lower scope cannot remove permissions inherited from above; the only mechanism that blocks an otherwise permitted action is a deny assignment, which is evaluated before role assignments and takes precedence.

You should learn how to evaluate existing role assignments and use Azure tools to troubleshoot access issues: the Check access view on a resource, listing assignments with the CLI or PowerShell, and the activity log for who changed what. This includes understanding how effective permissions are calculated (the union of every role a principal holds directly or through group membership, at the resource or any scope above it), how deny assignments work, and how to audit access using the activity log.
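The evaluation described above, as a runnable toy model. This is an added example, not Azure's implementation or code from this guide: role assignments are additive and inherit down the scope tree (management group, subscription, resource group, resource), group membership is resolved transitively, and deny assignments are checked first and win. The management-group hierarchy, subscription ID, group, principals, and deny assignment are constructed sample data; the role definitions are cut down to the Actions and NotActions that matter here (Contributor's NotActions are the real ones).

```python
"""Toy model of Azure RBAC evaluation (added example; constructed sample data)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000001111"          # constructed
RG_APP = SUB + "/resourceGroups/rg-app"
RG_OTHER = SUB + "/resourceGroups/rg-other"
VM_APP = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
VM_OTHER = RG_OTHER + "/providers/Microsoft.Compute/virtualMachines/vm-db01"
SA_APP = RG_APP + "/providers/Microsoft.Storage/storageAccounts/stapp01"

MG_PARENT = {MG + "mg-prod": MG + "mg-root"}      # constructed management-group tree
MG_OF_SUBSCRIPTION = {SUB: MG + "mg-prod"}
GROUP_MEMBERS = {"sg-platform-ops": {"alice"}}     # constructed Entra group membership

# Subset of the built-in role definitions; Contributor's NotActions are the real ones.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Owner": {"actions": ["*"], "not_actions": []},
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str

@dataclass(frozen=True)
class DenyAssignment:
    principals: frozenset
    actions: tuple
    scope: str

def ancestors(scope):
    """Return scope plus every enclosing scope, up to the root management group."""
    parts = scope.strip("/").split("/")
    if parts[0] == "subscriptions":
        chain = ["/subscriptions/" + parts[1]]
        if len(parts) >= 4 and parts[2] == "resourceGroups":
            chain.append(chain[0] + "/resourceGroups/" + parts[3])
        if len(parts) > 4:
            chain.append(scope)
        parent = MG_OF_SUBSCRIPTION.get(chain[0])
    else:
        chain, parent = [scope], MG_PARENT.get(scope)
    while parent:
        chain.insert(0, parent)
        parent = MG_PARENT.get(parent)
    return chain

def principals_for(user):
    """The user plus every group containing it, transitively."""
    ids, grew = {user}, True
    while grew:
        grew = False
        for group, members in GROUP_MEMBERS.items():
            if group not in ids and ids & members:
                ids.add(group)
                grew = True
    return ids

def matches(action, pattern):
    # RBAC action matching is case-insensitive and '*' spans '/' (fnmatch does the same).
    return fnmatchcase(action.lower(), pattern.lower())

def role_allows(role, action):
    d = ROLE_DEFINITIONS[role]
    return any(matches(action, p) for p in d["actions"]) and \
        not any(matches(action, p) for p in d["not_actions"])

def check_access(principal, action, scope, assignments, denies):
    """Return (allowed, reason) for a control-plane action on a scope."""
    ids, chain = principals_for(principal), ancestors(scope)
    for d in denies:                       # 1. deny assignments are evaluated first and win
        if d.scope in chain and ids & d.principals and any(matches(action, a) for a in d.actions):
            return False, f"deny assignment at {d.scope}"
    for a in assignments:                  # 2. any direct or inherited role that allows is enough
        if a.principal in ids and a.scope in chain and role_allows(a.role, action):
            return True, f"{a.role} assigned to {a.principal} at {a.scope}"
    return False, "no role assignment grants this action"

ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", SUB),
    RoleAssignment("sg-platform-ops", "Contributor", RG_APP),
    RoleAssignment("bob", "Owner", MG + "mg-root"),
]
DENIES = [DenyAssignment(frozenset({"sg-platform-ops"}),
                         ("Microsoft.Storage/storageAccounts/delete",), SA_APP)]

if __name__ == "__main__":
    for who, action, where in [
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM_APP),     # via group Contributor at RG
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM_OTHER),   # Reader only: denied
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG_APP),  # Contributor cannot grant
        ("alice", "Microsoft.Storage/storageAccounts/delete", SA_APP),     # deny assignment wins
        ("bob", "Microsoft.Compute/virtualMachines/delete", VM_OTHER),     # inherited from root MG
    ]:
        print(who, action, where.rsplit("/", 1)[-1], check_access(who, action, where, ASSIGNMENTS, DENIES))
```

The third case is the one worth remembering in practice: Contributor looks all-powerful but cannot write role assignments, which is exactly why a compromised Contributor identity is less damaging than a compromised Owner.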

Implementing Azure Governance Tools

Azure Policy enables you to define rules for resource configurations and what happens when a request does not comply: deny blocks the create or update, audit records a non-compliance, and modify or deployIfNotExists remediate the resource. Policies can restrict resource types or VM SKUs, enforce tag requirements, or require encryption or HTTPS-only traffic on storage accounts. Multiple policy definitions can be grouped into an initiative (policy set) and assigned together at a management group, subscription, or resource group scope to apply a broader governance strategy.
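To make the rule language concrete, here is an added example (not code from this guide or from Azure) of three definitions in the shape Azure Policy accepts, plus a small evaluator that applies them to constructed sample resources. It supports only the conditions and combinators these definitions use (field, equals, in, exists, allOf, anyOf, not) and the deny and audit effects. The aliases sku.name and supportsHttpsTrafficOnly are real Azure Policy aliases; the allowed-SKU list, the tag name, and the resources are assumptions.

```python
"""Minimal evaluator for Azure Policy rules (added example; constructed sample data)."""

ALLOWED_VM_SKUS = ["Standard_B2s", "Standard_D2s_v5"]   # assumed allow-list

DEFINITIONS = {
    # Same shape as the built-in "Allowed virtual machine size SKUs" policy, with the
    # list inlined instead of supplied as a parameter.
    "restrict-vm-sku": {"if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name", "in": ALLOWED_VM_SKUS}},
        ]}, "then": {"effect": "deny"}},
    "require-cost-center-tag": {"if": {"field": "tags['cost-center']", "exists": "false"},
                                "then": {"effect": "deny"}},
    "audit-storage-http": {"if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": False},
        ]}, "then": {"effect": "audit"}},
}

def get_field(resource, field):
    """Resolve a policy field against a flattened sample resource (alias paths are dict keys)."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)

def evaluate(condition, resource):
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "in" in condition:
        return value in condition["in"]
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")

def enforce(resource, definitions=DEFINITIONS):
    """Outcome of a create/update request: deny wins, otherwise audit findings, otherwise allow."""
    hits = [(name, rule["then"]["effect"]) for name, rule in definitions.items()
            if evaluate(rule["if"], resource)]
    if any(effect == "deny" for _, effect in hits):
        return "deny", hits
    return ("audit" if hits else "allow"), hits

# Constructed sample resources, flattened with alias paths as keys.
VM_OK = {"type": "Microsoft.Compute/virtualMachines",
         "Microsoft.Compute/virtualMachines/sku.name": "Standard_B2s",
         "tags": {"cost-center": "CC-1234"}}
VM_OVERSIZED = {**VM_OK, "Microsoft.Compute/virtualMachines/sku.name": "Standard_E64s_v5"}
STORAGE_UNTAGGED = {"type": "Microsoft.Storage/storageAccounts",
                    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True, "tags": {}}
STORAGE_HTTP = {"type": "Microsoft.Storage/storageAccounts",
                "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False,
                "tags": {"cost-center": "CC-1234"}}

if __name__ == "__main__":
    for label, r in [("vm ok", VM_OK), ("vm oversized", VM_OVERSIZED),
                     ("storage untagged", STORAGE_UNTAGGED), ("storage http", STORAGE_HTTP)]:
        print(label, "->", enforce(r))
```

Note the difference between the two effects: a deny policy stops the oversized VM and the untagged account from ever being created, while the audit policy lets the HTTP-only storage account through and merely records it on the compliance dashboard. Choose deny for invariants you are prepared to break deployments over, audit for everything you first want to measure.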

Locks are simple but effective tools that protect critical resources from accidental changes. A ReadOnly lock allows viewing but blocks modification; a CanNotDelete lock blocks deletion but still allows changes. Locks can be applied at resource, resource group, or subscription level and are inherited by everything beneath. Two caveats: a ReadOnly lock also blocks some operations that look like reads but are POST requests, such as listing storage account keys, and because a lock is just another resource, anyone with permission on Microsoft.Authorization/locks/* (Owner or User Access Administrator) can remove it, so locks guard against mistakes, not against a privileged attacker.

Tags are key-value pairs used to categorize resources. These are especially useful for billing, reporting, and automation. For example, you can tag resources with values such as environment type, department name, or cost center.

Management groups allow you to organize subscriptions hierarchically. Policies and access control can be applied at this level, affecting all child subscriptions. This is particularly useful in large enterprises managing multiple teams or departments.

Cost Management and Alerts

Administrators are responsible not just for deploying resources but also for managing their financial impact. Azure provides tools like cost analysis, budgets, and alerts. You can create budget alerts based on thresholds and get recommendations from Azure Advisor to optimize spending.

Resource tagging also supports cost management. For instance, you can generate cost reports based on tags such as “Project” or “Team.” This helps stakeholders monitor their resource usage and stay within budget.

Another essential area is monitoring unused or underutilized resources. Azure Advisor flags such cases, allowing you to shut down or resize services like VMs or databases.

Key Identity and Governance Tools

Here is a list of tools and services you should become familiar with:

portal – for manual tasks and visual management
azure cli – for scripting and automation
powershell – for complex scripting and advanced automation
microsoft graph api – for programmatic access to identity data such as users, groups, and Conditional Access policies
arm templates and bicep – for deploying RBAC and policy configurations as code
azure monitor and the activity log – for auditing control-plane changes and tracking who did what

Practice Exercises

Create a new user in Entra ID using PowerShell
Assign a built-in role to a user at the resource group level
Write a policy definition that restricts VMs to a specific SKU
Apply a resource lock to prevent deletion of a storage account
Use cost analysis to identify the top five resources by cost
Configure MFA using a conditional access policy for all admins

Identity and governance form the foundation of a secure and well-structured Azure environment. Mastering these topics early on enables you to configure services consistently and securely. Many of the tasks related to storage, compute, and networking build upon these identity and policy configurations. Take time to get comfortable with the concepts and tools described here before moving on to more advanced modules.

Understanding Azure Storage in AZ-104

Storage is a core service in Azure, enabling users to persist and access data in multiple formats. The AZ-104 exam covers storage accounts, containers, file shares, replication, access control, and data transfer methods. A solid grasp of these concepts is essential for deploying and maintaining scalable cloud solutions.

Azure offers various types of storage services tailored for different use cases. These include blob storage for unstructured data, file storage for shared access, queue storage for messaging between components, and table storage for NoSQL data. Mastering these services helps ensure that you can choose the appropriate solution for each scenario.

Types of Storage Accounts

Azure provides several types of storage accounts:

general-purpose v2: Supports blobs (all access tiers), files, queues, and tables. This is the default choice for almost every scenario.
general-purpose v1: Legacy account type with limited features and no access tiers; use only for backward compatibility.
blob storage (legacy): An older blob-only account type; create general-purpose v2 instead for new deployments.
premium accounts: Premium block blob, premium file share, and premium page blob accounts run on SSD-backed storage for low-latency, IOPS-intensive workloads.

You should also understand how to choose between performance tiers (standard vs. premium) and redundancy options (LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS), and that some combinations are not available for every account type or region.

Configuring Storage Accounts

Creating a storage account involves specifying its name (globally unique, 3 to 24 lowercase letters and digits), region, performance tier, redundancy setting, and the default access tier for new blobs (hot or cool). Redundancy options define how data is replicated and protected:

locally redundant storage (LRS): Three synchronous copies within a single datacenter in the primary region.
zone-redundant storage (ZRS): Three synchronous copies spread across availability zones in the primary region.
geo-redundant storage (GRS): LRS in the primary region plus asynchronous replication to the paired secondary region, where the data is again kept as LRS.
read-access geo-redundant storage (RA-GRS): Same as GRS, but the secondary region can be read at any time, not only after a failover.
geo-zone-redundant storage (GZRS, RA-GZRS): ZRS in the primary region combined with LRS in the secondary region, for workloads that need both zone and regional resilience.

Each choice affects both cost and availability. Understanding these options helps you choose the right configuration for your workloads.

Access Control for Storage

Azure offers multiple ways to control access to storage:

shared access signature (SAS): A signed URL that grants limited-time, limited-permission access to specific resources. Account SAS and service SAS are signed with an account key; a user delegation SAS is signed with a key obtained through Microsoft Entra ID and is preferred because it does not depend on the account keys at all.
access keys: Two 512-bit keys that grant full access to everything in the account, including the ability to mint SAS tokens. Store them in Key Vault, rotate them regularly, and disable shared key authorization on the account (allowSharedKeyAccess) once all clients authenticate with Entra ID.
identity-based access: Microsoft Entra ID authorization using data-plane roles such as Storage Blob Data Reader or Storage Blob Data Contributor, scoped with RBAC to the account, container, or even a single blob path.
stored access policies: Defined on a container, file share, queue, or table; a service SAS that references a policy inherits its start time, expiry, and permissions, so the SAS can be revoked by changing or deleting the policy instead of rotating the account key.

Identity-based access is considered more secure and scalable, especially in enterprise environments: permissions can be audited and revoked per principal, and no long-lived shared secret ever leaves Azure. Using role assignments, you can allow a user to access blob data without having to manage keys. Note that control-plane roles such as Contributor do not by themselves grant access to blob data; they do, however, include Microsoft.Storage/storageAccounts/listKeys/action, which lets the holder fetch the account keys and bypass data-plane RBAC entirely, so treat that permission as equivalent to full data access.
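Why the account key is so sensitive becomes obvious once you see how a SAS is built. The following is an added example, not code from this guide or from an Azure SDK: a service SAS for a blob is an HMAC-SHA256, keyed with the account key, over a newline-joined string of its own query parameters. Anyone holding an account key can mint a SAS with any permissions, rotating the key invalidates every SAS signed with it, and changing any parameter breaks the signature. The string-to-sign layout follows the documented service SAS format for version 2020-12-06; the account name, both keys, and the blob path are constructed sample values.

```python
"""Derive and verify a service SAS for a blob (added example; constructed sample values)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

ACCOUNT = "stapp01"                                            # constructed account name
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()      # constructed 512-bit key
ROTATED_KEY = base64.b64encode(bytes(range(64, 128))).decode() # constructed replacement key
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _sign(key_b64, string_to_sign):
    key = base64.b64decode(key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def _string_to_sign(p, container, blob):
    """Service SAS string-to-sign, version 2020-12-06 layout; empty fields are unused options."""
    canonicalized_resource = f"/blob/{ACCOUNT}/{container}/{blob}"
    return "\n".join([
        p["sp"], p.get("st", ""), p["se"], canonicalized_resource,
        p.get("si", ""), p.get("sip", ""), p["spr"], p["sv"], p["sr"],
        "",                   # signedSnapshotTime
        "",                   # signedEncryptionScope
        "", "", "", "", "",   # rscc, rscd, rsce, rscl, rsct (response header overrides)
    ])

def generate_blob_sas(container, blob, permissions="r", hours=1, key_b64=ACCOUNT_KEY, policy_id=None):
    """Mint an HTTPS-only SAS for one blob, read-only by default, expiring after `hours`."""
    expiry = (datetime.now(timezone.utc) + timedelta(hours=hours)).strftime(TIME_FMT)
    params = {"sv": "2020-12-06", "sr": "b", "sp": permissions, "se": expiry, "spr": "https"}
    if policy_id:   # stored access policy reference: revocable by editing the policy on the container
        params["si"] = policy_id
    params["sig"] = _sign(key_b64, _string_to_sign(params, container, blob))
    return urlencode(params)

def verify_blob_sas(sas, container, blob, key_b64=ACCOUNT_KEY, now=None):
    """Re-derive the signature the way the service does; reject on mismatch or expiry."""
    p = {k: v[0] for k, v in parse_qs(sas).items()}
    expected = _sign(key_b64, _string_to_sign(p, container, blob))
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return False, "signature mismatch: wrong or rotated key, or a parameter was altered"
    now = now or datetime.now(timezone.utc)
    if datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc) <= now:
        return False, "expired"
    return True, f"ok: permissions={p['sp']} until {p['se']}"

if __name__ == "__main__":
    sas = generate_blob_sas("backups", "db.bak")
    print(verify_blob_sas(sas, "backups", "db.bak"))                                # valid
    print(verify_blob_sas(sas, "backups", "db.bak", key_b64=ROTATED_KEY))           # key rotated
    print(verify_blob_sas(sas.replace("sp=r&", "sp=rw&"), "backups", "db.bak"))     # permissions tampered
    print(verify_blob_sas(sas, "backups", "other.bak"))                             # wrong blob
    print(verify_blob_sas(generate_blob_sas("backups", "db.bak", hours=-1), "backups", "db.bak"))
```

Two operational consequences follow directly from the code: the service cannot tell a SAS minted by your automation from one minted by an attacker who read the key out of a config file, and the only way to revoke an ad-hoc SAS early is to rotate the key, which kills every other SAS too. That is the case for stored access policies (the si parameter) and, better still, for user delegation SAS tokens bound to an Entra identity.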

Azure Blob Storage

Blob storage is used for storing large amounts of unstructured data like documents, videos, or backups. There are three types of blobs:

block blobs: Used for storing text and binary data.
append blobs: Ideal for logs that require appending data.
page blobs: Used for virtual hard drives attached to Azure virtual machines.

A container organizes blobs and sets their anonymous access level: private (no anonymous access), blob (anonymous read of individual blobs by URL, no listing), or container (anonymous listing and read of everything inside). Because anonymous read is a frequent source of data exposure, disable it for the whole account with the allowBlobPublicAccess setting unless a container genuinely serves public content. Blob versioning and soft delete are enabled at the account level and then apply to every container; snapshots are taken per blob.

Soft delete protects against accidental deletion by allowing you to recover deleted blobs within a retention period. Snapshots allow point-in-time captures of blob data, which are useful for backup and recovery scenarios.

Azure File Storage

Azure Files provides shared file storage in the cloud that can be accessed via SMB or NFS protocols. It is commonly used for lift-and-shift scenarios, user profiles, and application configuration.

Features of Azure File Storage include:

standard and premium tiers
encryption at rest and in transit
NTFS support with Active Directory authentication
integration with Azure Backup and Azure File Sync

File shares can be accessed from Azure VMs or on-premises systems, making them highly versatile. Azure File Sync allows you to cache cloud file shares on local Windows servers.

Storage Tools and Utilities

Several tools are available for managing storage:

azure portal: Provides a graphical interface for storage management.
azcopy: A command-line utility optimized for high-performance data transfers.
storage explorer: A GUI tool for managing blob containers, queues, and file shares.
azure cli and powershell: Used for scripting storage operations such as creating shares, generating SAS tokens, and setting access policies.

You should practice using these tools in a sandbox environment. For example, use AzCopy to upload files to a blob container, or use Azure CLI to configure lifecycle rules.

Lifecycle Management and Data Tiering

Blob lifecycle management is an automated, rule-based way to move data between access tiers or delete it when it's no longer needed. Rules match on time since last modification, creation, or last access (last-access rules require last access time tracking to be enabled on the account) and can be filtered by blob type, name prefix (container and path), and blob index tags.

Azure supports the following blob tiers:

hot: For frequently accessed data; highest storage cost, lowest access cost.
cool: For infrequently accessed data; blobs deleted or moved to another tier within 30 days incur an early deletion charge.
cold: For rarely accessed data that must still be readable immediately; 90-day early deletion period.
archive: For data accessed very rarely; 180-day early deletion period, and archived blobs are offline and must be rehydrated to hot or cool (which can take hours) before they can be read.

Lifecycle rules help optimize cost by moving data from hot to cool or archive as it ages. You can also delete blobs automatically after a defined retention period.
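A policy that does exactly what the preceding paragraphs describe, as an added example (not from this guide or from Azure): the JSON is in the shape the Blob service accepts for a lifecycle management policy, and the evaluator applies it to constructed sample blobs. Simplified on purpose: only daysAfterModificationGreaterThan and prefixMatch are modelled; last-access-time and creation-time rules, blob index tag filters, and version or snapshot actions are not. Container and blob names, ages, and the fixed "now" are assumptions.

```python
"""Lifecycle management policy and a simplified evaluator (added example; constructed data)."""
import json
from datetime import datetime, timedelta, timezone

LIFECYCLE_POLICY = {"rules": [{
    "enabled": True,
    "name": "tier-and-expire-logs",
    "type": "Lifecycle",
    "definition": {
        "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["logs/"]},
        "actions": {"baseBlob": {
            "tierToCool":    {"daysAfterModificationGreaterThan": 30},
            "tierToArchive": {"daysAfterModificationGreaterThan": 90},
            "delete":        {"daysAfterModificationGreaterThan": 365},
        }},
    },
}]}

TIER_RANK = {"hot": 0, "cool": 1, "archive": 2}   # lifecycle only ever moves a blob to a colder tier

def plan_actions(policy, blobs, now):
    """Map blob name -> the action this run would take (the most aggressive matching one)."""
    plan = {}
    for rule in policy["rules"]:
        if not rule.get("enabled", True):
            continue
        filters = rule["definition"]["filters"]
        actions = rule["definition"]["actions"]["baseBlob"]
        for blob in blobs:
            if blob["type"] not in filters["blobTypes"]:
                continue
            if not any(blob["name"].startswith(p) for p in filters.get("prefixMatch", [])):
                continue
            age_days = (now - blob["modified"]).days
            # Check delete first, then archive, then cool; skip moves that would not go colder.
            for action, target_rank in (("delete", 3), ("tierToArchive", 2), ("tierToCool", 1)):
                threshold = actions.get(action, {}).get("daysAfterModificationGreaterThan")
                if threshold is not None and age_days > threshold and TIER_RANK[blob["tier"]] < target_rank:
                    plan[blob["name"]] = action
                    break
    return plan

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the example is deterministic

def sample_blob(name, days_old, tier="hot", blob_type="blockBlob"):
    return {"name": name, "type": blob_type, "tier": tier, "modified": NOW - timedelta(days=days_old)}

SAMPLE_BLOBS = [                                                # constructed inventory
    sample_blob("logs/2024/05/app.log", 10),
    sample_blob("logs/2024/04/app.log", 45),
    sample_blob("logs/2024/01/app.log", 120),
    sample_blob("logs/2023/01/app.log", 400, tier="cool"),
    sample_blob("logs/2024/04/already-cool.log", 45, tier="cool"),
    sample_blob("data/2023/01/export.csv", 400),                # outside the logs/ prefix
    sample_blob("logs/disk.vhd", 400, blob_type="pageBlob"),    # wrong blob type for the rule
]

if __name__ == "__main__":
    print(json.dumps(LIFECYCLE_POLICY, indent=2))
    print(plan_actions(LIFECYCLE_POLICY, SAMPLE_BLOBS, NOW))
```

Run it and the 400-day-old blob is deleted even though it has been sitting in cool: the delete threshold is measured from last modification, not from when the blob changed tier, so a retention requirement has to be expressed against the same clock. Remember also that lifecycle delete is a real delete; soft delete and versioning are what give you a recovery window afterwards.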

Azure Storage Redundancy and Object Replication

Redundancy ensures data durability and high availability: the LRS, ZRS, GRS, and GZRS options replicate every write within the primary region or additionally to the paired secondary region. Object replication is a separate feature that asynchronously copies block blobs from a container in one storage account to a container in another account, in the same or a different region, for example to keep a copy close to consumers or to feed a second environment.

Redundancy is configured at the storage account level and can be monitored through metrics and logs. Object replication requires blob versioning and change feed to be enabled on both accounts, plus a replication policy that specifies the source and destination accounts and container pairs, optionally with prefix filters.

Common Administrative Tasks

create a general-purpose v2 storage account with GRS redundancy
generate a SAS token with read-only permissions and expiry date
mount an Azure file share to a Windows server
configure blob lifecycle rules to delete data after 365 days
monitor storage account metrics such as availability, latency, and capacity
set up a backup policy for Azure file shares using Recovery Services Vault

Key Concepts to Remember

understand how access tiers affect cost and performance
know when to use blob storage versus file storage
secure access using RBAC instead of shared keys
apply lifecycle rules to manage data automatically
choose the right redundancy option for business continuity
understand how AzCopy and Storage Explorer fit into your workflow

Azure storage is foundational to most cloud applications. The AZ-104 exam requires a working knowledge of configuring, managing, and securing storage accounts. You should also be able to automate these tasks and ensure that your storage strategies are cost-efficient and scalable. Hands-on practice with storage tools is critical to mastering this topic.

Overview of Azure Compute Resources

Azure compute services provide the foundation for hosting workloads in the cloud. These include virtual machines, containers, and serverless platforms. In the AZ-104 exam, you’re expected to be familiar with deploying and managing these resources using the Azure portal, ARM templates, Azure CLI, and PowerShell.

The compute domain emphasizes infrastructure deployment, configuration, availability, and automation. You must understand how to work with both IaaS (like virtual machines and VM scale sets) and PaaS (like Azure App Services).

Deploying Virtual Machines

Virtual machines (VMs) are among the most commonly used Azure services. They allow you to host operating systems and applications just like in a traditional on-premises environment. Key considerations when deploying VMs include:

choosing the right VM size and series
selecting an operating system image from the marketplace
configuring OS disk and data disks
setting availability options (zones or sets)
assigning network interfaces and public IPs
enabling backup and monitoring

When creating a VM, you also define authentication methods (password or SSH key), storage configuration, and tagging for organization.

VM Availability and Redundancy

Azure offers features to ensure high availability for virtual machines:

availability sets: Protect against hardware failures by distributing VMs across fault and update domains within a data center
availability zones: Distribute VMs across different physical locations within a region, offering higher fault tolerance
proximity placement groups: Place resources physically closer to reduce network latency

These options are important for business continuity and disaster recovery planning.

Managing Virtual Machines

Once deployed, virtual machines must be managed through various tools. You can:

start, stop, restart, and deallocate VMs
resize a VM to scale up or down
attach or detach data disks
use Azure Bastion for secure RDP/SSH access
enable Azure Monitor to collect performance and diagnostic data
configure encryption at rest: server-side encryption with platform-managed keys is on by default for managed disks; add customer-managed keys from Key Vault or Azure Disk Encryption (BitLocker or dm-crypt inside the guest) when policy requires it

You should also know how to move VMs across resource groups and subscriptions using the portal or CLI, and across regions using Azure Resource Mover or Azure Site Recovery (a plain move operation does not work across regions). This supports reorganization, compliance, or cost optimization.

Using ARM Templates and Bicep for Automation

Infrastructure as Code (IaC) is essential in modern cloud administration. ARM templates (JSON format) and Bicep files (simplified syntax) allow you to define infrastructure in a declarative way.

With these tools, you can:

create reusable infrastructure templates
define resources with parameters and variables
use conditionals and loops
deploy templates from Azure CLI or PowerShell
export existing infrastructure as templates
convert between ARM and Bicep formats

This automation approach ensures consistency and accelerates deployments across environments.

Azure Virtual Machine Scale Sets

VM scale sets allow you to deploy and manage a group of identical VMs with autoscaling capabilities. Use cases include application hosting, batch processing, and stateless front-end services.

Features of scale sets:

automatic scaling based on metrics (CPU, memory, schedule)
integration with load balancers and Application Gateway
support for both Windows and Linux
custom VM images or Azure marketplace images
automatic OS updates and repair

Understanding how to configure and scale virtual machine scale sets is crucial for high-performance and resilient systems.

Azure Containers and Container Services

Containers offer lightweight, portable environments for running applications. Azure provides several services to manage containers:

azure container instances (ACI): Run containers without managing VMs
azure kubernetes service (AKS): Managed Kubernetes orchestration for complex containerized applications
azure container apps: Serverless container hosting with scaling and event-driven features
azure container registry (ACR): Private registry for storing container images

You should understand how to:

create and deploy containers using ACI and AKS
configure scaling and health monitoring
connect container workloads to virtual networks
authenticate with ACR using service principals or managed identities

Containers are ideal for microservices architecture, continuous deployment, and applications requiring scalability.

Azure App Service

App Service provides a PaaS environment for hosting web apps, REST APIs, and mobile back ends. It abstracts infrastructure management and supports multiple languages and frameworks.

Core features include:

easy deployment using GitHub, DevOps, or ZIP uploads
built-in load balancing and autoscaling
custom domain and SSL certificate support
diagnostic logging and monitoring
backup and restore functionality
deployment slots for testing in production-like environments

App Service plans determine pricing and performance (shared, basic, standard, premium). You can scale vertically (larger plans) or horizontally (more instances).

Configuring App Service Networking and Security

App Services can be connected to virtual networks in two directions, and it is worth keeping them apart: VNet Integration lets the app make outbound calls to resources on a private network, while a private endpoint gives the app itself a private IP so that inbound traffic can be kept off the public internet. Together they allow secure communication with back-end resources such as databases and storage accounts that have their own public access disabled.

Security best practices include:

restricting access with IP restrictions or authentication
using Azure Front Door or Application Gateway for enhanced security
enabling HTTPS with TLS certificates
setting up custom domains with DNS configuration
configuring managed identities to access Azure services securely

Monitoring and Scaling Compute Resources

Azure Monitor integrates with compute services to track performance, generate alerts, and diagnose issues. Key metrics include CPU, memory, disk I/O, and network usage.

You can:

create alert rules for anomalies
use log analytics to analyze trends
enable autoscaling rules based on metrics or schedules
set action groups to notify teams or trigger remediation workflows

Scaling is supported across VMs, VM scale sets, and App Services. You must understand how to plan and configure scaling to meet performance demands while optimizing cost.

Backup and Disaster Recovery for Compute Resources

Azure provides several tools for protecting compute resources:

azure backup: Backs up VM OS disks and data disks to a Recovery Services vault
site recovery: Replicates VMs to a secondary region for disaster recovery
snapshot: Captures point-in-time state of a disk
custom scripts: Automate VM-level backup or replication with scheduled tasks

For App Services, you can configure backup schedules and retention directly from the portal. Restoring can be done to the original or a different app.

Practice Scenarios

create a virtual machine with a custom image and size
configure disk encryption and backup policy for a VM
deploy a container image from Azure Container Registry to Azure Container Instances
create an App Service with custom DNS and SSL binding
scale a VM scale set based on CPU usage
deploy infrastructure using a Bicep file
configure diagnostic logging and alerts for an App Service
automate VM provisioning with a parameterized ARM template

In this, you’ve explored how to deploy, manage, and automate compute resources in Azure, including virtual machines, containers, and App Services. These services form the backbone of most Azure environments and require both conceptual understanding and practical experience.

You’re encouraged to spend time in a test environment creating and managing these resources through the portal, CLI, and templates. The more hands-on experience you gain, the more prepared you’ll be for the AZ-104 exam.

Understanding Azure Virtual Networking

Virtual networks in Azure provide the backbone for communication between Azure resources and external environments. They are similar to traditional on-premises networks but are defined and managed through Azure.

Key elements of virtual networking include:

virtual networks (VNets): Logical isolation of the Azure cloud dedicated to a subscription
subnets: Subdivision of a VNet to organize and secure workloads
network interfaces (NICs): Attached to VMs and provide connectivity
IP addressing: Includes dynamic and static public and private IPs

VNets support both IPv4 and IPv6 address spaces. A VNet is a regional resource that spans every availability zone in its region, so zone-redundant VMs in the same VNet can communicate without any extra configuration.

Configuring and Managing VNets

You can create and configure virtual networks using the Azure portal, PowerShell, CLI, or ARM templates. Key configuration tasks include:

defining address space and subnet ranges
assigning NICs to VMs within subnets
enabling VNet peering for cross-VNet communication
configuring DNS settings at the VNet level
assigning service endpoints for secure Azure service access

VNet peering allows low-latency, high-throughput connectivity between VNets in the same or different regions without requiring a VPN gateway.

Network Security Groups (NSGs) and Access Control

Network security groups are essential for controlling inbound and outbound traffic at the subnet or NIC level. Each rule has a priority, a direction, a source and destination (IP prefix, service tag such as Internet or VirtualNetwork, or application security group), a protocol, a port range, and an allow or deny action.

Best practices for NSGs include:

least privilege access
separate NSGs for front-end and back-end tiers
monitoring effective rules using Network Watcher
combining with Application Security Groups (ASGs) for role-based traffic management

NSGs are stateful: when an inbound rule allows a flow, the return traffic is allowed automatically without an outbound rule, and vice versa. Rules are evaluated in priority order (lowest number first) and the first match wins. Every NSG ends with default rules that allow traffic from the VirtualNetwork and AzureLoadBalancer tags inbound, allow outbound traffic to the Internet, and deny everything else. When both a subnet and a NIC have an NSG, inbound traffic must be allowed by both, so an "allow" on the NIC cannot undo a "deny" on the subnet.
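The evaluation order just described, as an added example (not from this guide or from Azure) in the spirit of Network Watcher's IP flow verify, for inbound traffic only: custom rules are checked in ascending priority, the first match wins, the three real default inbound rules (65000, 65001, 65500) sit after them, and a subnet NSG and a NIC NSG must both allow a flow. Service tags are reduced to VirtualNetwork, Internet, and AzureLoadBalancer against one constructed VNet range; application security groups, outbound defaults, and stateful flow tracking are not modelled. The rule sets, address ranges, and source IPs are constructed; the load balancer probe address 168.63.129.16 is the real one.

```python
"""Simplified NSG rule evaluation, inbound only (added example; constructed rule sets)."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")                 # constructed VNet address space
BASTION_SUBNET = "10.0.250.0/26"                            # constructed AzureBastionSubnet
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")      # real Azure load balancer probe source

@dataclass(frozen=True)
class Rule:
    priority: int    # 100-4096 for custom rules; lower number is evaluated first
    name: str
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, single IP, "*" or a service tag
    dest_port: str   # "22", "80-443" or "*"

DEFAULT_INBOUND = (
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
)

def _source_matches(spec, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":            # simplification: anything outside the VNet
        return ip not in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate_inbound(rules, protocol, src_ip, dst_port):
    """Return (allowed, rule name) from the first matching rule in priority order."""
    for rule in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _source_matches(rule.source, src_ip) or not _port_matches(rule.dest_port, dst_port):
            continue
        return rule.access == "Allow", rule.name
    return False, "DenyAllInBound"    # unreachable: the default deny always matches

def ip_flow_verify(subnet_nsg, nic_nsg, protocol, src_ip, dst_port):
    """Inbound: the subnet NSG is evaluated first, then the NIC NSG; a deny at either level blocks."""
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        allowed, name = evaluate_inbound(rules, protocol, src_ip, dst_port)
        if not allowed:
            return False, f"denied by {level} NSG rule {name}"
    return True, "allowed"

# Constructed subnet NSG for a web tier: HTTPS from anywhere, SSH only from Bastion.
NSG_WEB_SUBNET = [
    Rule(100, "AllowHttpsFromInternet", "Allow", "Tcp", "Internet", "443"),
    Rule(110, "AllowSshFromBastion", "Allow", "Tcp", BASTION_SUBNET, "22"),
    Rule(120, "DenySshFromAnywhere", "Deny", "Tcp", "*", "22"),
]
# Constructed NIC NSG where someone "temporarily" opened SSH to the world.
NSG_NIC_OPEN_SSH = [Rule(100, "AllowSshAny", "Allow", "Tcp", "*", "22")]

if __name__ == "__main__":
    for src, port, nic in [("203.0.113.10", 443, None), ("203.0.113.10", 22, NSG_NIC_OPEN_SSH),
                           ("10.0.250.7", 22, None), ("10.0.1.5", 8080, None),
                           ("203.0.113.10", 8080, None), ("168.63.129.16", 8080, None)]:
        print(src, port, ip_flow_verify(NSG_WEB_SUBNET, nic, "Tcp", src, port))
```

Two of the cases are the ones that trip people up. The internal 10.0.1.5 reaching port 8080 is allowed by nothing you wrote; it is the default AllowVnetInBound rule, which is why "I never opened that port" is not the same as "that port is closed" inside a VNet. And the NIC-level AllowSshAny changes nothing, because the subnet NSG already denied the flow at priority 120; the fix for an exposed port is to look at every NSG in the path, which is exactly what the effective security rules view does.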

Securing Access to VNets

Azure provides multiple methods for securing access to virtual networks:

azure bastion: Allows secure RDP/SSH connectivity to VMs without exposing public IPs
service endpoints: Extend VNet to Azure services like Storage or SQL, ensuring traffic stays within Azure backbone
private endpoints: Provide private IP addresses for Azure PaaS resources, isolating access to internal networks
VPN gateways: Enable encrypted connections between on-premises networks and Azure
expressroute: Offers dedicated private connections from your datacenter to Azure

These solutions allow administrators to build secure, scalable hybrid networks.

DNS and Name Resolution in Azure

Azure supports name resolution using:

azure-provided DNS: Default resolution for all VMs within a VNet
custom DNS: Allows integration with on-premises DNS servers
private DNS zones: Host DNS records that are not accessible over the public internet

You can configure name resolution per VNet and link DNS zones to VNets as needed. This is particularly important when using services like App Service, AKS, and Private Link.

Load Balancing in Azure

Azure offers several load balancing solutions:

azure load balancer: Works at Layer 4 (TCP/UDP) for distributing traffic across VMs
azure application gateway: Operates at Layer 7 (HTTP/HTTPS) with support for path-based routing and SSL termination
azure front door: Global HTTP(S) load balancing with CDN integration
traffic manager: DNS-based load balancing for directing client traffic to optimal endpoints based on policies

Each load balancer serves different needs depending on protocol, routing complexity, and geographic requirements.

Monitoring Azure Resources

Azure Monitor provides unified observability across resources. Key components include:

metrics: Near real-time numeric data, such as CPU and memory usage
logs: Structured event data collected into a Log Analytics workspace and queried with Kusto Query Language (KQL)
alerts: Triggers based on thresholds, activity logs, or queries
action groups: Define notifications and automation responses to alerts
workbooks: Custom dashboards for visualizing metrics and logs
insights: Specialized monitoring for specific services like VMs, Storage, and App Service

Using Azure Monitor is critical for performance tuning and troubleshooting.

Using Azure Network Watcher

Network Watcher helps diagnose and visualize network issues. Its features include:

connection monitor: Continuously tests and verifies network connectivity
IP flow verify: Checks if traffic is allowed or denied by NSG rules
next hop: Shows where traffic will route from a VM
effective security rules (formerly security group view): Displays the combined subnet and NIC NSG rules that actually apply to a VM's network interface
packet capture: Captures network packets for deep inspection

Network Watcher is especially useful when dealing with intermittent connectivity or suspected routing problems.

Backup and Recovery

Azure offers two primary services for data protection:

azure backup: Backs up VMs, Azure Files, and on-premises workloads
site recovery: Enables replication and failover of VMs to another Azure region

Key backup tasks include:

creating a Recovery Services Vault
configuring a backup policy
executing backups and verifying restore points
performing restores to original or alternate locations

With Site Recovery, you can set up disaster recovery for VMs, define recovery plans, and simulate failovers for testing.

Disaster Recovery and Failover

To ensure business continuity, you should understand:

replicating VMs across regions
configuring Site Recovery and selecting target resources
monitoring replication health and alerts
executing failovers and failback procedures
maintaining compliance with recovery time objectives (RTO) and recovery point objectives (RPO)

Disaster recovery planning involves regular testing and documentation of recovery workflows.

Alerts and Automation

Using Azure Monitor alerts, you can:

detect performance degradation
notify administrators or DevOps teams
trigger logic apps, runbooks, or webhooks
create escalation paths with action groups
set severity levels and suppression rules

Automation helps respond quickly to issues and enforces standards across large environments.

Practice Scenarios

create and peer two VNets in different regions
configure NSGs for tiered access (front-end, mid-tier, back-end)
create and test private endpoints for Azure Storage
deploy a load balancer and verify VM traffic distribution
set up alerts for high CPU usage on a VM
configure automated backup of a virtual machine
simulate failover using Azure Site Recovery
query logs for NSG rule matches using Azure Monitor

This part provided a comprehensive overview of Azure’s networking, security, monitoring, and recovery capabilities. These skills are vital for managing a robust Azure environment and ensuring uptime, security, and performance.

You should now have a solid understanding of virtual networks, NSGs, private access, load balancing, diagnostics, and backup strategies. Practicing these skills in a test environment will deepen your expertise and prepare you for success in the AZ-104 exam.

Final Thoughts

Reaching the end of your AZ-104 preparation journey is an achievement in itself. This certification is not just a validation of your knowledge—it’s a reflection of your dedication to mastering Microsoft Azure and becoming a capable cloud administrator. Whether you’re entering the field or leveling up your career, the AZ-104 credential holds strong value in today’s cloud-first IT landscape.

The AZ-104 exam covers a wide range of Azure services, from identity and governance to virtual networking, storage, compute resources, and monitoring. Preparing for this exam demands a solid balance of theoretical understanding and practical application. Reading about concepts is important, but the exam—and real-world Azure work—requires that you can implement and troubleshoot those concepts effectively.

As you wrap up your study efforts, focus on these key takeaways:

Don’t spread yourself too thin. Prioritize the core objectives of the exam such as identity management, deploying virtual machines, configuring storage, and monitoring Azure resources. These areas often carry more weight in the exam and are critical for success in a real job role.

Nothing replaces hands-on practice. Create and manage virtual machines, configure backup policies, set up network security groups, deploy ARM templates, and explore the monitoring tools. Real interaction with the portal will cement your understanding better than any reading material.

Practice exams are more than a gauge of readiness—they are tools for deep learning. Review each question and understand why each answer is correct or incorrect. This reflection process strengthens both your knowledge and your test-taking skills.

As the exam day approaches, resist the urge to cram. Instead, do short, focused reviews of key concepts and use your cheat sheet to refresh commands and procedures. On exam day, read each question carefully and manage your time thoughtfully. Trust in the effort you’ve put into preparation.

Earning the AZ-104 certification is a milestone, but it’s also a foundation. It prepares you to take on more advanced certifications and roles in cloud architecture, security, and DevOps. Use it as a launchpad to grow your skills and expand your influence as an Azure professional.

Passing the AZ-104 exam is very achievable with focused, consistent effort. It requires clarity in your study plan, commitment to hands-on practice, and a clear understanding of Azure’s foundational services. Keep your learning steady, don’t rush the process, and most importantly—stay curious. The cloud evolves constantly, and every exam you pass is just another step in your continuous learning journey.

Take pride in the progress you’ve made and push forward with confidence. You’re well on your way to becoming a certified Microsoft Azure Administrator—and opening the door to greater opportunities in the cloud world.