AZ-104 has five domains. Treating them as equally important is the most common preparation mistake — and the one most likely to cause failure. Two domains account for 55-60% of the exam. Candidates who spread study time evenly across all five are underinvesting in the questions that determine whether they pass.
This breakdown identifies where the exam concentrates, what specific knowledge gets tested repeatedly, and where to invest the most time.
The Domain Breakdown
| Domain | Weight |
|---|---|
| Manage Azure identities and governance | 20-25% |
| Implement and manage storage | 15-20% |
| Deploy and manage Azure compute resources | 20-25% |
| Implement and manage virtual networking | 15-20% |
| Monitor and maintain Azure resources | 10-15% |
The top two domains by question density: identities/governance and compute. Together they represent 40-50% of the exam. Add networking and you're at 55-70%. The monitoring domain at 10-15% is real but smaller — candidates who max out on identities, compute, and networking have the best chance of passing.
Domain 1: Manage Azure Identities and Governance (20-25%)
This domain is where candidates with Windows Active Directory background have a significant advantage — and where candidates without that background need focused study.
Azure Active Directory vs Active Directory Domain Services
Azure Active Directory (Azure AD / Entra ID) is a cloud-based identity and access management service. Despite the similar name, it's not the same as on-premises Active Directory Domain Services. The exam tests this distinction directly.
| Feature | Active Directory DS | Azure Active Directory |
|---|---|---|
| Protocol | LDAP, Kerberos, NTLM | OAuth 2.0, SAML, OpenID Connect |
| Structure | Domains, OUs, GPOs | Flat structure (no OUs, no GPOs) |
| Management | Group Policy | Conditional Access, Intune |
| Scope | On-premises | Cloud and SaaS applications |
| Join type | Domain join | Azure AD Join, Azure AD Register |
The exam presents scenarios where candidates must identify whether a solution requires Azure AD, Azure AD DS (a managed version of traditional AD), or a hybrid configuration. "A company needs to join virtual machines to a domain and apply group policies" — Azure AD DS, not Azure AD alone.
Role-Based Access Control (RBAC)
RBAC on AZ-104 is more complex than most candidates expect. The exam tests:
Scope hierarchy: Management Group → Subscription → Resource Group → Resource. Permissions assigned at a higher scope inherit down. A contributor role on a subscription grants contributor on all resource groups within it.
Built-in roles:
Owner: full access including permission management
Contributor: full resource management, cannot change permissions
Reader: view-only
User Access Administrator: can manage access but not resources
Custom roles: candidates must understand that custom roles are defined in JSON, specify allowed and not-allowed actions, and can be scoped to specific resource types. The exam tests when custom roles are appropriate (when built-in roles are either too permissive or too restrictive for the specific scenario).
The most commonly missed concept: role assignments are additive. A user who is both Contributor on a resource group and Reader on a specific resource gets Contributor-level access to that resource — the higher permission wins. There is no "deny" capability in standard RBAC assignment (Azure Policy handles deny scenarios).
Azure Policy
Policy is tested in detail, including:
Policy definitions: JSON-based rules defining conditions and effects
Policy initiatives: collections of policy definitions applied together
Effects: Audit (log non-compliance without blocking), Deny (block non-compliant deployments), DeployIfNotExists (automatically deploy required resources), Modify (automatically add or modify properties)
Remediation tasks: how to bring existing non-compliant resources into compliance
Common exam scenario: "A company wants to ensure all virtual machines have a specific tag before they can be deployed." Effect: Deny with a condition on the tag. "A company wants to identify storage accounts without HTTPS enforced, but not block their creation." Effect: Audit.
Resource Locks
Resource locks are frequently tested because candidates confuse the two types:
CanNotDelete: resources can be modified but not deleted
ReadOnly: resources cannot be modified or deleted (equivalent to Reader-level access)
Lock behavior: locks apply to all users including owners. Even subscription owners cannot delete a resource with CanNotDelete lock without first removing the lock. Locks cascade from resource groups to resources within them.
Domain 2: Implement and Manage Storage (15-20%)
Storage questions center on Blob Storage and file storage configuration details that are easy to miss in surface-level study.
Blob Storage Access Tiers
| Tier | Access cost | Storage cost | Minimum storage |
|---|---|---|---|
| Hot | Lowest | Highest | None |
| Cool | Higher than Hot | Lower than Hot | 30 days |
| Cold | Higher than Cool | Lower than Cool | 90 days |
| Archive | Highest | Lowest | 180 days |
The exam tests lifecycle management policies that automatically transition blobs between tiers. "A company stores application logs in Blob Storage. Logs older than 30 days are rarely accessed. Logs older than 365 days are never accessed and should be retained for compliance." This maps to: move to Cool after 30 days, move to Archive after 365 days, using a lifecycle management policy.
Archive tier specifics: blobs in Archive are offline and cannot be read directly. They must be rehydrated (moved to Hot or Cool) before access, which takes up to 15 hours for standard priority or 1 hour for high priority. The exam tests this rehydration requirement.
Shared Access Signatures
SAS tokens are heavily tested. Candidates need to understand:
Account SAS: access to multiple services (Blob, Queue, Table, File) and multiple resource types
Service SAS: access to a single storage service
User delegation SAS: scoped to Blob or Data Lake Gen2, signed with Azure AD credentials rather than storage account key
SAS security: SAS tokens inherit the permissions of the signing key. A SAS signed with a storage account key can only be revoked by regenerating that key (which breaks all SAS tokens signed with it). User delegation SAS can be revoked by revoking the delegating user's Azure AD permissions.
Domain 3: Deploy and Manage Azure Compute Resources (20-25%)
Compute is the largest domain by questions and the most varied in topic coverage.
Virtual Machine Configuration
VM sizing: the exam presents scenarios requiring the correct VM SKU selection. General purpose (Dsv5 series) for balanced workloads, compute optimized (Fsv2 series) for CPU-intensive applications, memory optimized (Esv5 series) for database workloads, storage optimized (Lsv3 series) for high disk throughput.
Availability configurations:
Availability Sets: protect against hardware failures within a datacenter. Separate VMs across fault domains (different physical racks) and update domains (groups that are rebooted during maintenance). SLA: 99.95% for two or more VMs.
Availability Zones: protect against entire datacenter failures. Distribute VMs across three physically separated datacenters within a region. SLA: 99.99% for two or more VMs.
VM Scale Sets: automatically scale VM count based on load. Can be zone-redundant. Combines availability and elasticity.
The exam consistently tests the distinction: Availability Sets for hardware failure protection within a single datacenter, Availability Zones for datacenter-level failure protection.
Azure App Service
App Service questions appear frequently. The exam tests plan tiers and their implications:
| Plan | Autoscale | Custom domains/SSL | Deployment slots |
|---|---|---|---|
| Free/Shared | No | No | No |
| Basic | No | Yes | No |
| Standard | Yes | Yes | 5 |
| Premium | Yes | Yes | 20 |
| Isolated | Yes | Yes | 20 |
Deployment slots: staging environments for App Service that allow zero-downtime deployments through slot swapping. When you swap a staging slot with production, the warm-up of the staging environment happens before the swap, eliminating cold start for users. Standard plan gets 5 slots — the exam often tests minimum plan requirements for deployment slots.
App Service plans: multiple App Service apps can share a single plan. If the plan is on a Standard instance, all apps on that plan share the plan's CPU and memory. The exam tests when to use separate plans vs shared plans.
"App Service plans are one of the most confusing concepts for AZ-104 candidates because they conflate the pricing tier with the compute allocation. Understanding that the plan is the actual compute, and apps are tenants on that compute, clarifies every question about scaling, slots, and pricing." — Thomas Maurer, Microsoft Senior Cloud Advocate
Azure Container Instances and Azure Kubernetes Service
The exam distinguishes when to use each:
Azure Container Instances (ACI): single containers or simple multi-container groups. No orchestration, no node management, billed per second of container runtime. Best for burst scenarios, simple workloads, or batch jobs.
Azure Kubernetes Service (AKS): managed Kubernetes cluster. Node pools of VMs running containerized workloads. Best for complex microservices applications, workloads requiring advanced networking, or applications that need horizontal pod autoscaling.
AZ-104 tests AKS at a configuration level: cluster creation, node pools, networking (Azure CNI vs Kubenet), integration with Azure Container Registry, and identity configuration for cluster access.
Domain 4: Implement and Manage Virtual Networking (15-20%)
Networking is the domain where candidates with network engineering backgrounds pull ahead. For everyone else, this requires focused study on Azure-specific networking concepts.
VNet Architecture
Address spaces and subnets: Azure VNets use CIDR notation. Each VNet has one or more address spaces; subnets divide the address space. Azure reserves 5 IP addresses in every subnet (first 4 and last 1), which reduces the usable addresses in small subnets.
Network Security Groups (NSGs): stateful firewalls applied to subnets or network interfaces. Rules have priority numbers (lower number = higher priority). Default rules allow VNet-to-VNet traffic and block internet inbound. The exam tests rule evaluation: if two rules match, the lower priority number wins.
Application Security Groups (ASGs): logical groupings for VMs that allow NSG rules to reference groups instead of IP addresses. "Allow traffic from the web tier to the application tier" becomes cleaner than maintaining IP lists.
VNet Peering and VPN Gateways
VNet Peering: connects two VNets so resources can communicate using private IP addresses. Peering is non-transitive — if VNet A peers with VNet B, and VNet B peers with VNet C, A and C cannot communicate through B unless configured explicitly (using route tables or a hub-spoke topology with transit).
Azure VPN Gateway: encrypted connectivity between Azure VNets and on-premises networks. Types:
Route-based VPN: more flexible, supports point-to-site and multiple connections
Policy-based VPN: static routing, only site-to-site VPN, one connection
SKU selection matters: the VpnGw1 SKU supports 650 Mbps aggregate throughput. The exam occasionally tests maximum connection or throughput requirements that require specific SKUs.
Azure DNS
Private DNS zones: name resolution for resources within VNets without exposing DNS publicly. Requires linking the private zone to a VNet. Auto-registration can automatically create DNS records for VMs joined to the linked VNet.
Azure DNS vs custom DNS: the exam tests when Azure-provided DNS is sufficient and when custom DNS servers are required. Custom DNS is needed for on-premises name resolution, split-horizon DNS, or integration with existing DNS infrastructure.
Domain 5: Monitor and Maintain Azure Resources (10-15%)
This domain rewards candidates who have spent time in the Azure Portal's monitoring features. Abstract study doesn't capture the specificity of what's tested.
Azure Monitor: the umbrella monitoring service. Collects metrics (numerical, real-time performance data) and logs (structured event data) from Azure resources, VMs, and custom sources.
Log Analytics workspace: where logs are stored and queried. KQL (Kusto Query Language) is used for querying. The exam tests basic KQL concepts: time ranges, filtering, counting, aggregating.
Azure Alerts: triggered by metric thresholds, log query results, activity log events, or health alerts. Alert rules specify the signal, condition, and action group. Action groups define what happens when an alert fires: email, SMS, Azure Function, Logic App, webhook.
Azure Backup:
Recovery Services Vault stores backup data
Backup policies define frequency and retention
VMs can be backed up to Recovery Services Vault directly
Azure Backup for on-premises uses MARS agent or MABS
The Most Effective Study Approach for AZ-104
Prerequisite assessment: before studying, work through the Microsoft Learn AZ-104 learning paths. They cover the exact content the exam tests. If you can complete a learning path module without significant confusion, you're ready for practice questions on that topic.
Lab time is not optional: AZ-104 includes questions about configuration sequences, error conditions, and behavioral details that only become clear through hands-on work. Azure provides free sandbox environments through Microsoft Learn — use them.
Practice exam scoring guide:
Below 65% on practice: identify weak domains and spend 1-2 more weeks studying
65-74%: you're borderline — focus on your weakest domain
75%+: schedule the exam
High-ROI focus areas: in order of question density and impact on pass rate:
Azure AD/Entra ID: RBAC, conditional access, MFA, users and groups
Virtual Machines: availability options, extensions, custom script extension
VNet configuration: NSGs, peering, private endpoints
App Service: plans, slots, deployment configuration
Azure Monitor: alert rules, action groups, Log Analytics
PowerShell and CLI Commands Tested in AZ-104
The commands section is where candidates with console-only experience lose points they should be winning. AZ-104 expects you to recognize the correct command for a task, identify errors in a given command, and know when to use Azure PowerShell vs Azure CLI vs the portal.
High-frequency Azure CLI commands on AZ-104:
# Create a resource group
az group create --name myRG --location eastus
# Create a virtual machine
az vm create --resource-group myRG --name myVM --image UbuntuLTS --admin-username azureuser --generate-ssh-keys
# Resize a VM
az vm resize --resource-group myRG --name myVM --size Standard_DS2_v2
# Deallocate a VM (required before resize in some cases)
az vm deallocate --resource-group myRG --name myVM
# Start a VM
az vm start --resource-group myRG --name myVM
# Create a storage account
az storage account create --name mystorageaccount --resource-group myRG --location eastus --sku Standard_LRS
# Create a blob container
az storage container create --name mycontainer --account-name mystorageaccount
# Assign an RBAC role
az role assignment create --assignee user@example.com --role "Contributor" --scope /subscriptions/{subscription-id}/resourceGroups/myRG
High-frequency Azure PowerShell commands:
# Create a resource group
New-AzResourceGroup -Name myRG -Location eastus
# Get VM status
Get-AzVM -Name myVM -ResourceGroupName myRG -Status
# Stop (deallocate) a VM
Stop-AzVM -Name myVM -ResourceGroupName myRG
# Set VM size
$vm = Get-AzVM -ResourceGroupName myRG -Name myVM
$vm.HardwareProfile.VmSize = "Standard_DS2_v2"
Update-AzVM -ResourceGroupName myRG -VM $vm
# Create a network security group rule
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "AllowHTTP" -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80 -Access Allow
What the exam tests specifically: candidates frequently confuse cmdlet naming between PowerShell (noun-verb style: New-AzVM, Get-AzResourceGroup, Remove-AzStorageAccount) and CLI (az service command style: az vm create, az group show, az storage account delete). Questions present a command and ask whether it will succeed — the most common error type is using PowerShell syntax in an Azure CLI context or vice versa.
NSG Flow Logs: What AZ-104 Asks About Them
NSG Flow Logs capture information about IP traffic flowing through Network Security Groups. AZ-104 tests them at an operational level — how to enable them and what the logs contain.
Enabling NSG Flow Logs:
Navigate to Network Security Groups → select the NSG
Under Monitoring: NSG flow logs → Create
Select a storage account for log storage (required)
Optionally configure Traffic Analytics (requires Log Analytics workspace)
Set retention period (0 = retain indefinitely, 1-365 = retain for N days)
Flow log record structure: each record contains:
Version number
Tuple:
sourceIP-sourcePort-destinationIP-destinationPort-protocolTraffic flow direction (I = inbound, O = outbound)
Traffic decision (A = allowed, D = denied)
Flow state (B = begin, C = continuation, E = end) — in version 2 logs
Exam scenarios for NSG Flow Logs:
"A network administrator needs to determine if traffic from an external IP address is being blocked by NSG rules." Enable NSG Flow Logs on the relevant NSG and look for records with the source IP showing decision "D" (denied).
"A company wants to analyze network traffic patterns across all their VNets to identify potential security threats." Enable NSG Flow Logs with Traffic Analytics — Traffic Analytics processes the flow logs and provides visualizations of traffic patterns, top talkers, and anomalous traffic in Log Analytics.
Traffic Analytics vs Flow Logs: Flow Logs are raw data stored in blob storage. Traffic Analytics processes that data and presents insights in Log Analytics with built-in dashboards. Traffic Analytics costs more (Log Analytics workspace ingestion charges) but provides faster threat detection and built-in security visualizations.
Azure Policy vs RBAC: Decision Scenarios with Specific Examples
AZ-104 tests the Policy vs RBAC distinction in multiple scenario formats. The key principle: RBAC controls WHO can perform actions; Policy controls WHAT configurations are permitted.
| Scenario | RBAC or Policy? | Reasoning |
|---|---|---|
| Allow only the network team to create NSGs | RBAC | Controls which users can perform the action |
| Require all NSGs to have a specific tag | Policy (Deny effect) | Controls configuration regardless of who creates it |
| Allow a developer to read storage but not delete | RBAC | Controls what the user can do |
| Prevent storage accounts from allowing public blob access | Policy (Deny effect) | Configuration control — even admins cannot create non-compliant resources |
| Automatically add a required tag to all newly created VMs | Policy (Modify effect) | Automated remediation of configuration |
| Grant a service principal access to Key Vault secrets | RBAC (Key Vault RBAC) | Access control for a specific user/identity |
The additive vs restrictive distinction: RBAC is additive — you grant access. Policy is restrictive — you define what's not permitted. These work together: a user might have RBAC permission to create storage accounts, but a Policy can prevent them from creating storage accounts with public access even though they have the RBAC permission to create storage accounts generally.
Azure Policy Deny vs Audit effect:
Deny: prevents creation or modification of non-compliant resources. Blocks the operation. Use when the configuration must not exist.
Audit: logs non-compliant resources without blocking creation. Creates a compliance record. Use when you want visibility without enforcement (for resources that already exist, or when you're phasing in enforcement).
DeployIfNotExists effect — the AZ-104 wildcard: if a VM is created without a monitoring agent, DeployIfNotExists can automatically deploy the monitoring agent extension. This is tested as the answer when the question requires automatic remediation rather than just detection.
"App Service plans are one of the most confusing concepts for AZ-104 candidates because they conflate the pricing tier with the compute allocation. Understanding that the plan is the actual compute, and apps are tenants on that compute, clarifies every question about scaling, slots, and pricing." — Thomas Maurer, Microsoft Senior Cloud Advocate
References
Microsoft. Exam AZ-104: Microsoft Azure Administrator — Skills Measured. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/certifications/exams/az-104/
Maurer, Thomas, and Jan-Henrik Peters. Exam Ref AZ-104 Microsoft Azure Administrator. Microsoft Press, 2022. ISBN: 978-0137408245. (Official Microsoft Press exam reference with scenario-based examples)
Microsoft. AZ-104 Microsoft Azure Administrator Learning Path. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/training/paths/az-104-administrator-prerequisites/
Savill, John. AZ-104 Microsoft Azure Administrator Study Cram. YouTube/NTFAQGuy, 2024. (Microsoft MVP; comprehensive video review covering all exam domains)
Bonso, Jon (Tutorials Dojo). AZ-104 Microsoft Azure Administrator Practice Exams. Tutorials Dojo, 2024. https://tutorialsdojo.com/microsoft-azure/
Microsoft. Azure Virtual Network Documentation — Concepts. Azure Documentation, 2024. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
Frequently Asked Questions
Which domains should I focus on most for AZ-104?
Identities/governance (20-25%) and compute (20-25%) together account for 40-50% of the exam. Networking adds another 15-20%. These three domains determine whether most candidates pass or fail. The monitoring domain at 10-15% requires less study investment relative to its weight.
How is Azure RBAC tested on AZ-104?
AZ-104 tests RBAC scope hierarchy (management group → subscription → resource group → resource), built-in roles (Owner, Contributor, Reader, User Access Administrator), custom role creation, and the additive permission model. The exam distinguishes between scenarios requiring custom roles vs built-in roles.
What is the difference between Azure AD and Active Directory Domain Services on AZ-104?
Azure AD uses modern protocols (OAuth, SAML, OpenID Connect) with a flat structure. AD DS uses LDAP/Kerberos with domain/OU/GPO hierarchy. The exam tests which one applies to specific scenarios — Azure AD for cloud identity, Azure AD DS for domain join and group policy requirements.
Are hands-on labs required to pass AZ-104?
Yes, effectively. AZ-104 tests configuration details that are difficult to learn by reading alone — NSG rule precedence, VNet peering behavior, App Service plan implications. Microsoft Learn's free sandbox labs and the Azure free tier provide hands-on practice without billing costs.
What practice exam score should I target before booking AZ-104?
Target 75% on Tutorials Dojo or Whizlabs practice exams. AZ-104 passing score is 700/1000. 75% practice performance correlates with a reliable pass. Below 65% on practice indicates knowledge gaps that need additional study before attempting the real exam.