AZ-104 is the credential Microsoft uses to validate that a candidate can administer a production Azure environment without breaking it. The exam does not reward memorization. It rewards candidates who understand why a specific configuration works and why the alternatives fail. This guide lays out a study plan that matches the question patterns, not the marketing copy.
The plan assumes 10 to 15 study hours per week over 10 weeks. Adjust down if you already manage Azure at work. Adjust up if you are new to identity management, networking, or Windows administration.
What the Exam Actually Measures
Microsoft's official skills outline shows five domains. The weighting matters more than the topic count.
| Domain | Weight | Question Concentration |
|---|---|---|
| Manage Azure identities and governance | 20-25% | RBAC scope, Conditional Access, Policy effects |
| Implement and manage storage | 15-20% | Access tiers, SAS tokens, lifecycle rules |
| Deploy and manage Azure compute resources | 20-25% | VM extensions, App Service plans, container apps |
| Implement and manage virtual networking | 15-20% | NSG precedence, VNet peering, route tables |
| Monitor and maintain Azure resources | 10-15% | Log Analytics, backup vault, recovery services |
Two domains stand out: identity governance and compute. Together they carry 40 to 50 percent of scoring weight. Weak performance in either is usually what causes failure. Treat these as your non-negotiable mastery targets before the booking.
"The candidates who fail AZ-104 almost always underestimate how much of the exam lives inside the identity domain. Scope inheritance, Conditional Access logic, and custom role JSON are tested on almost every form." — John Savill, Microsoft MVP
Week-by-Week Plan
The schedule below balances reading, labs, and retrieval practice. Active recall is prioritized over passive re-reading because the exam tests recognition under pressure. The active recall vs passive review breakdown at Pass4Sure explains the cognitive science behind why this works.
| Week | Focus | Deliverable |
|---|---|---|
| 1 | Azure fundamentals refresh, portal navigation | 20 flashcards on subscription structure |
| 2 | Identities, Azure AD, Conditional Access | Lab: configure MFA + Conditional Access |
| 3 | RBAC, Policy, Blueprints | Custom role JSON from memory |
| 4 | Storage accounts, blob tiers, SAS | Lab: lifecycle rule with archive transition |
| 5 | Compute: VMs, scale sets, availability sets | Lab: VMSS with autoscale rules |
| 6 | Networking: VNets, peering, NSG precedence | Diagram a hub-and-spoke from scratch |
| 7 | Load balancers, Application Gateway, Front Door | Decision tree for routing services |
| 8 | Monitoring: Log Analytics, alerts, action groups | KQL queries for failed sign-ins |
| 9 | Backup, ASR, recovery | Lab: VM restore from recovery point |
| 10 | Full practice exams + weak area review | 3 mock exams at 80% or higher |
Identity and Governance Deep Dive
The identity domain tests four concepts more than any others: Azure AD versus Azure AD DS, RBAC scope hierarchy, Conditional Access evaluation, and Policy effects.
Azure AD versus AD DS
Candidates routinely lose points by treating these as interchangeable. They are not.
| Feature | Azure AD (Entra ID) | Azure AD Domain Services |
|---|---|---|
| Protocols | OAuth 2.0, SAML, OpenID Connect | LDAP, Kerberos, NTLM |
| Structure | Flat tenant with groups | Domains, OUs, Group Policy |
| VM join | Azure AD Join, hybrid join | Classic domain join |
| Use case | Cloud SaaS, modern apps | Legacy apps requiring domain |
| Pricing | Per user tier | Flat managed service fee |
When the exam asks about legacy LDAP bind authentication or Group Policy inheritance, the correct answer is almost always Azure AD DS, even if Azure AD is mentioned in the scenario.
RBAC Scope Inheritance
Permissions flow down: Management Group to Subscription to Resource Group to Resource. Assignments are additive. There is no deny except through Policy. A user with Contributor at the subscription level automatically has Contributor on every child resource group unless a Policy restricts specific operations.
The highest-permission role wins in conflict. A Reader assignment at the resource level does not restrict a Contributor assignment at the subscription level. This catches candidates every form.
Conditional Access Evaluation
Conditional Access policies are evaluated together and combined with AND logic on the conditions, OR logic on the assignments, and strictest control wins on the access outcome. If one policy requires MFA and another blocks access, the user is blocked. Candidates memorizing individual policies often miss this combination logic.
Storage Domain: The Hidden Complexity
Storage looks simple until the exam asks about lifecycle rules that move blobs between tiers conditionally, or SAS token hierarchy, or immutable blob policies under legal hold. Practice questions drawn from the spaced repetition frameworks at When Notes Fly help lock in the configuration rules that look similar but produce different outcomes.
Access tiers and their rehydration behavior are tested in every form:
- Hot: frequently accessed, highest storage cost, lowest access cost
- Cool: infrequent access, 30-day minimum, lower storage cost
- Cold: rare access, 90-day minimum, introduced in 2023
- Archive: offline, 180-day minimum, rehydration takes up to 15 hours
Rehydration from Archive to Hot takes high-priority or standard-priority options. High priority completes within one hour but costs more. Standard priority completes within 15 hours. This detail appears on most exam forms.
SAS tokens come in three types: service-level, account-level, and user delegation. User delegation SAS is the correct answer when the scenario emphasizes auditability and Azure AD integration because it is signed with Azure AD credentials rather than the storage account key.
Compute Domain: Where Configuration Matters
The compute domain tests VM sizing, extensions, availability architecture, and App Service plans. The App Service plan is the single most confused topic on the exam.
An App Service plan is the compute. Web apps are tenants on that compute. Scaling the plan scales every app hosted on it. Moving an app between plans moves the tenant between compute blocks. Candidates who understand this win every App Service question.
"App Service plans are one of the most confused concepts for AZ-104 candidates because they conflate the pricing tier with the compute allocation. Understanding that the plan is the actual compute and apps are tenants on it clarifies every question about scaling, slots, and pricing." — Thomas Maurer, Microsoft Senior Cloud Advocate
VM availability architecture has a precise hierarchy:
- Availability Zones: physically separate datacenters within a region, 99.99% SLA when VMs span two or more zones
- Availability Sets: fault domains and update domains within a single datacenter, 99.95% SLA
- Single VM with Premium SSD: 99.9% SLA
- Virtual Machine Scale Sets: automatic scaling, can span zones for highest availability
The exam tests which option matches a stated uptime requirement. 99.99 points to zones, 99.95 to sets, 99.9 to single VM with Premium SSD.
Networking Domain: Precedence and Peering
NSG rule precedence is number-based. Lower priority numbers evaluate first. Default rules allow intra-VNet traffic at priority 65000, Azure load balancer at 65001, and deny everything at 65500. Custom rules must use priorities between 100 and 4096.
VNet peering is non-transitive. If VNet-A peers with VNet-B and VNet-B peers with VNet-C, traffic does not flow from A to C. Candidates miss this almost every form. The hub-and-spoke pattern solves it by forcing traffic through a network virtual appliance or Azure Firewall in the hub.
A productive study environment matters here because networking requires diagram-heavy practice. Many candidates report that working from a dedicated desk with minimal interruption, similar to the deep-work setups covered at Down Under Cafe's study environment guides, produces better retention on spatial topics like VNet topology.
Monitoring, Backup, and Recovery
The monitoring domain centers on Log Analytics workspaces, Azure Monitor alerts, and the distinction between metric alerts and log alerts.
- Metric alerts: near real-time, use numeric data from resources
- Log alerts: query-based using KQL, higher latency, more flexible
- Activity log alerts: fire on subscription-level events like resource creation
Backup uses the Recovery Services vault. Azure Backup supports VM backup, Azure Files backup, SQL in VM backup, and SAP HANA backup. The soft delete retention of 14 days is enabled by default and cannot be disabled in some configurations.
Azure Site Recovery handles replication for disaster recovery, not backup. Candidates confuse these routinely. Backup is for point-in-time restore. ASR is for regional failover.
Practice Exam Strategy
Target three providers: Microsoft MeasureUp, Tutorials Dojo, and Whizlabs. Each uses a different question style, and exposure to all three covers the real exam's variation.
| Provider | Strength | Target Score |
|---|---|---|
| MeasureUp | Closest to Microsoft question phrasing | 80%+ |
| Tutorials Dojo | Best explanations, detailed breakdowns | 80%+ |
| Whizlabs | Highest volume, scenario variety | 75%+ |
A practice exam hit rate under 65 percent is a clear signal to push the booking by two to three weeks. Booking the exam out of optimism rather than readiness is the top cause of repeated failure.
"Test-takers who track their weak areas after every practice exam pass at nearly twice the rate of those who repeat full exams without targeted review. The pattern is consistent across Microsoft, AWS, and Google Cloud certifications." — Jon Bonso, Tutorials Dojo
Career Signaling After AZ-104
AZ-104 is a recognized entry to cloud administration roles. Salary survey data from Dice and Global Knowledge consistently place certified Azure administrators in the $100,000 to $135,000 range in the United States, with higher figures in major metros.
To convert the certification into an offer, the resume and LinkedIn profile need to reflect cloud work rather than generic sysadmin experience. The resume writing templates at Evolang offer structures specifically tuned for cloud infrastructure roles, and the career frameworks at the Pass4Sure IT career roadmap map the post-certification path from junior administrator to principal engineer.
Cognitive demands matter too. Cloud administration rewards working memory under pressure, pattern recognition, and sustained attention on dense documentation. The cognitive demands of technical certifications at What's Your IQ provide a useful frame for candidates deciding between administration, architecture, and engineering tracks.
Freelancers and consultants pursuing AZ-104 for independent work should also consider the formation side. Registering a consulting entity properly at the start avoids tax and liability problems later, and the business formation guides at Corpy cover the options across jurisdictions.
Exam Day Tactics
The exam is 40 to 60 questions over 120 minutes, including case studies. Case studies appear first in some formats and cannot be revisited once submitted, which is a detail candidates miss.
Tactical rules that raise scores:
- Answer every question. There is no penalty for wrong answers.
- Flag uncertain questions for review but commit an answer before flagging.
- Case studies first. Read the tabs before the questions.
- If stuck, eliminate clearly wrong options and pick the answer that matches Microsoft's preferred pattern (managed services over custom, built-in over custom roles, Policy over scripts).
- Watch for "requires the least administrative effort" phrasing. This always points to managed or built-in options.
Credential verification after passing uses the Microsoft Learn profile and a shareable badge. For third-party verification workflows and scannable credential links, services like the QR code generators at QR Bar Code produce shareable links that recruiters can validate instantly.
Common Failure Modes
The patterns that cause repeat failures are consistent across candidate pools:
- Over-reliance on video courses without lab time
- Booking before hitting 75 percent on practice exams
- Skipping the identity domain because it "looks like generic AD"
- Treating networking as memorization instead of spatial reasoning
- Ignoring case study navigation mechanics until exam day
Candidates who address these before booking almost always pass on the first attempt. Those who ignore them report a second or third attempt cycle.
References
Microsoft. Exam AZ-104: Microsoft Azure Administrator — Skills Measured. Microsoft Learn, 2024. https://learn.microsoft.com/en-us/certifications/exams/az-104/
Maurer, Thomas, and Jan-Henrik Peters. Exam Ref AZ-104 Microsoft Azure Administrator. Microsoft Press, 2022. ISBN: 978-0137408245.
Karimi, Hamid Reza, et al. "Cloud computing skills and certification in enterprise IT." Journal of Cloud Computing, vol. 12, no. 1, 2023. DOI: 10.1186/s13677-023-00460-4.
Savill, John. AZ-104 Microsoft Azure Administrator Study Cram v2. NTFAQGuy Technical Training, 2024.
Bonso, Jon. AZ-104 Microsoft Azure Administrator Practice Exams. Tutorials Dojo, 2024. https://tutorialsdojo.com/microsoft-azure/
Roediger, Henry L., and Jeffrey D. Karpicke. "Test-enhanced learning: taking memory tests improves long-term retention." Psychological Science, vol. 17, no. 3, 2006, pp. 249-255. DOI: 10.1111/j.1467-9280.2006.01693.x.
Global Knowledge. 2024 IT Skills and Salary Report. Global Knowledge Research, 2024.