Prepare for AZ-104 with a practical Microsoft Azure Administrator study guide updated for the 17 April 2026 skills measured. This guide maps each official objective to Microsoft Learn, adds exam-angle notes, and gives you a clear study order for identity, governance, storage, compute, networking, monitoring, backup, and recovery.

AZ-104 Microsoft Azure Administrator Checked: 27 June 2026 Skills measured from 17 April 2026

AZ-104 Study Guide 2026: Microsoft Azure Administrator

A practical, objective-by-objective AZ-104 study guide for the current Microsoft Azure Administrator exam. It maps the official skills measured to Microsoft Learn resources and explains what each objective means in real exam scenarios.

Use it as a study roadmap: start with the exam scope, review the high-yield traps, then work through each domain with hands-on Azure practice.

Quick answer

AZ-104 is best studied as an administrator exam, not a memory test. Start with identity, RBAC and governance, then move into storage, compute, networking, monitoring, backup and recovery.

Best practical approach: Use Microsoft Learn as the source of truth, then practise each objective in the Azure portal, Azure CLI, PowerShell or Bicep. The exam usually rewards knowing which Azure feature solves the operational scenario, not just recognising the feature name.
  • High-yield first: RBAC, Azure Policy, storage access, NSGs, private endpoints, VM availability, App Service scaling and Azure Monitor.
  • Do hands-on labs: Create resources, break them, troubleshoot them, then clean them up.
  • Watch the wording: Many questions are about least privilege, cost control, recovery requirements or network isolation.
  • Use this guide: Work through the objective tables as a checklist against the official Microsoft Learn study guide.

How to use this AZ-104 guide

For exam preparation

Read each official objective, open the linked Microsoft Learn page, and then practise the task in the Azure portal, Azure CLI, PowerShell, or Bicep. AZ-104 rewards applied administration knowledge, not only memorised definitions.

For quick revision

Use the “likely exam angle” column to check whether you can make the right operational decision: which scope to use, which access method is safer, which redundancy option fits the scenario, or which troubleshooting tool confirms the problem.

Why this guide is different: Microsoft Learn is the source of truth for the exam scope. This article adds a practical layer on top: objective mapping, study order, common traps, and administrator-focused explanations.

AZ-104 exam at a glance

AZ-104 is the certification exam for Microsoft Azure Administrator Associate. The current Microsoft study guide lists five measured skill areas: identities and governance, storage, compute, virtual networking, and monitoring/maintenance. The exam is scenario-heavy, so you should practise configuration, troubleshooting, access control, and recovery tasks rather than only reading definitions.

Start with identity, RBAC, and governance. These topics affect almost every Azure resource and often appear inside storage, compute, and networking scenarios.
Practise storage and networking together. Many questions combine private endpoints, service endpoints, firewalls, DNS, SAS, keys, and identity-based access.
Finish with compute, monitoring, backup, and recovery. Focus on when to use VMs, VM scale sets, App Service, containers, Azure Monitor, Azure Backup, and Site Recovery.

Common AZ-104 exam traps

  • RBAC vs Azure Policy: RBAC controls who can do something; Azure Policy controls what can be deployed or configured.
  • Role assignment scope: Assign at the narrowest scope that satisfies the requirement.
  • Locks vs permissions: Resource locks can block changes even when a user has RBAC permissions.
  • Budgets: Budgets send alerts; they do not automatically stop resources unless automation is added.
  • Service endpoint vs private endpoint: Service endpoints still use public service endpoints; private endpoints use private IPs and usually need private DNS.
  • NSG rule priority: Lower number means higher priority. Check both subnet and NIC NSGs.
  • Storage redundancy: LRS, ZRS, GRS, GZRS, RA-GRS, and RA-GZRS solve different failure and read-access requirements.
  • Backup vs Site Recovery: Backup restores data or workloads; Site Recovery supports disaster recovery failover.

Official exam scope

Source of truth: The Microsoft Learn AZ-104 study guide remains the official source for the current skills measured. Use this article as a practical companion and revision checklist, not as a replacement for Microsoft Learn.

Microsoft describes AZ-104 candidates as Azure administrators who implement, manage, and monitor an organization’s Azure environment, including virtual networks, storage, compute, identity, security, and governance. You should be comfortable with operating systems, networking, servers, virtualization, PowerShell, Azure CLI, the Azure portal, ARM templates or Bicep, and Microsoft Entra ID.

Official references: Microsoft Learn AZ-104 study guide · AZ-104 exam page · Azure Administrator Associate certification

Manage Azure identities and governance20–25%
Implement and manage storage15–20%
Deploy and manage Azure compute resources20–25%
Implement and manage virtual networking15–20%
Monitor and maintain Azure resources10–15%
Exam reality: AZ-104 is not a theory-only exam. Expect portal, CLI/PowerShell, configuration, troubleshooting, least-privilege, cost, monitoring, networking, storage, and recovery scenarios. Microsoft says the bullets illustrate how the skill is assessed and related topics may also appear.
20–25%

Manage Azure identities and governance

Manage Microsoft Entra users and groups

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Create users and groups Microsoft Learn: Create users and groups Microsoft Entra user and group management Know when to create cloud users, groups, dynamic groups, and role-assignable groups. Expect portal-style questions about required fields, group membership, and admin roles. Learn presents this as identity objects, group membership, assignment, and administration tasks in Microsoft Entra ID.
Manage user and group properties Microsoft Learn: Manage user and group properties Edit identity attributes, membership, owners, and settings Be ready to identify where to update profile details, group owners, membership type, and group properties. Exam questions often test what can be changed after creation. Learn shows group and user configuration through Entra admin center steps and property pages.
Manage licenses in Microsoft Entra ID Microsoft Learn: Manage licenses in Microsoft Entra ID License assignment to users and groups Understand direct vs group-based licensing, license assignment errors, and how users inherit service plans. Expect scenario questions about assigning Microsoft cloud service licenses. Learn represents licensing as user/group assignment plus service plan enablement and troubleshooting.
Manage external users Microsoft Learn: Manage external users B2B guest users and external collaboration Know guest user invitation, collaboration settings, access reviews at a high level, and when to use external identities. Exam angle: choose the right external access method. Learn explains external identity lifecycle, invitations, redemption, and collaboration controls.
Configure self-service password reset (SSPR) Microsoft Learn: Configure self-service password reset (SSPR) Password reset registration, methods, and scope Know who can use SSPR, authentication methods, registration requirements, and writeback conceptually. Expect questions about enabling SSPR for selected groups. Learn presents SSPR as policy configuration, authentication methods, user registration, and reset flow.

Manage access to Azure resources

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Manage built-in Azure roles Microsoft Learn: Manage built-in Azure roles Azure RBAC built-in role selection Know Owner vs Contributor vs Reader vs User Access Administrator. Expect least-privilege questions where the answer is a built-in role, not a custom role. Learn lists built-in roles by category with allowed actions and typical assignment use cases.
Assign roles at different scopes Microsoft Learn: Assign roles at different scopes Role assignment inheritance at management group, subscription, resource group, and resource scope Understand that permissions inherit downward and that narrower scopes reduce blast radius. Expect questions asking where to assign a role for least privilege. Learn shows role assignment workflow: scope, role, member, review, and assignment.
Interpret access assignments Microsoft Learn: Interpret access assignments Check effective access and role assignments Be able to inspect why a user has access through direct assignment or group inheritance. Exam angle: determine effective permission from overlapping assignments. Learn demonstrates the Check access blade and role assignment review.

Manage Azure subscriptions and governance

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Implement and manage Azure Policy Microsoft Learn: Implement and manage Azure Policy Policy definitions, initiatives, assignments, compliance, and remediation Know the difference between Azure Policy and RBAC. Expect deny, audit, modify, append, and deployIfNotExists style scenario questions. Learn represents governance as policy definitions assigned at scopes with compliance evaluation.
Configure resource locks Microsoft Learn: Configure resource locks Delete and read-only locks Know that locks override user permissions and protect resources from accidental changes or deletion. Expect questions about CanNotDelete vs ReadOnly. Learn shows management locks and their effect on resource operations.
Apply and manage tags on resources Microsoft Learn: Apply and manage tags on resources Tagging for organization, automation, and cost reporting Know tag inheritance is not automatic unless policy or automation applies it. Exam angle: use tags for cost allocation and resource classification. Learn presents tag creation, update, limitations, and policy-based enforcement.
Manage resource groups Microsoft Learn: Manage resource groups Resource group lifecycle and deployment scope Understand resource group location vs resource location, moving resources, deleting groups, and grouping by lifecycle. Expect operational admin scenarios. Learn shows resource group creation, access, locks, tags, and deletion.
Manage subscriptions Microsoft Learn: Manage subscriptions Subscription administration, access, billing, and organization Know how subscriptions isolate billing and governance. Expect questions about using multiple subscriptions for environments, billing, or administrative boundaries. Learn frames subscriptions as containers for resources, billing, policy, and RBAC scopes.
Manage costs by using alerts, budgets, and Azure Advisor recommendations Microsoft Learn: Manage costs by using alerts, budgets, and Azure Advisor... Cost Management budgets, alerts, and optimization recommendations Know budgets do not stop resources by themselves; they notify. Expect questions on cost alerts, Advisor recommendations, and rightsizing unused resources. Learn shows budgets, alerts, cost analysis, and Advisor as cost-control tools.
Configure management groups Microsoft Learn: Configure management groups Hierarchy above subscriptions for governance at scale Understand when to use management groups for policy/RBAC across many subscriptions. Expect hierarchy and inheritance questions. Learn represents management groups as a governance tree for policy and access assignments.
15–20%

Implement and manage storage

Configure access to storage

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Configure Azure Storage firewalls and virtual networks Microsoft Learn: Configure Azure Storage firewalls and virtual networks Storage account network access controls Know public network access, selected networks, service endpoints, private endpoints, and trusted Azure services. Exam questions often ask why access is blocked. Learn shows firewall rules, VNet rules, IP allowlists, and private connectivity options.
Create and use shared access signature (SAS) tokens Microsoft Learn: Create and use shared access signature (SAS) tokens Delegated storage access using SAS Understand service SAS, account SAS, user delegation SAS, permissions, start/expiry time, and HTTPS-only access. Expect secure temporary-access scenarios. Learn explains SAS types, signing methods, permissions, and security recommendations.
Configure stored access policies Microsoft Learn: Configure stored access policies Reusable SAS constraints for containers and shares Know stored access policies let you revoke or change SAS behavior centrally. Exam angle: choose stored access policy when multiple SAS tokens need common control. Learn represents stored access policies as container-level policy objects tied to service SAS.
Manage access keys Microsoft Learn: Manage access keys Storage account key rotation and shared key access Know each storage account has two keys to support rotation. Expect questions about regenerating keys and avoiding shared key when Entra auth is possible. Learn shows key viewing, rotation, and connection string considerations.
Configure identity-based access for Azure Files Microsoft Learn: Configure identity-based access for Azure Files Azure Files authentication with identity providers Know when to use identity-based authentication for SMB Azure file shares and how it differs from storage keys. Expect hybrid identity questions. Learn presents AD DS, Microsoft Entra Kerberos, and permission layers for Azure Files.

Configure and manage storage accounts

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Create and configure storage accounts Microsoft Learn: Create and configure storage accounts Storage account kind, performance, access, and configuration Know account type, region, redundancy, performance tier, hierarchical namespace, and access settings. Expect create/configure portal questions. Learn shows the storage account creation workflow and key configuration choices.
Configure Azure Storage redundancy Microsoft Learn: Configure Azure Storage redundancy LRS, ZRS, GRS, GZRS, RA-GRS, and RA-GZRS Be able to choose redundancy based on availability, region failure protection, and read access. Expect cost vs durability tradeoff questions. Learn compares redundancy options, replication scope, and failover implications.
Configure object replication Microsoft Learn: Configure object replication Asynchronous block blob replication between storage accounts Know prerequisites such as versioning and change feed, and that replication is for block blobs. Expect replication-policy questions. Learn presents source/destination accounts, replication rules, and supported scenarios.
Configure storage account encryption Microsoft Learn: Configure storage account encryption Storage Service Encryption and customer-managed keys Know Microsoft-managed vs customer-managed keys, infrastructure encryption, and Key Vault integration. Exam angle: satisfy encryption-control requirements. Learn explains encryption at rest and key-management options.
Manage data by using Azure Storage Explorer and AzCopy Microsoft Learn: Manage data by using Azure Storage Explorer and AzCopy GUI and command-line data movement tools Know when to use AzCopy for bulk copy/sync and Storage Explorer for interactive management. Expect tool-selection questions. Learn shows upload, download, copy, sync, and authentication patterns for storage data operations.

Configure Azure Files and Azure Blob Storage

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Create and configure a file share in Azure Files Microsoft Learn: Create and configure a file share in Azure Files SMB/NFS file shares in Azure Storage Know quota, access tier, snapshots, identity access, and mounting concepts. Exam questions may ask how to expose shared files to VMs. Learn shows file share creation, quota settings, and access configuration.
Create and configure a container in Azure Blob Storage Microsoft Learn: Create and configure a container in Azure Blob Storage Blob containers and access levels Know private vs anonymous access, uploading blobs, and container-level organization. Expect basic blob administration scenarios. Learn represents containers as logical blob groupings with access and management settings.
Configure storage tiers Microsoft Learn: Configure storage tiers Hot, cool, cold, and archive access tiers Choose tiers based on access frequency, retrieval time, and cost. Expect scenario questions about archive rehydration and lifecycle transitions. Learn compares tier costs, latency, availability, and supported account types.
Configure soft delete for blobs and containers Microsoft Learn: Configure soft delete for blobs and containers Protection from accidental deletion Know retention period and recovery behavior for deleted blobs and containers. Exam angle: restore accidentally deleted data. Learn shows soft delete enablement and recovery flow.
Configure snapshots and soft delete for Azure Files Microsoft Learn: Configure snapshots and soft delete for Azure Files Point-in-time protection for Azure file shares Know share snapshots preserve file share state and can support restore. Expect difference between snapshots, backup, and soft delete. Learn represents file protection through snapshots, share-level restore, and retention features.
Configure blob lifecycle management Microsoft Learn: Configure blob lifecycle management Rule-based movement and deletion of blobs Know lifecycle rules can tier, archive, or delete blobs based on age, last access, or prefix. Expect automation/cost-control questions. Learn shows lifecycle policy rules, filters, actions, and scheduling.
Configure blob versioning Microsoft Learn: Configure blob versioning Automatic previous versions for blobs Know versioning protects against overwrites and works with soft delete and replication scenarios. Exam angle: recover previous object versions. Learn presents version IDs, restore options, and feature interactions.
20–25%

Deploy and manage Azure compute resources

Automate deployment of resources by using ARM templates or Bicep files

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Interpret an Azure Resource Manager template or a Bicep file Microsoft Learn: Interpret an Azure Resource Manager template or a Bicep ... Declarative infrastructure-as-code structure Read resources, parameters, variables, outputs, dependencies, and modules. Expect questions asking what a template will deploy. Learn explains Bicep syntax and how it compiles to ARM templates.
Modify an existing Azure Resource Manager template Microsoft Learn: Modify an existing Azure Resource Manager template Edit JSON ARM templates safely Know parameters, variables, resources, functions, and dependencies. Exam angle: adjust a template to change SKU, name, or location. Learn represents ARM templates as JSON sections with schema, parameters, resources, and outputs.
Modify an existing Bicep file Microsoft Learn: Modify an existing Bicep file Edit Bicep resources, params, modules, and outputs Expect syntax questions around params, existing resources, dependencies, loops, and modules. Know Bicep is easier than raw JSON templates. Learn shows Bicep file structure and resource declarations.
Deploy resources by using an ARM template or a Bicep file Microsoft Learn: Deploy resources by using an ARM template or a Bicep file Resource deployment to Azure scopes Know deployment commands from portal, CLI, and PowerShell; understand validation and what-if conceptually. Exam angle: choose deployment method. Learn shows deployment commands and target scopes for IaC files.
Export a deployment as an ARM template or convert an ARM template to a Bicep file Microsoft Learn: Export a deployment as an ARM template or convert an ARM... Template export and Bicep decompile Know exported templates are a starting point, not perfect production IaC. Expect conversion/export scenario questions. Learn presents ARM-to-Bicep decompile and limitations of generated files.

Create and configure virtual machines

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Create a virtual machine Microsoft Learn: Create a virtual machine VM creation and base configuration Know region, image, size, disks, admin access, networking, NSG, and availability options. Expect portal workflow questions. Learn shows VM creation steps and core VM properties.
Configure encryption at host for Azure virtual machines Microsoft Learn: Configure encryption at host for Azure virtual machines End-to-end encryption for VM data at host Know encryption at host protects temp disks and caches in addition to managed disks. Exam angle: meet strict encryption requirement. Learn explains prerequisites and enablement for encryption at host.
Move a virtual machine to another resource group, subscription, or region Microsoft Learn: Move a virtual machine to another resource group, subscr... Resource move constraints and Azure Resource Mover Know that moving between resource groups/subscriptions differs from regional move. Expect questions about dependencies and unsupported move cases. Learn represents moves as validated operations with resource-specific limitations.
Manage virtual machine sizes Microsoft Learn: Manage virtual machine sizes Resize VMs and understand size families Choose size based on CPU, memory, disk, GPU, and workload. Exam angle: resize VM and understand deallocation may be required. Learn categorizes VM sizes by workload family and capability.
Manage virtual machine disks Microsoft Learn: Manage virtual machine disks Managed disks, OS/data disks, performance, and snapshots Know disk types, attach/detach, resize, snapshots, and encryption. Expect performance/cost disk SKU questions. Learn presents managed disk lifecycle and performance options.
Deploy virtual machines to availability zones and availability sets Microsoft Learn: Deploy virtual machines to availability zones and availa... VM availability and fault isolation Know availability zones protect from datacenter failure; availability sets use fault/update domains. Expect HA design questions. Learn compares availability options and SLA impact.
Deploy and configure Azure Virtual Machine Scale Sets Microsoft Learn: Deploy and configure Azure Virtual Machine Scale Sets Autoscaling groups of VMs Know scale sets provide identical VM instances, autoscale, and load balancing. Exam angle: choose VMSS for scalable compute. Learn represents VMSS as orchestration for scalable VM workloads.

Provision and manage containers in the Azure portal

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Create and manage an Azure Container Registry Microsoft Learn: Create and manage an Azure Container Registry Private registry for container images Know ACR stores images and integrates with Container Apps, ACI, AKS, and identity access. Expect push/pull and SKU questions. Learn shows registry creation, image push, repository, and access management.
Provision a container by using Azure Container Instances Microsoft Learn: Provision a container by using Azure Container Instances Serverless single-container or simple group workloads Choose ACI for quick, isolated containers without orchestration. Exam angle: run container image with CPU/memory and restart policy. Learn presents ACI as simple container execution from portal or CLI.
Provision a container by using Azure Container Apps Microsoft Learn: Provision a container by using Azure Container Apps Managed container apps with scaling and revisions Know Container Apps for microservices, HTTP ingress, KEDA-based scaling, and revisions. Expect choose-service questions vs ACI/App Service. Learn shows creating apps, environments, ingress, scaling, and revisions.
Manage sizing and scaling for containers, including ACI and Container Apps Microsoft Learn: Manage sizing and scaling for containers, including ACI ... CPU, memory, replicas, scale rules Know ACI uses requested CPU/memory, while Container Apps can scale replicas based on triggers. Exam angle: configure scaling behavior. Learn represents scaling through container resources, min/max replicas, and event-based rules.

Create and configure Azure App Service

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Provision an App Service plan Microsoft Learn: Provision an App Service plan Hosting plan for App Service apps Know pricing tier controls compute, features, and scale. Expect questions about where apps run and how plans affect cost. Learn presents App Service plans as compute containers for one or more apps.
Configure scaling for an App Service plan Microsoft Learn: Configure scaling for an App Service plan Scale up/out for App Service Know scale up changes tier/size and scale out changes instance count. Exam angle: solve performance or availability requirements. Learn shows manual scale and autoscale options.
Create an App Service Microsoft Learn: Create an App Service Deploy web apps to managed Azure hosting Know runtime stack, region, plan, deployment method, and basic app settings. Expect create-web-app workflow questions. Learn presents App Service creation and deployment as a managed PaaS task.
Configure certificates and TLS for an App Service Microsoft Learn: Configure certificates and TLS for an App Service HTTPS, TLS bindings, and certificates Know managed certificates vs uploaded certificates and SNI SSL binding. Expect custom domain HTTPS questions. Learn shows certificate import/create and TLS binding to custom domains.
Map an existing custom DNS name to an App Service Microsoft Learn: Map an existing custom DNS name to an App Service Custom domain mapping Know CNAME vs A records, domain verification, and TXT records. Exam angle: configure a web app with custom hostname. Learn shows DNS record creation and App Service domain validation.
Configure backup for an App Service Microsoft Learn: Configure backup for an App Service App and database backup for supported tiers Know backup schedule, storage account requirement, and restore options. Exam angle: protect and restore web app configuration/content. Learn presents backups as scheduled app snapshots stored in Azure Storage.
Configure networking settings for an App Service Microsoft Learn: Configure networking settings for an App Service Inbound/outbound App Service networking Know VNet integration, private endpoint, access restrictions, and hybrid connections conceptually. Expect network-isolation questions. Learn separates inbound access control from outbound VNet integration features.
Configure deployment slots for an App Service Microsoft Learn: Configure deployment slots for an App Service Staging slots and swap Know slots support testing, warm-up, and rollback through swaps. Expect slot setting vs swapped setting questions. Learn shows slot creation, deployment, swap, and traffic routing.
15–20%

Implement and manage virtual networking

Configure and manage virtual networks in Azure

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Create and configure virtual networks and subnets Microsoft Learn: Create and configure virtual networks and subnets VNet address spaces, subnets, and IP planning Know CIDR, subnet sizing, reserved addresses, and subnet association with NSGs/routes. Expect address-overlap and subnet planning questions. Learn shows VNet and subnet creation plus basic VM connectivity.
Create and configure virtual network peering Microsoft Learn: Create and configure virtual network peering Private connectivity between VNets Know peering is non-transitive by default, supports gateway transit options, and requires non-overlapping address spaces. Expect connectivity design questions. Learn shows bidirectional peering setup and connectivity testing.
Configure public IP addresses Microsoft Learn: Configure public IP addresses Public IP resources, SKU, allocation, and association Know static vs dynamic, Basic vs Standard concepts, and where public IPs attach. Exam angle: expose resources securely. Learn represents public IP as a separate resource used by NICs, load balancers, gateways, and Bastion.
Configure user-defined routes Microsoft Learn: Configure user-defined routes Route tables and next-hop control Know UDRs override system routes and are associated to subnets. Expect questions about routing traffic through NVAs or firewalls. Learn shows route table creation, subnet association, and effective route behavior.
Troubleshoot network connectivity Microsoft Learn: Troubleshoot network connectivity Connectivity diagnostics and effective routes/security Use Network Watcher tools for connectivity checks, IP flow verify, next hop, and packet capture. Expect diagnose-why-VM-cannot-connect scenarios. Learn presents troubleshooting as step-by-step tests through Network Watcher.

Configure secure access to virtual networks

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Create and configure NSGs and application security groups Microsoft Learn: Create and configure NSGs and application security groups Layer 3/4 traffic filtering and workload grouping Know NSG rule priority, direction, source/destination, service tags, ASGs, and default rules. Expect allow/deny evaluation questions. Learn explains NSG rules, default rules, priority, and association to subnet or NIC.
Evaluate effective security rules in NSGs Microsoft Learn: Evaluate effective security rules in NSGs Understand resulting access after multiple NSG assignments Know subnet and NIC NSGs combine, lower priority number wins, and default deny inbound applies. Exam angle: determine whether traffic is allowed. Learn shows effective security rules and IP flow verification.
Implement Azure Bastion Microsoft Learn: Implement Azure Bastion Secure RDP/SSH through browser without public IP Know Bastion requires AzureBastionSubnet and removes need for public IP on VMs. Expect secure administration scenario questions. Learn presents Bastion architecture, SKU concepts, and connection workflow.
Configure service endpoints for Azure PaaS Microsoft Learn: Configure service endpoints for Azure PaaS Extend VNet identity to selected Azure service public endpoints Know service endpoints keep service public IPs but restrict access to selected VNets. Exam angle: choose service endpoint vs private endpoint. Learn explains supported services, subnet configuration, and service firewall integration.
Configure private endpoints for Azure PaaS Microsoft Learn: Configure private endpoints for Azure PaaS Private Link access to PaaS over private IP Know private endpoints assign a NIC/private IP in your VNet and often require private DNS. Expect secure PaaS access questions. Learn presents Private Link architecture, private endpoint NICs, and DNS integration.

Configure name resolution and load balancing

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Configure Azure DNS Microsoft Learn: Configure Azure DNS Public DNS zones and record sets Know DNS zones, record types, delegation, and Azure-hosted public DNS. Expect custom domain/name-resolution questions. Learn represents Azure DNS through zones, record sets, and name-server delegation.
Configure an internal or public load balancer Microsoft Learn: Configure an internal or public load balancer Layer 4 load balancing for TCP/UDP Know frontend IP, backend pool, health probe, and load-balancing rules. Exam angle: choose internal vs public load balancer. Learn shows load balancer components and traffic distribution model.
Troubleshoot load balancing Microsoft Learn: Troubleshoot load balancing Probe, backend, rule, and connectivity diagnostics Know unhealthy probes remove instances from rotation. Expect questions about why traffic does not reach backend VMs. Learn presents troubleshooting through probes, metrics, rules, and backend health checks.
10–15%

Monitor and maintain Azure resources

Monitor resources in Azure

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Interpret metrics in Azure Monitor Microsoft Learn: Interpret metrics in Azure Monitor Numerical platform and resource metrics Know metrics are near real-time numeric time-series data. Expect questions interpreting CPU, availability, latency, and aggregation charts. Learn explains metric namespaces, dimensions, aggregation, and metric explorer.
Configure log settings in Azure Monitor Microsoft Learn: Configure log settings in Azure Monitor Diagnostic settings and log destinations Know diagnostic settings send resource logs/metrics to Log Analytics, Storage, or Event Hubs. Exam angle: capture logs for compliance or analysis. Learn shows categories, destinations, retention considerations, and resource-level configuration.
Query and analyze logs in Azure Monitor Microsoft Learn: Query and analyze logs in Azure Monitor Kusto Query Language in Log Analytics Know basic KQL filtering, summarizing, and time range concepts. Expect simple query interpretation questions. Learn represents log analysis through Log Analytics workspaces and KQL queries.
Set up alert rules, action groups, and alert processing rules Microsoft Learn: Set up alert rules, action groups, and alert processing ... Azure Monitor alerting workflow Know signal, condition, action group, severity, and processing rules. Exam angle: notify admins when metric/log condition is met. Learn shows alert rule types and how actions are triggered.
Configure and interpret monitoring of VMs, storage accounts, and networks by using Azure Monitor Insights Microsoft Learn: Configure and interpret monitoring of VMs, storage accou... Resource-specific insight workbooks and monitoring experiences Know VM Insights, Storage insights, and Network insights help visualize health and performance. Expect choose-monitoring-tool questions. Learn presents Insights as curated monitoring views built on Azure Monitor data.
Use Azure Network Watcher and Connection Monitor Microsoft Learn: Use Azure Network Watcher and Connection Monitor Network diagnostics and end-to-end connectivity monitoring Know Connection Monitor tracks reachability and latency between endpoints. Expect troubleshoot connectivity and monitor network path questions. Learn shows test groups, endpoints, probes, and network diagnostics.

Implement backup and recovery

Official objective bulletMicrosoft Learn documentationTopic coveredMain points / likely exam angleHow Microsoft Learn represents it
Create a Recovery Services vault Microsoft Learn: Create a Recovery Services vault Vault for Azure Backup and Site Recovery Know Recovery Services vault stores backup data and ASR metadata. Exam angle: prerequisite for backing up Azure VMs or configuring replication. Learn shows vault creation, region selection, redundancy, and protection setup.
Create an Azure Backup vault Microsoft Learn: Create an Azure Backup vault Newer vault type for supported backup workloads Know Backup vault is used by newer Azure Backup workloads and differs from Recovery Services vault. Expect identify-correct-vault questions. Learn explains Backup vault architecture, supported datasources, and management model.
Create and configure a backup policy Microsoft Learn: Create and configure a backup policy Backup schedule and retention Know policy defines frequency and retention. Expect questions about daily/weekly/monthly retention and applying policies to VMs. Learn shows policy creation and VM protection configuration.
Perform backup and restore operations by using Azure Backup Microsoft Learn: Perform backup and restore operations by using Azure Backup Protect and recover Azure resources Know restore options such as create new VM, restore disks, or replace existing disk where supported. Expect recovery scenario questions. Learn presents backup jobs, recovery points, and restore workflows.
Configure Azure Site Recovery for Azure resources Microsoft Learn: Configure Azure Site Recovery for Azure resources Disaster recovery replication for Azure VMs Know ASR replicates workloads to another region for DR. Exam angle: configure replication, target region, and recovery plan conceptually. Learn shows enabling replication for Azure VMs and prerequisites.
Perform a failover to a secondary region by using Site Recovery Microsoft Learn: Perform a failover to a secondary region by using Site R... Planned/unplanned failover and failback concepts Know test failover vs failover, commit, and reprotect. Expect DR operation ordering questions. Learn represents failover as controlled recovery steps using recovery points and plans.
Configure and interpret reports and alerts for backups Microsoft Learn: Configure and interpret reports and alerts for backups Backup monitoring, alerts, and reports Know how to monitor backup jobs, failures, alerts, and reports. Exam angle: notify admins of failed backups and review compliance. Learn shows Backup Center, Azure Monitor alerts, logs, and reports.

Fast revision checklist

  • Know Microsoft Entra users, groups, SSPR, guest users, and licensing.
  • Understand Azure RBAC roles, scopes, inheritance, and effective access.
  • Use Azure Policy, tags, locks, management groups, and budgets for governance.
  • Choose the right storage redundancy, access control, SAS, keys, and firewall settings.
  • Know blob tiers, lifecycle management, versioning, snapshots, and soft delete.
  • Read basic ARM and Bicep files and understand deployment scope.
  • Configure VMs, disks, availability, scale sets, containers, and App Service.
  • Plan VNets, subnets, peering, routes, NSGs, Bastion, service endpoints, and private endpoints.
  • Troubleshoot connectivity using effective routes, NSG rules, Network Watcher, and Connection Monitor.
  • Use Azure Monitor metrics, logs, alerts, insights, Backup, and Site Recovery.

Suggested study order

Start with identity and RBAC because they affect almost every Azure resource. Then study storage and networking, because many AZ-104 questions combine access, routing, endpoints, and security rules. Finish with compute, monitoring, backup, and disaster recovery. For each objective, open the linked Microsoft Learn page and practice the portal workflow or CLI command at least once.

How this compares with the official Microsoft study guide

The official Microsoft Learn study guide should always be treated as the source of truth. It defines the current skills measured and provides Microsoft’s own learning links. This article is designed to sit beside it, not replace it: it turns the official bullets into a practical checklist with exam-angle notes and direct study actions.

Microsoft Learn gives you

  • Official exam audience profile
  • Skills measured and exam weightings
  • Microsoft learning paths and documentation
  • Updates when the exam objectives change

This guide adds

  • Objective-by-objective study mapping
  • Plain-English exam interpretation
  • Likely scenario and troubleshooting angles
  • A revision checklist and practical study order

AZ-104 FAQ

Is Microsoft Learn enough to pass AZ-104?

Microsoft Learn is the best official foundation, but most candidates should also practise hands-on tasks and use scenario-style practice questions. AZ-104 often tests operational judgement, not only facts.

What should I study first for AZ-104?

Start with Microsoft Entra ID, Azure RBAC, subscriptions, management groups, Azure Policy, locks, and tags. These governance concepts appear across many other domains.

Is AZ-104 more about networking or administration?

It is an administrator exam, but networking is a major part of Azure administration. You need to understand VNets, subnets, peering, NSGs, routes, DNS, load balancers, Bastion, service endpoints, private endpoints, and Network Watcher.

How should I practise for AZ-104?

For each objective, read the linked Microsoft Learn page, perform the task in a sandbox or lab subscription, then write down the decision rule: when to use that feature, what it costs or protects, and how to troubleshoot it.

Primary source: This guide is aligned to Microsoft’s official AZ-104 skills measured as of 17 April 2026. Always confirm the latest changes on the official Microsoft Learn AZ-104 study guide before booking the exam.