Azure Administrator Exam Guide (AZ-104)
Conquer the AZ-104 Microsoft Azure Administrator certification with this complete study guide covering identity management, governance, storage administration, compute deployment, and virtual networking. This guide provides structured learning paths through all five exam domains with hands-on Azure CLI and PowerShell lab exercises that mirror real administration tasks. Each section includes decision frameworks for choosing between Azure services, configuration best practices, and practice questions designed to test both conceptual understanding and practical skills. Built for IT professionals ready to prove their Azure administration expertise.
Key Features
- All five AZ-104 domains covered with exam-weighted study priorities
- Azure CLI and PowerShell labs for every major topic — learn both interfaces
- Identity and governance deep dives into Entra ID, RBAC, Policy, and Blueprints
- Storage administration covering Blob, File, Table, Queue with redundancy and security options
- Compute management for VMs, App Services, containers, and Azure Functions
- Networking architecture including VNets, NSGs, Load Balancer, Application Gateway, and VPN
- Monitoring and backup strategies using Azure Monitor, Log Analytics, and Recovery Services
Study Plan
Week 1-2: Manage Azure Identities and Governance (20% of exam)
- Entra ID users, groups, and administrative units
- Role-Based Access Control: built-in roles, custom roles, scope assignment
- Azure Policy definitions, initiatives, and compliance remediation
- Management groups, subscriptions, and resource group organization
Week 3-4: Implement and Manage Storage (15% of exam)
- Storage account types, redundancy options (LRS, ZRS, GRS, RA-GRS)
- Blob storage tiers, lifecycle management, and immutability policies
- Azure Files and Azure File Sync for hybrid scenarios
- Storage security: SAS tokens, access keys, stored access policies
Week 5-6: Deploy and Manage Compute Resources (25% of exam)
- VM creation, sizing, availability sets, and scale sets
- ARM templates and Bicep for automated deployments
- Azure App Service plans, deployment slots, and scaling
- Azure Container Instances and Azure Kubernetes Service basics
Week 7-8: Implement and Manage Virtual Networking (20% of exam)
- VNet design, subnets, and IP addressing schemes
- Network Security Groups and Application Security Groups
- VNet peering, VPN Gateway, and ExpressRoute concepts
- Azure Load Balancer, Application Gateway, and Front Door
Week 9-10: Monitor and Maintain Azure Resources (20% of exam)
- Azure Monitor metrics, alerts, and action groups
- Log Analytics workspace queries with KQL
- Azure Backup policies and Recovery Services vaults
- Network Watcher diagnostics and connectivity troubleshooting
Key Topics
| Domain | Weight | Core Services |
|---|---|---|
| Identities and Governance | 20% | Entra ID, RBAC, Policy, Management Groups |
| Storage | 15% | Blob, Files, Tables, Storage Accounts |
| Compute | 25% | VMs, App Service, ACI, VMSS |
| Virtual Networking | 20% | VNets, NSGs, Load Balancer, VPN Gateway |
| Monitoring and Maintenance | 20% | Azure Monitor, Log Analytics, Backup |
Practice Questions
Q1: A company needs to ensure that all resources deployed in their Azure subscription must be in either the East US or West US regions. What is the most efficient approach?
A1: Create an Azure Policy with the built-in "Allowed locations" policy definition. Assign it at the subscription level with the parameter set to East US and West US. Set the effect to "Deny" so non-compliant deployments are blocked at creation time.
Q2: An administrator needs to configure an Azure VM to automatically scale between 2 and 10 instances based on CPU usage, with scale-out at 75% CPU and scale-in at 25% CPU. What resource should they use?
A2: Create a Virtual Machine Scale Set (VMSS) with autoscale rules. Configure a custom autoscale setting with a scale-out rule (metric: Percentage CPU, operator: Greater Than, threshold: 75, action: increase count by 1) and a scale-in rule (threshold: 25, decrease count by 1). Set instance limits to min=2, max=10, default=2.
Q3: A storage administrator needs to give a contractor read-only access to a specific blob container for 30 days without sharing the storage account key. What is the best approach?
A3: Generate a Service SAS token scoped to the specific container with read and list permissions, setting the expiry to 30 days. Alternatively, create a stored access policy on the container for easier revocation, then generate the SAS from that policy. The stored access policy approach is preferred because it allows revoking access before the 30-day expiry if needed.
Q4: An organization needs all Azure resources to have a "CostCenter" tag. Resources without this tag should be flagged but not blocked. How should this be configured?
A4: Assign the built-in Azure Policy "Require a tag on resources" with the tag name parameter set to "CostCenter". Set the effect to "Audit" instead of "Deny". This creates compliance reports showing non-compliant resources without blocking deployments. Use a remediation task to retroactively apply tags.
Lab Exercises
Lab 1: Identity and RBAC Configuration
# Create a new user in Entra ID
az ad user create \
--display-name "Lab User" \
--user-principal-name labuser@example.onmicrosoft.com \
--password "TempP@ss123!"
# Assign Reader role at resource group scope
az role assignment create \
--assignee labuser@example.onmicrosoft.com \
--role "Reader" \
--resource-group my-lab-rg
# List all role assignments for the resource group
az role assignment list --resource-group my-lab-rg --output table
Lab 2: Storage Account with Lifecycle Management
# Create a storage account with GRS redundancy
az storage account create \
--name labstorageacct2026 \
--resource-group my-lab-rg \
--location eastus \
--sku Standard_GRS \
--kind StorageV2
# Create a lifecycle management policy
az storage account management-policy create \
--account-name labstorageacct2026 \
--resource-group my-lab-rg \
--policy '{
"rules": [{
"name": "archiveOldBlobs",
"type": "Lifecycle",
"definition": {
"filters": {"blobTypes": ["blockBlob"]},
"actions": {
"baseBlob": {
"tierToCool": {"daysAfterModificationGreaterThan": 30},
"tierToArchive": {"daysAfterModificationGreaterThan": 180}
}
}
}
}]
}'
Lab 3: VNet Peering Between Two Networks
# Create two VNets
az network vnet create --name vnet-hub --resource-group my-lab-rg --address-prefix 10.0.0.0/16
az network vnet create --name vnet-spoke --resource-group my-lab-rg --address-prefix 10.1.0.0/16
# Create peering from hub to spoke
az network vnet peering create \
--name hub-to-spoke \
--resource-group my-lab-rg \
--vnet-name vnet-hub \
--remote-vnet vnet-spoke \
--allow-vnet-access
# Create peering from spoke to hub (peering must be bidirectional)
az network vnet peering create \
--name spoke-to-hub \
--resource-group my-lab-rg \
--vnet-name vnet-spoke \
--remote-vnet vnet-hub \
--allow-vnet-access
Exam Tips
- Azure CLI vs. PowerShell — know both syntaxes; the exam tests both interfaces
- RBAC scope hierarchy — Management Group > Subscription > Resource Group > Resource; permissions inherit downward
- Storage redundancy — understand the difference between LRS/ZRS/GRS/RA-GRS and when each is appropriate
- NSG rule evaluation — rules are evaluated by priority (lowest number first); deny rules are not special
- Know your load balancers — Layer 4 (Azure Load Balancer) vs. Layer 7 (Application Gateway) is a common question pattern
- Policy vs. RBAC — Policy controls what resources can do; RBAC controls what users can do
Resources
- AZ-104 Exam Skills Outline
- Microsoft Learn: AZ-104 Learning Path
- Azure CLI Reference
- Azure Architecture Center
This is 1 of 11 resources in the Certification Prep Pro toolkit. Get the complete [Azure Administrator (AZ-104) Guide] with all files, templates, and documentation for $49.
Or grab the entire Certification Prep Pro bundle (11 products) for $249 — save 30%.
Top comments (0)