Azure Cert Prep·

Microsoft Azure Administrator (AZ-104) Study Guide: Every Domain, Every Skill

A complete domain-by-domain breakdown of the AZ-104 exam: the five official skill areas, the services that get over-tested, the modern Azure terminology you must use (Entra ID, not Azure AD), and the topics you can safely deprioritize.

What this guide covers

The Microsoft Certified: Azure Administrator Associate (AZ-104) is the mid-level Azure certification — the one that proves you can deploy, manage, and monitor identity, storage, compute, networking, and observability resources at a production-administrator level. It's a 100-minute exam, 40–60 questions, and the pass mark is 700 out of 1000.

This guide walks through the five official AZ-104 skill domains by their current weight, names the Azure services you must recognize cold, flags the questions that get over-tested, and calls out the legacy terminology that will trip up candidates who studied with old (AZ-100 / AZ-103-era) material.

A note on terminology before you start

Microsoft renamed several products since the previous version of the exam. Studying with old material is the single biggest cause of confusion on test day. Internalize these now:

  • Microsoft Entra ID is the current name for what used to be called Azure Active Directory (Azure AD). The rename happened in 2023. You will see "Entra ID" in the exam, the portal, and modern docs — but old study guides still say "Azure AD." They mean the same product.
  • Entra ID is not Active Directory Domain Services. Different protocols (OAuth/SAML vs Kerberos/LDAP), no OUs, no Group Policy. Don't conflate them.
  • Azure Compute Gallery replaced Shared Image Gallery (functionally identical, just renamed).
  • Azure Update Manager replaced the older Automation-based Update Management feature.
  • Azure Monitor Agent (AMA) replaced the legacy Log Analytics agent, which was retired in August 2024.

Use the new names. The exam does.

Domain 1 — Manage identities and governance (20–25%)

The biggest single domain, and the one where almost every question starts with "You have a Microsoft Entra ID tenant that contains..."

You need to know cold:

  • Entra ID identity types: cloud-only, synchronized (from on-prem AD via Entra Connect), and guest users (B2B collaboration).
  • Group membership types: Assigned, Dynamic User, Dynamic Device. Dynamic groups require Entra ID P1 minimum.
  • Entra ID license tiers and what each unlocks: Free, Microsoft 365 Apps, P1 (Conditional Access, dynamic groups, SSPR with on-prem write-back), P2 (Privileged Identity Management, Identity Protection, access reviews). Conditional Access is the single feature most commonly tested at the P1 boundary; PIM is the P2 marker.
  • Conditional Access signals: user, location (named/trusted IP ranges), cloud app, device state, sign-in risk. Multiple signals combine into one policy.
  • Azure RBAC's four-element model: security principal (who) × role definition (what) × scope (where) × assignment (binding). Built-in roles you must distinguish: Owner (full + manage access), Contributor (full minus access), Reader, User Access Administrator (manages role assignments only). The exam often asks "least-privilege role" — Contributor is the right answer when the user shouldn't be able to grant access to others.
  • Hierarchy and inheritance: Tenant Root → Management Group → Subscription → Resource Group → Resource. Policy and RBAC assignments inherit downward. Tags do not inherit by default — propagation requires Azure Policy's "Inherit a tag" rule.
  • Azure Policy effects: Audit, Deny, Append, Modify, DeployIfNotExists, AuditIfNotExists. Deny is the one you'll be asked about for "prevent non-compliant deployments."
  • Resource locks: CanNotDelete (modify OK, delete blocked) vs ReadOnly (no modify, no delete). Locks at parent scopes inherit downward.

Common trap: confusing RBAC roles with Entra ID directory roles. RBAC controls Azure resources; directory roles (e.g., Global Administrator, User Administrator) control the Entra ID tenant itself. They're separate systems with separate role lists.

Domain 2 — Implement and manage storage (15–20%)

The smallest domain by weight but the one where students drop points on replication-option questions because the four-letter acronyms (LRS / ZRS / GRS / GZRS) blur together.

You need to know cold:

  • Storage account performance tiers: Standard (HDD-backed) vs Premium (SSD-backed, separate account kinds for BlockBlob / FileStorage / Page Blob).
  • Replication options at the Standard tier:
    • LRS — 3 copies in one datacenter. Cheapest. Survives disk/rack failure.
    • ZRS — 3 copies across 3 Availability Zones in one region. Survives a full AZ outage.
    • GRS — LRS in primary + async copy to paired region. Survives a regional outage. Reads from secondary require RA-GRS.
    • GZRS — ZRS in primary + async copy to paired region. Survives AZ outage AND regional outage. Reads from secondary require RA-GZRS.
  • Blob access tiers: Hot (frequent access), Cool (≥30-day retention, lower storage cost), Cold (≥90-day, even cheaper), Archive (≥180-day, offline, hours to rehydrate). Lifecycle Management policies automate tier transitions.
  • Azure Files vs Blob: Files = managed SMB/NFS shares (mountable from cloud and on-prem). Blob = object storage with HTTPS/REST access. Pick the one the question's access pattern requires.
  • Security primitives: storage account access keys (full control — rotate via Key Vault), Shared Access Signatures (account-level, service-level, user-delegation), Private Endpoints (most secure — private IP inside your VNet, traffic never traverses the internet).
  • Soft delete and versioning protect against accidental deletion. Defaults: 7-day blob soft delete, container soft delete optional.

Common trap: picking GRS when the question requires AZ-loss survivability. GRS is multi-region but its primary copy is LRS — so a primary-region AZ failure can affect availability before failover. Use GZRS for both.

Domain 3 — Deploy and manage Azure compute resources (20–25%)

Co-largest domain with identities. Heavy on scenario-based "which compute service" and "which configuration achieves this SLA" questions.

You need to know cold:

  • VM availability constructs and their SLAs:
    • Single VM with Premium SSD: 99.9%.
    • Two+ VMs in an Availability Set (multi-fault-domain, multi-update-domain, single datacenter): 99.95%.
    • Two+ VMs across Availability Zones + zone-redundant managed disks: 99.99%.
    • The 99.99% SLA requires both — VMs across AZs and ZRS-managed disks. Many candidates forget the disk requirement.
  • VM Scale Sets (VMSS): Uniform orchestration (identical VMs, legacy default) vs Flexible orchestration (mixed sizes, can incorporate standalone VMs, now Microsoft's recommended default).
  • Disk SKUs: Standard HDD, Standard SSD, Premium SSD (most common production choice), Premium SSD v2, Ultra Disk (extreme IOPS, separate billing).
  • App Service: managed PaaS, deployment slots for zero-downtime swap and A/B testing. Slots are the answer for "test a new version then promote with no downtime."
  • Container services: ACI (single containers, no orchestration, fastest start), Container Apps (managed serverless, scale to zero), AKS (managed Kubernetes). ACR is the private registry.
  • Functions Consumption plan timeout: 10 minutes maximum.
  • Bastion is the answer for "RDP/SSH to a VM with no public IP, without a self-managed jump-box."

Common trap: confusing Availability Sets (single-datacenter, 99.95%) with Availability Zones (multi-datacenter, 99.99%). The exam will use both terms in distractors.

Domain 4 — Implement and manage virtual networking (15–20%)

The networking domain rewards crisp service-layer recognition. The four load-balancing services are the #1 distractor source.

You need to know cold:

  • VNets and subnets: 5 reserved IPs per subnet (network, default gateway, two DNS, broadcast). Plan CIDR accordingly.
  • NSG rules: priority 100–4096, lower wins, first match wins. Default rules: VNet-to-VNet allow inbound, Load Balancer inbound allow, internet outbound allow, everything else denied.
  • Application Security Groups (ASGs): group NICs by role (web, db, app) so NSG rules reference roles, not IPs. Adding/removing VMs from the ASG doesn't require rule edits.
  • VNet peering is non-transitive: A↔B and B↔C does not give A↔C. Hub-and-spoke topologies use a Network Virtual Appliance, Azure Firewall, or Route Server in the hub for transit.
  • Hybrid connectivity: Site-to-Site VPN (encrypted tunnel over internet, slower), Point-to-Site VPN (individual client to VNet), ExpressRoute (dedicated private circuit, fastest, most expensive).
  • The four load-balancing services and their distinct purposes:
    • Azure Load Balancer — Layer 4 (TCP/UDP), regional, public or internal.
    • Application Gateway — Layer 7 (HTTP/HTTPS), regional, supports URL-path routing, WAF, SSL termination.
    • Azure Front Door — Layer 7, global (anycast), built-in WAF and CDN.
    • Traffic Manager — DNS-based global routing. Not in the data path — it returns DNS responses and clients connect directly to endpoints.
  • NAT Gateway for deterministic outbound internet connectivity from a subnet without per-VM public IPs.

Common trap: picking Traffic Manager when the question implies request-level routing. Traffic Manager only does DNS. If the question mentions "URL-based routing," "SSL termination," or "WAF" — that's Application Gateway (regional) or Front Door (global).

Domain 5 — Monitor and maintain Azure resources (10–15%)

The smallest domain, but every question is about distinct telemetry types and recovery services that students conflate.

You need to know cold:

  • Azure Monitor's four telemetry types and what each captures:
    • Metrics — numeric time-series, near-real-time, retained ~93 days.
    • Logs — structured log data in a Log Analytics workspace, queried with Kusto Query Language (KQL).
    • Activity Log — subscription-level audit of management operations (who created/deleted what), retained 90 days by default.
    • Resource Logs — per-resource diagnostic logs, must be enabled via a diagnostic setting to flow to Log Analytics / Storage / Event Hub.
  • Diagnostic settings route Resource Logs to three valid destinations: Log Analytics workspace, Storage account, Event Hub.
  • Alerts: metric alerts (numeric thresholds), log alerts (KQL-based), activity log alerts (management-plane events). Action groups deliver notifications (email, SMS, webhook, runbook).
  • Azure Backup vs Azure Site Recovery (ASR) — students confuse these constantly:
    • Backup = point-in-time restore. Recovery Services vault stores backup data. Sources: Azure VMs, Azure Files, SQL/SAP HANA in Azure VMs, on-prem via MARS agent.
    • ASR = disaster recovery / failover to a secondary region. Recovery plans orchestrate failover order. Test failover validates without disrupting production.
  • Cross-region restore is available when the Recovery Services vault uses Geo-Redundant Storage.
  • Azure Service Health shows incidents and planned maintenance scoped to your resources. Differs from Azure Status (the public site listing all services worldwide).

Common trap: picking Azure Backup when the question describes regional failover. Backup is point-in-time restore. ASR is the failover/DR product.

What's NOT on the AZ-104

A lot of free study material covers things that aren't really tested. Don't waste time deep-diving on:

  • Solution architecture patterns — that's AZ-305 territory (Solutions Architect Expert).
  • Power BI, Azure Synapse, Data Factory — out of scope, those are data-platform exams.
  • Detailed Azure Active Directory B2C — Entra ID for employees and guests is in scope; B2C is a separate exam track.
  • Deep DevOps tooling (Azure Pipelines internals, GitHub Actions YAML) — AZ-400.
  • Container Apps internals beyond "what is it for" — covered briefly, not in depth.
  • Cost-optimization deep dives — Reserved Instances, Savings Plans, Spot VMs appear at most once each.

The seven services you cannot afford to confuse

If you only memorize one thing from this guide, make it the difference between these similar-sounding services. The exam tests these distinctions on at least 5–8 questions:

  1. Azure Load Balancer (L4) vs Application Gateway (L7 regional) vs Front Door (L7 global) vs Traffic Manager (DNS).
  2. Availability Sets (single DC, 99.95%) vs Availability Zones (multi-DC, 99.99%).
  3. NSG (subnet/NIC firewall) vs ASG (NIC role grouping) vs Azure Firewall (managed L7 firewall NVA).
  4. Azure Backup (point-in-time restore) vs Azure Site Recovery (regional failover).
  5. Activity Log (management plane) vs Resource Logs (data plane).
  6. Service Endpoints (VNet-aware public endpoint firewall) vs Private Endpoints (private IP in your VNet).
  7. Owner (full + manage access) vs Contributor (full minus access) vs User Access Administrator (manage access only).

How to study efficiently

The AZ-104 rewards scenario recognition over service depth. You don't need to know every Azure CLI flag or portal blade — you need to recognize 60+ services and pick the right one for a "You have an Azure subscription that contains..." stem. The best study loop is:

  1. Read Microsoft Learn or a structured course module for one domain.
  2. Immediately drill 20–30 scenario questions on that domain.
  3. When you get one wrong, read the explanation and add the distractor pattern to a notes file ("I keep picking GRS when GZRS is correct because I forget AZ-loss survivability").
  4. After all five domains, run a full simulated exam under timed conditions.
  5. In the final week, focus drills on whichever domain is furthest below 75%.

Quizify's Microsoft AZ-104 track is built for exactly this loop. Per-domain focus mode lets you drill Networking alone, then Identities alone, then Compute alone — and per-domain analytics tell you exactly where your score is leaking before you sit the real exam. Multi-select "Select TWO" and "Select THREE" questions appear in the mix because they appear on the real exam too.

The bottom line

The AZ-104 is the most reasonable mid-level cloud certification in the industry, but only if you study current Azure terminology and the five official skill domains. Skip the architect-level depth (that's AZ-305), avoid old AZ-103 study material that still calls Entra ID "Azure AD," and drill scenario questions per domain until your weakest domain is at least 75%.

Start drilling Microsoft AZ-104 questions →