How to pass Microsoft Azure Administrator (AZ-104)
The Microsoft Azure Administrator (AZ-104) certifies that you can run an Azure environment day to day: managing identities and governance, storage, compute, virtual networking, and the monitoring and recovery that keeps it all healthy. It is not an architecture exam and not a developer exam. It is the operator's exam, and most questions put you in the seat of the administrator who has to make a working configuration choice under a stated requirement.
It suits practitioners who already touch Azure in a hands-on role: cloud administrators, infrastructure engineers, support engineers, and IT generalists moving estates onto Azure who need to prove they can implement and manage resources correctly rather than just describe them. The exam mixes standalone multiple-choice and multiple-response items with case studies, and a meaningful share are yes/no statement checks where one precise fact decides the answer. That format punishes fuzzy knowledge: you either know that a Cost Management budget never stops resources, or you guess.
What makes AZ-104 pass-or-fail is precision on the defaults and limits Azure actually enforces. The exam rarely asks what a service is for. It asks what happens at the boundary: which redundancy option replicates where, whether you can change an account type in place, what a deny assignment overrides, how often Policy re-evaluates, which licence tier unlocks self-service password reset. Knowing the service exists is the easy half. Knowing its exact behaviour under the named condition is the half that is marked.
AZ-104 is an operator's exam that tests precise Azure defaults and limits: most questions hinge on one exact behaviour at a boundary, so the administrator who knows what Azure actually enforces beats the one who only knows what each service is for.
Difficulty: Intermediate
Best for: Hands-on Azure administrators, infrastructure and support engineers, and IT generalists who implement, manage, and monitor Azure identities, storage, compute, networking, and recovery, and need to prove they can operate the platform under real requirements.
Prerequisites: None enforced. Microsoft assumes around six months of hands-on Azure administration: comfort with the portal, CLI, and PowerShell, plus a working understanding of identities, networking, storage, and virtualisation. That practical exposure, not theory, is what carries the precision questions.
Questions: Typically 40 to 60
Time allowed: 120 min
Pass mark: 700 / 1000
Exam cost (USD): $165
Practice questions: 242
How this exam thinks
One habit decides this exam: read the question for the exact requirement, then pick the configuration or behaviour Azure actually enforces under that condition, not the one that sounds reasonable. The exam frames most items as a concrete administrative situation with a named constraint (a region, a licence tier, a redundancy need, a security boundary) and rewards the answer that matches Azure's documented default or limit. Several options usually sound plausible; only one is what the platform really does.
The tie-breaker is precision over intuition. Many traps are built from a sensible-sounding assumption that Azure does not honour: that a budget stops spend, that you can switch a storage account type in place, that a removed NSG rule drops live connections, that a role assignment beats a deny assignment. When two answers feel right, the correct one is the documented behaviour at the boundary, so anchor on the default, the licence requirement, the precedence rule, or the hard limit rather than on what would be convenient. For yes/no statement items, treat the statement as guilty until proven correct: find the single fact it turns on and check it before you commit.
The rest is the operator's reflex the whole exam shares: choose the managed, requirement-fit, cost-aware option. Use the built-in capability over a hand-rolled one (Azure Backup over scripts, Bastion over a public RDP port, managed identities over stored keys), pick the redundancy and tier that meet the stated durability or budget without overspending, and scope access with the least privilege that still satisfies the requirement. Name the constraint, then choose the setting Azure built for it.
What each domain tests and how to study it
The AZ-104 blueprint is split across 5 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.
What you must be able to do. Given an identity, access, or governance requirement, configure Entra users and groups, assign the least-privilege RBAC role, and apply the tag, policy, lock, or budget that enforces the stated constraint.
In one sentence: The control-plane domain: who can sign in, what they are allowed to do, and the guardrails that keep a subscription compliant and on budget.
Recall check: answer these from memory first
When a role assignment grants access and a deny assignment blocks the same action for the same user, which one wins and why?
What does a Cost Management budget actually do when it reaches 100 percent of its amount, and what does it never do?
Which Entra ID tier is the minimum for self-service password reset, and what can the Free tier do instead?
Besides resource create or update and assignment changes, what triggers Azure Policy to re-evaluate existing resources, and how often?
What it tests. The largest domain by weight, covering the governance backbone of an Azure tenancy. Managing Microsoft Entra users and groups, including the licence tiers that gate features such as self-service password reset; controlling access with Azure role-based access control, including how role assignments, deny assignments, and scope inheritance combine; and governing subscriptions with tags, Azure Policy, resource locks, and Cost Management budgets. The exam leans hard on precedence and defaults here: which control wins when two apply, what a budget does and does not do, and when Policy actually evaluates compliance.
How to study it. Drill the precedence and default rules, because that is what the questions turn on, not definitions. Fix that deny assignments are evaluated before role assignments and override them, that a resource lock blocks delete or write regardless of RBAC, and that a Cost Management budget only notifies and never stops resources. Learn the SSPR licensing line precisely: Entra ID Free allows cloud-only password change but not self-service password reset, which needs Microsoft 365 Business Standard or Entra ID P1 or P2. Memorise the Policy evaluation triggers, including the standard compliance cycle that re-runs every 24 hours even when nothing changes. For RBAC, practise reading a requirement and naming the single built-in role and scope that grant exactly enough.
Easy to confuse
Role assignment versus deny assignment. A role assignment grants a principal permission to act at a scope; a deny assignment blocks specified actions and is evaluated first, so it overrides any role assignment. If both apply to the same user and action, access is blocked, not allowed.
Cost Management budget versus resource lock. A budget is a notification and tracking tool that alerts on threshold breach but never stops resources or caps spend; a resource lock actively prevents deletion or modification of a resource. One warns you, the other physically blocks the operation.
Cloud-only password change versus self-service password reset. Password change is the known-password scenario and is available on Entra ID Free; self-service password reset is the forgotten-password scenario and requires Microsoft 365 Business Standard or higher, or Entra ID P1 or P2. The licence tier is the deciding fact.
Worked example from the AZ-104 bank
Free sample. Domain: Manage Azure Identities and Governance. Difficulty: hard.
A resource has both a role assignment granting a user access and a deny assignment that applies to the same user and action. When Azure Resource Manager evaluates the request, the role assignment is checked first and grants access, so the deny assignment is ignored. Is this statement correct?
A. Yes
B. No (Correct)
Deny assignments are evaluated first and override role assignments. The documentation states that deny assignments are evaluated before role assignments and that if a deny assignment applies, access is blocked regardless of role assignments. Deny assignments take precedence, so the request is blocked, not allowed.
Why A is wrong: Answering Yes assumes role assignments are checked first and win, but the documentation gives deny assignments precedence and evaluates them before role assignments.
Why B is correct: Correct. The documentation states that deny assignments are evaluated before role assignments and that if a deny assignment applies, access is blocked regardless of role assignments.
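The evaluation order described above, as an added example that is not from the original guide or from Microsoft: a simplified Python model of how deny assignments, role assignments, NotActions, and scope inheritance combine for one request. The principals, resource IDs, and abbreviated role definitions are constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


def in_scope(assignment_scope, resource_id):
    """An assignment at a parent scope is inherited by every child scope."""
    scope = assignment_scope.lower().rstrip("/")
    target = resource_id.lower().rstrip("/")
    # Require a path boundary so ".../rg-app" does not cover ".../rg-app2".
    return target == scope or target.startswith(scope + "/")


def matches(action, patterns):
    """Match an action string against patterns that may contain '*'."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


@dataclass
class RoleAssignment:
    principal: str
    scope: str
    actions: list
    not_actions: list = field(default_factory=list)


@dataclass
class DenyAssignment:
    name: str
    scope: str
    principals: list  # "*" stands for all principals
    actions: list
    not_actions: list = field(default_factory=list)
    exclude_principals: list = field(default_factory=list)


def evaluate(principal, action, resource_id, role_assignments, deny_assignments):
    """Return (decision, reason) for one request against one resource."""
    # Step 1: deny assignments are evaluated first. One match blocks the
    # request, whatever the role assignments say.
    for deny in deny_assignments:
        if (in_scope(deny.scope, resource_id)
                and ("*" in deny.principals or principal in deny.principals)
                and principal not in deny.exclude_principals
                and matches(action, deny.actions)
                and not matches(action, deny.not_actions)):
            return "Deny", f"deny assignment '{deny.name}'"
    # Step 2: only now are role assignments consulted. NotActions is
    # subtracted from that role's Actions; it is not a deny rule, so a
    # different role assignment can still grant the action.
    for role in role_assignments:
        if (role.principal == principal
                and in_scope(role.scope, resource_id)
                and matches(action, role.actions)
                and not matches(action, role.not_actions)):
            return "Allow", f"role assignment at {role.scope}"
    # Step 3: nothing granted the action, so access is not allowed.
    return "Deny", "no role assignment grants this action"


# Constructed sample data (placeholder subscription ID and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/stexample"

ROLES = [
    # Contributor-like grant at the resource group, abbreviated NotActions.
    RoleAssignment("alice", RG, ["*"],
                   ["Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/*/Delete"]),
    RoleAssignment("deploy-identity", SUB, ["*"]),
]
DENIES = [
    DenyAssignment("protect-storage", SA, ["*"],
                   ["Microsoft.Storage/storageAccounts/delete"],
                   exclude_principals=["deploy-identity"]),
]

if __name__ == "__main__":
    requests = [
        ("alice", "Microsoft.Storage/storageAccounts/delete"),
        ("alice", "Microsoft.Storage/storageAccounts/write"),
        ("alice", "Microsoft.Authorization/roleAssignments/write"),
        ("deploy-identity", "Microsoft.Storage/storageAccounts/delete"),
        ("bob", "Microsoft.Storage/storageAccounts/read"),
    ]
    for who, action in requests:
        print(who, action, evaluate(who, action, SA, ROLES, DENIES))
```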
What you must be able to do. Given a durability, access, or cost requirement, choose the storage account type and redundancy, secure access with the right mechanism, and configure tiers and lifecycle rules to meet the constraint.
In one sentence: The storage domain: pick the right redundancy and account type, grant access the safe way, and let tiers and lifecycle rules manage cost automatically.
Recall check: answer these from memory first
What is the single difference between GRS and GZRS, and where does the secondary region copy always sit?
Can you change an existing storage account to a different type in place, and if not, what does moving the data require?
In a Blob lifecycle policy, what scopes the rule to a subset of blobs, and what decides when the action fires?
With both versioning and soft delete enabled, what happens to a blob when you delete it without a version ID?
What it tests. Configuring and managing Azure Storage correctly. Securing access with shared access signatures, access keys, and Microsoft Entra authorisation, and knowing which fits a given trust and rotation requirement; choosing storage account types, redundancy options, and networking; and configuring Azure Files and Blob Storage with access tiers and lifecycle management. The exam probes the exact behaviours: how GRS and GZRS differ, that account type is fixed at creation, how versioning interacts with soft delete, and which part of a lifecycle policy scopes which blobs it touches.
How to study it. Learn the redundancy ladder by where each replica lives. LRS keeps three copies in one datacentre; ZRS spreads across zones in one region; GRS and GZRS add a paired secondary region, and the only difference between them is the primary-region method (GRS uses LRS in the primary, GZRS uses ZRS), while the secondary is always LRS. Fix that an account type is chosen at creation and cannot be changed in place, so a switch means a new account and a data copy. For Blob, separate the three lifecycle pieces: a filter (name prefix or index tags) scopes which blobs, a condition (last modified, last accessed, creation time) gates when, and an action sets the tier or deletes. Learn that with versioning plus soft delete enabled, deleting a blob makes the current version a previous version rather than entering the soft delete window.
Easy to confuse
GRS versus GZRS. Both replicate to a paired secondary region, and the secondary always uses LRS for both. They differ only in how the primary region replicates: GRS uses LRS in the primary, GZRS uses ZRS, so GZRS adds zone resilience in the primary.
Lifecycle filter versus condition. A filter (name prefix or blob index tags) specifies which blobs a rule includes; a condition (creation, last modified, or last accessed time) specifies when the action runs. The filter chooses the subset, the condition chooses the timing.
Shared access signature versus access key. An account access key grants full control over the whole account and is hard to scope; a shared access signature is a scoped, time-limited, permission-limited token derived for delegated access. Use a SAS for least-privilege, expiring grants rather than handing out the master key.
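The filter, condition, and action split described above, as an added example that is not from the original guide: a small Python evaluator that applies a constructed policy, written in the Azure Blob lifecycle management JSON shape, to constructed sample blobs. The container, blob names, and tag values are assumptions, and the tie-break between several due actions (the least expensive action is applied) is Azure's documented behaviour rather than something this guide states.

```python
from datetime import datetime, timedelta, timezone

# Constructed policy: rule 1 is scoped by name prefix, rule 2 by index tag.
POLICY = {"rules": [
    {"enabled": True, "name": "age-out-logs", "type": "Lifecycle",
     "definition": {
         "filters": {"blobTypes": ["blockBlob"],
                     "prefixMatch": ["appdata/logs/"]},
         "actions": {"baseBlob": {
             "tierToCool": {"daysAfterModificationGreaterThan": 30},
             "tierToArchive": {"daysAfterModificationGreaterThan": 90},
             "delete": {"daysAfterModificationGreaterThan": 365}}}}},
    {"enabled": True, "name": "archive-closed", "type": "Lifecycle",
     "definition": {
         "filters": {"blobTypes": ["blockBlob"],
                     "blobIndexMatch": [
                         {"name": "Status", "op": "==", "value": "Closed"}]},
         "actions": {"baseBlob": {
             "tierToArchive": {"daysAfterCreationGreaterThan": 7}}}}},
]}

# Condition key -> blob timestamp it is measured from.
CONDITION_FIELDS = {
    "daysAfterModificationGreaterThan": "last_modified",
    "daysAfterCreationGreaterThan": "created",
    "daysAfterLastAccessTimeGreaterThan": "last_accessed",
}
# When several actions are due, the least expensive one is applied.
COST_ORDER = ["delete", "tierToArchive", "tierToCold", "tierToCool"]

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def make_blob(container, name, age_days, tags=None):
    """Build a constructed sample blob created and last modified age_days ago."""
    ts = NOW - timedelta(days=age_days)
    return {"container": container, "name": name, "type": "blockBlob",
            "created": ts, "last_modified": ts, "last_accessed": None,
            "tags": tags or {}}


def filter_matches(filters, blob):
    """Filter: WHICH blobs the rule covers (type, name prefix, index tags)."""
    if blob["type"] not in filters.get("blobTypes", []):
        return False
    # Prefixes start with the container name, so match on container/name.
    path = f'{blob["container"]}/{blob["name"]}'
    prefixes = filters.get("prefixMatch", [])
    if prefixes and not any(path.startswith(p) for p in prefixes):
        return False
    return all(blob["tags"].get(t["name"]) == t["value"]
               for t in filters.get("blobIndexMatch", []))


def condition_met(condition, blob, now):
    """Condition: WHEN the action fires. This model requires every listed
    age threshold to be exceeded."""
    for key, days in condition.items():
        ts = blob.get(CONDITION_FIELDS[key])
        if ts is None or (now - ts).days <= days:
            return False
    return True


def decide(policy, blob, now=NOW):
    """Return the action the policy applies to this blob, or None."""
    due = set()
    for rule in policy["rules"]:
        if not rule.get("enabled", True):
            continue
        definition = rule["definition"]
        if not filter_matches(definition["filters"], blob):
            continue  # out of scope: conditions are never evaluated
        for action, condition in definition["actions"]["baseBlob"].items():
            if isinstance(condition, dict) and condition_met(condition, blob, now):
                due.add(action)
    return next((a for a in COST_ORDER if a in due), None)


if __name__ == "__main__":
    samples = [
        make_blob("appdata", "logs/recent.log", 12),
        make_blob("appdata", "logs/november.log", 61),
        make_blob("appdata", "logs/ancient.log", 580),
        make_blob("appdata", "reports/ancient.pdf", 580),
        make_blob("appdata", "reports/q1.pdf", 10, {"Status": "Closed"}),
    ]
    for b in samples:
        print(b["name"], "->", decide(POLICY, b))
```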
Worked example from the AZ-104 bank
Free sample. Domain: Implement and Manage Storage. Difficulty: hard.
An architect compares geo-redundant storage and geo-zone-redundant storage for a critical account. Both replicate to a paired secondary region. What is the primary difference between GRS and GZRS?
A. How data is replicated within the account primary region (Correct)
B. Whether the secondary region copy is encrypted at all
C. Whether any secondary region copy is created at all
D. How the secondary region replicates the copied account
GRS and GZRS differ only in primary-region replication (LRS versus ZRS); the secondary always uses LRS. The docs state the primary difference between GRS and GZRS is how data is replicated in the primary region: GRS uses LRS and GZRS uses ZRS, while within the secondary region data is always replicated synchronously using LRS for both.
Why A is correct: Correct. The docs state the primary difference between GRS and GZRS is how data is replicated in the primary region: GRS uses LRS and GZRS uses ZRS, while within the secondary region data is always replicated synchronously using LRS for both.
Why B is wrong: All redundancy options encrypt data in both regions, so encryption is not the difference.
Why C is wrong: Both GRS and GZRS create a secondary region copy, so this is not the difference.
Why D is wrong: Within the secondary region both options always replicate synchronously using LRS.
What you must be able to do. Given a workload with scale, availability, and hosting constraints, deploy it idempotently with ARM or Bicep and choose between VMs, scale sets, containers, and App Service, with the right autoscale and billing model.
In one sentence: The compute domain: deploy resources repeatably as code, then pick the VM, scale set, container, or App Service option whose availability and billing fit the workload.
Recall check: answer these from memory first
You redeploy an ARM template that exactly matches an existing resource. What happens, and what property of templates explains it?
On a scale set running several hundred instances, which autoscale operation adds capacity relative to the current count, and why prefer it here?
Which managed disk redundancy option gives the higher yearly durability, and what are the two nines figures?
In a dedicated App Service tier hosting several apps across two VM instances, what determines the compute charge?
What it tests. Deploying and operating compute correctly. Automating deployment with ARM templates and Bicep, where idempotency is the key behaviour; creating virtual machines with the right availability option and disk redundancy; configuring Virtual Machine Scale Sets and their autoscale rules; running containers on Azure Container Instances and Azure Container Apps; and hosting web apps on Azure App Service. The exam tests exact behaviours: that redeploying a template whose desired state already exists makes no changes, which scale operation suits a large scale set, the durability figures for LRS versus ZRS disks, and how App Service plans bill.
How to study it. Anchor on the behaviours the exam checks, not the click paths. Learn that ARM and Bicep deployments are idempotent: deploy the same template against an already-matching resource and nothing changes, so existing-resource scenarios resolve to no change rather than an error or a duplicate. For scale sets, match the autoscale operation to the size: increase or decrease percent by scales relative to the current count and suits large sets where a fixed step would barely move the needle, while increase count by adds a fixed number for smaller sets. Memorise the disk durability line: LRS disks give eleven nines a year, ZRS disks give twelve nines. For App Service, fix that dedicated tiers bill per VM instance in the plan regardless of how many apps run on it.
Easy to confuse
Increase count by versus increase percent by. Increase count by adds a fixed number of instances each trigger, fine for small scale sets; increase percent by adds a percentage of the current count, which is what the docs recommend for large scale sets where a fixed increase would not noticeably improve performance.
LRS versus ZRS managed disks. Locally redundant storage disks provide at least eleven nines of yearly durability; zone-redundant storage disks provide at least twelve nines by spreading copies across zones. ZRS is the higher-durability option.
Azure Container Instances versus App Service. Container Instances run a single container or container group quickly with no orchestration for short-lived or burst workloads; App Service is a managed platform for hosting web applications with scaling, slots, and plan-based billing. Reach for App Service for ongoing web apps, ACI for lightweight, isolated container runs.
Worked example from the AZ-104 bank
Free sample. Domain: Deploy and Manage Azure Compute Resources. Difficulty: medium.
You deploy an ARM template that defines a storage account with a fixed name and Standard_LRS SKU. A storage account with exactly those properties already exists in the target resource group. What happens when the deployment runs?
A. No changes are made to the existing storage account because templates are idempotent. (Correct)
B. The deployment fails because a resource with that name already exists in the group.
C. A second storage account is created with a numeric suffix appended to the name.
D. The existing account is deleted and then recreated from the template values.
Deploying a template whose desired state already exists results in no changes, because templates are idempotent. ARM templates are idempotent: you can deploy the same template many times and get the same resource types in the same state. The docs state that if the storage account with the specified properties already exists, no changes are made.
Why A is correct: Correct. ARM templates are idempotent: you can deploy the same template many times and get the same resource types in the same state.
Why B is wrong: Idempotency means redeploying the same desired state succeeds without error rather than failing on the existing resource.
Why C is wrong: Resource Manager matches on the declared name and type; it does not auto-generate a parallel resource with a suffix.
Why D is wrong: When the declared state already matches, Resource Manager makes no changes rather than tearing down and rebuilding the resource.
What you must be able to do. Given a connectivity, security, or traffic-distribution requirement, choose the peering, secure-access control, and DNS or load-balancing service that meets it, and reason correctly about how rule changes affect live traffic.
In one sentence: The networking domain: connect virtual networks the right way, lock down access with NSGs, Firewall, and Bastion, and distribute traffic with the correct DNS or load-balancing service.
Recall check: answer these from memory first
Which peering option connects two virtual networks in different Azure regions, and which connects networks in the same region?
You remove the NSG rule that allowed SSH while a user has an active session, and the session keeps working. Why?
At which OSI layer does Azure Load Balancer operate, and how does it decide where to send a flow?
Which Azure service distributes traffic for a public app across multiple global regions using DNS, and why not a regional load balancer?
What it tests. Building and securing Azure networking. Configuring virtual networks with subnets, peering, and service endpoints, including regional versus global peering; securing access with network security groups, Azure Firewall, and Azure Bastion, and understanding that rule changes affect only new connections; and configuring name resolution and load balancing with Azure DNS, Azure Load Balancer, Application Gateway, and Traffic Manager. This domain carries the harder load-balancing objective, so the exam expects you to place each service at the right OSI layer and scope.
How to study it. Sort the connectivity and traffic services by the requirement each answers. For connecting virtual networks, regional peering joins networks in the same region while global peering joins networks across different regions, so a cross-region requirement points straight to global peering. For load balancing, fix the layer and scope: Azure Load Balancer is a layer 4 service distributing frontend flows to a backend pool by rules and health probes within a region, Application Gateway is layer 7 for HTTP-aware routing, and Traffic Manager is DNS-based for distributing traffic across global regions. Internalise the NSG rule behaviour that catches many candidates: changing or removing a rule affects only new connections, so an existing session keeps working until it ends.
Easy to confuse
Regional peering versus global peering. Regional virtual network peering connects virtual networks within the same Azure region; global virtual network peering connects them across different regions. A cross-region connectivity requirement is the signal for global peering.
Azure Load Balancer versus Traffic Manager. Azure Load Balancer is a layer 4 service that distributes flows to a backend pool within a region using rules and health probes; Traffic Manager is a DNS-based load balancer that distributes traffic across global Azure regions. Within a region use Load Balancer, across regions use Traffic Manager.
NSG rule change on new versus existing connections. Network security group rule changes apply only to new connections; existing established flows are not re-evaluated and continue until they close on their own. Removing an allow rule does not drop a live session.
Worked example from the AZ-104 bank
Free sample. Domain: Configure and Manage Virtual Networking. Difficulty: medium.
An administrator must connect two virtual networks that sit in two different Azure regions so resources in each can reach the other directly. Which connectivity option meets this requirement?
A. Configure global virtual network peering between the two virtual networks (Correct)
B. Configure regional virtual network peering between the two virtual networks
C. Configure a service endpoint on a subnet in each virtual network
D. Configure a point-to-site VPN between the two virtual networks
Global virtual network peering is the option for connecting virtual networks that are in different Azure regions. The documentation states that Azure supports global virtual network peering to connect virtual networks across Azure regions, whereas regular virtual network peering connects virtual networks within the same region.
Why A is correct: Correct. The documentation states that Azure supports global virtual network peering to connect virtual networks across Azure regions, whereas regular virtual network peering connects virtual networks within the same region.
Why B is wrong: Regional virtual network peering connects virtual networks within the same Azure region, so it cannot join networks in different regions.
Why C is wrong: A service endpoint extends a subnet to an Azure service resource and does not interconnect two virtual networks for direct resource-to-resource traffic.
Why D is wrong: Point-to-site VPN is established between a virtual network and a single computer, not between two virtual networks for general connectivity.
What you must be able to do. Given a monitoring or recovery requirement, choose the right half of the Azure Monitor platform, configure diagnostic settings and alert processing correctly, and protect data with Backup and Site Recovery defaults.
In one sentence: The operations domain: watch resources with the correct half of Azure Monitor, route alerts under the right precedence, and recover data with Backup and Site Recovery.
Recall check: answer these from memory first
Which half of the Azure Monitor data platform stores numeric values at regular intervals for near-real-time analysis, and which stores queryable event records?
How do you send one resource's logs to two separate Log Analytics workspaces, given the diagnostic setting limit?
When a suppression rule and an apply-action-group rule both match the same fired alert, which one wins?
Is backup data in a Recovery Services vault encrypted at rest by default, and what key type is used?
What it tests. Keeping resources observable and recoverable, the smallest domain by weight but a reliable source of marks. Monitoring with Azure Monitor metrics, alerts, and Log Analytics, including which half of the data platform holds numeric time-series versus queryable records, how many destinations one diagnostic setting can target, and how alert processing rules combine; and implementing recovery with Azure Backup and Azure Site Recovery, including the default encryption of a Recovery Services vault. The questions are precise and fact-driven, so they reward exact knowledge of defaults and limits.
How to study it. Split the Azure Monitor data platform cleanly: Metrics is the numeric, time-series half for near-real-time analysis, while Logs holds event records you query with KQL in Log Analytics. Learn the diagnostic setting limit precisely: one setting allows at most one of each destination type, so sending logs to two Log Analytics workspaces needs two separate diagnostic settings. For alert processing rules, fix that suppression has higher priority than apply-action-group, so when both match a fired alert the action groups are suppressed. For recovery, memorise that a Recovery Services vault encrypts backup data at rest by default with platform-managed keys, with no administrator action required, and customer-managed keys are the optional upgrade.
Easy to confuse
Azure Monitor Metrics versus Logs. Metrics keeps numeric values at regular intervals in a time-series database optimised for near-real-time analysis; Logs keeps event records you query with KQL in Log Analytics. Numeric performance over time is Metrics, searchable records and audit detail is Logs.
One diagnostic setting versus multiple settings. A single diagnostic setting can target at most one of each destination type, so it cannot list two Log Analytics workspaces. Reaching two workspaces of the same type requires two separate diagnostic settings on the resource.
Suppression rule versus apply-action-group rule. When both an alert processing suppression rule and an apply-action-group rule match one fired alert, suppression has the higher priority, so the alert's action groups are suppressed. Suppression wins the tie.
Worked example from the AZ-104 bank
Free sample. Domain: Monitor and Maintain Azure Resources. Difficulty: medium.
An administrator needs to store numeric values that describe resource performance at regular intervals and analyze them in near real time with a time-series store. Which half of the Azure Monitor data platform fits this need?
A. Azure Monitor Metrics, which keeps numeric data in a time-series database (Correct)
B. Azure Monitor Logs, which keeps event records that you query with KQL
C. Azure Activity Log, which keeps the audit trail of control-plane writes
D. Azure Service Health, which keeps the status of platform-wide incidents
Metrics is the numeric, time-series half of the Azure Monitor data platform; Logs is the queryable record half. Azure Monitor Metrics is the half of the data platform that collects numeric values at regular intervals into a time-series database optimized for near real-time analysis.
Why A is correct: Correct. Azure Monitor Metrics is the half of the data platform that collects numeric values at regular intervals into a time-series database optimized for near real-time analysis.
Why B is wrong: Logs holds log and trace records queried with KQL, not the time-series numeric store described.
Why C is wrong: The activity log records control-plane operations, not regular-interval numeric performance values.
Why D is wrong: Service Health reports platform incidents and advisories, not a time-series store of resource metrics.
A study plan that works
Map the blueprint and book a date
Day 1
Read the official AZ-104 skills outline and the five domains with their weights. Book a provisional date now: a fixed date turns open-ended study into a plan and is the strongest predictor of actually sitting. Note that Identities and Governance (23 percent) and Compute (24 percent) together are nearly half the exam, so they earn the most time.
Lock the governance precedence rules
Week 1
Start with the control plane because its rules recur everywhere: deny assignments override role assignments, locks block writes and deletes regardless of RBAC, budgets only notify, and Policy re-evaluates every 24 hours. Drill the SSPR licence line and the least-privilege built-in roles. Use this guide's recall prompts, cover the answer, decide from the rule, then reveal.
Drill storage and compute defaults
Weeks 1 to 3
These two domains are fact-dense and high-weight. Fix the redundancy ladder (LRS, ZRS, GRS, GZRS) and that account type is set at creation, then the compute behaviours: ARM idempotency, percent versus count autoscale, disk durability nines, and per-instance App Service billing. Get hands-on in a free or trial subscription so the limits stick from doing, not just reading.
Build the networking service map
Weeks 3 to 4
Networking carries the harder load-balancing objective, so build a clean map: regional versus global peering, NSG and Firewall and Bastion for secure access, and Load Balancer (layer 4) versus Application Gateway (layer 7) versus Traffic Manager (DNS, global). Burn in the NSG rule behaviour that changes affect only new connections. Place each service from the requirement before you read the options.
Cover monitoring and recovery
Week 4
The smallest domain but dependable marks if you know the exact defaults: Metrics versus Logs, one destination type per diagnostic setting, suppression beating apply-action-group, and default platform-managed encryption in a Recovery Services vault. These are pure precision questions, so memorise the limits and move on.
Drill weak domains, then space the review
Week 5
Use your per-domain accuracy to attack the two domains dragging you down, not to re-read what you already know. Then space it: revisit each domain's recall prompts after a few days and again a week later. Spacing roughly doubles what sticks compared with cramming, which matters for a fact-heavy exam like this one.
Sit a timed mock and calibrate
Weeks 5 to 6
Take at least one full timed mock under exam conditions to rehearse pacing, the flag-and-return habit, and the case-study format. Treat the score as a per-domain readiness signal, not a single number, and review every missed question, naming the exact default or limit you got wrong, before you book or sit.
Know when you're ready
Readiness for AZ-104 is a measured score on unseen questions, not a feeling that the services are familiar. Those are different things, and the gap between them is where people fail. Re-reading the docs builds fluency, and fluency feels like knowledge, so confidence rises while real recall does not. The fix is to test yourself on fresh items: if you can read a new scenario, name the exact default, limit, or precedence rule it turns on, and explain why each wrong option misstates Azure's behaviour, you know it; if you can only nod along to an explanation, you do not yet.
Be especially wary of confidence on the yes/no statement items, where one precise fact decides the answer and a sensible-sounding assumption is the trap. Knowing what a budget, a deny assignment, or a Recovery Services vault is for is the easy half; knowing exactly what each does and does not do at the boundary is the half the exam marks. Trust your measured per-domain accuracy over your gut, and set the bar at clearing every domain comfortably across more than one session, not scraping a single pass.
This guide gives you the map of defaults and limits. The practice bank is where you find out whether you have them locked in, with a worked explanation and a reason every distractor is wrong on every question. Readiness scoring tells you when you are there. Not before.
Read each question for the exact requirement first. The named region, licence tier, redundancy need, or security boundary is what picks the answer, so find it before you weigh the options.
Treat yes/no statements as guilty until proven correct. Identify the single fact the statement turns on, such as whether a budget stops resources or a type change is allowed in place, and check that one fact before committing.
Anchor on documented defaults and limits, not on what sounds convenient. Many traps are built from a reasonable-sounding assumption Azure does not honour, so prefer the precise behaviour at the boundary every time.
Default to the managed, built-in capability. When a requirement could be met by a script or a manual workaround, the intended answer is usually the platform feature: Azure Backup over scripts, Bastion over a public RDP port, managed identities over stored keys.
Let the access pattern and constraint pick storage and networking. Cross-region connectivity means global peering, layer 7 HTTP routing means Application Gateway, durability targets pick the redundancy tier; do not default to the option you use most.
Flag and move on. Cover every question once before you sink time into a hard one or a case study, so you collect the clear precision marks first across the full paper.
Mind least privilege on RBAC items. When several roles would work, the correct one grants exactly enough at the right scope, not broad ownership, because the exam rewards the minimal sufficient assignment.
Frequently asked questions
Is the AZ-104 hard?
It is an associate, intermediate-level exam, and the difficulty is precision rather than depth. Most questions hinge on one exact Azure default, limit, or precedence rule, and the traps are built from plausible-sounding assumptions the platform does not honour. Hands-on practice and scenario drilling with worked explanations matter far more than memorising what each service is for.
How long should I study for the AZ-104?
Most candidates with real hands-on Azure exposure are ready in five to six weeks of steady study. Less practical experience means more time in a trial subscription and more time on the two heaviest domains, Identities and Governance and Compute, plus the fact-dense storage and networking behaviours.
Do I need hands-on Azure experience to pass?
It is not formally required, but the exam assumes around six months of administering Azure. The precision questions about defaults and limits are far easier when you have configured the services yourself, so working in a free or trial subscription is the single most useful preparation.
Do I need to write code or scripts for this exam?
You need to read and reason about ARM templates and Bicep and understand portal, CLI, and PowerShell workflows, but the exam is about choosing and configuring the right setting, not writing programs. Comfort with how a deployment behaves, such as idempotency, matters more than authoring templates from scratch.
What kinds of questions appear on the AZ-104?
Expect standalone multiple-choice and multiple-response items alongside case studies, and a notable share of yes/no statement checks where one precise fact decides the answer. The format rewards exact knowledge and punishes guessing, so treat each statement as something to verify against a documented behaviour.
Which domains should I focus on?
Deploy and Manage Compute at 24 percent and Manage Identities and Governance at 23 percent are nearly half the exam, so they deserve the most time. Storage at 20 percent and Networking at 19 percent are close behind and are fact-dense, while Monitoring at 14 percent is small but a dependable source of marks if you learn its defaults.
How many practice questions should I do before booking?
Enough that every domain clears comfortably on questions you have not seen, and a full timed mock feels comfortable on pacing and the case-study format. Quality of review beats raw volume: on every question, read the explanation and name the exact default or limit that picked the answer, including on the ones you got right.
Is the AZ-104 worth it?
It is well suited to hands-on Azure administrators and infrastructure engineers who need a recognised proof of their day-to-day operational skills. It also serves as the primary stepping stone to the expert-level Azure architecture and DevOps credentials on the Microsoft certification ladder.
Examworthy is not affiliated with or endorsed by Microsoft. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. AZ-104 and related marks belong to their respective owners.