Why AZ-104 is the Azure credential that matters most in 2026
Every enterprise Azure journey eventually leads back to one question: who is accountable for keeping the cloud running? AZ-104 answers that question on a résumé. Unlike the entry-level AZ-900 (Fundamentals), AZ-104 tests operational competence — the ability to deploy, configure, and troubleshoot Azure resources in production, not just describe what they do. And unlike the Expert-level AZ-305 (Solutions Architect), it stays grounded in day-to-day administration rather than high-level design patterns.
The exam costs $165 USD, runs for 120–180 minutes, and contains 40–60 questions across multiple formats: multiple-choice, drag-and-drop, case studies, and performance-based labs where you complete real tasks in a live Azure portal sandbox. The passing threshold is 700 out of 1000 — and Microsoft has made it clear that the performance-based items cannot be bluffed with memorization alone. You must be able to navigate the portal and command line fluently.
Azure organises everything around subscriptions, grouped under management groups, inside a tenant anchored to Microsoft Entra ID. Every resource lives in a resource group within a subscription. RBAC role assignments are inherited down this hierarchy and are additive: an assignment at a child scope adds permissions but never removes what a parent-scope assignment already grants, and a narrower role at a lower scope does not "override" a broader one above it (only a deny assignment can subtract, and those are created by Azure for you, not by hand). Before touching any service, understand how role assignments propagate from management group → subscription → resource group → resource — the exam tests this hierarchy constantly.
The five functional groups
Microsoft publishes the AZ-104 study guide at learn.microsoft.com. The five functional groups and their approximate exam weights are:
Group 1 — Manage Azure Identities and Governance (~20–25%)
This group tests your ability to control who can access what across an entire Azure estate.
- Microsoft Entra ID: Create and manage users, groups (security and Microsoft 365), and service principals. Understand guest accounts (B2B collaboration) and dynamic group membership rules based on user attributes. Bulk user operations via CSV upload and the Entra admin centre.
- RBAC: Assign built-in roles (Owner, Contributor, Reader, User Access Administrator) at the right scope. Know when to create a custom role and how to use `az role assignment create`. Assignments accumulate across scopes and group memberships; you cannot narrow an inherited role by assigning a weaker one lower down. Understand that RBAC controls what you can do; Entra ID controls who you are.
- Azure Policy: Create, assign, and remediate policies to enforce governance standards (e.g., “all resources must have a CostCenter tag”). A policy initiative (policy set) is a group of policy definitions assigned together. Audit effect vs. Deny effect vs. DeployIfNotExists: Audit only records non-compliance, Deny rejects the request, and DeployIfNotExists lets the request through and then deploys the missing companion resource (the assignment needs a managed identity for that remediation). Each appears in scenario questions.
- Resource locks: CanNotDelete vs. ReadOnly. Locks are inherited by child resources. Even Owners cannot delete a resource with a CanNotDelete lock without first removing the lock, which requires Microsoft.Authorization/locks/* permission (held by Owner and User Access Administrator). ReadOnly is stricter than it sounds: it also blocks POST operations Azure treats as writes, such as listing storage account keys.
- Management groups and subscriptions: Up to six levels of management group nesting. Azure Policy and RBAC assigned at a management group cascade to all child subscriptions automatically — the canonical answer for “enforce a policy across 50 subscriptions.”
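The three effects from the Azure Policy bullet above, as an added example that is not part of the original page and is not Microsoft's policy engine: a small evaluator over definitions written in the real policyRule `if`/`then` shape. Only the field conditions used here (exists, equals, notEquals) are implemented, the DeployIfNotExists `details` block is omitted, and the definition names, tag, region and resources are constructed.

```python
"""Azure Policy effect evaluation modelled offline.

Added example, not Microsoft's policy engine. The definitions use the real
policyRule "if"/"then" shape, but only the field conditions below
(exists / equals / notEquals) are implemented; resources are constructed.
"""
from typing import Any

# Definition 1: every resource must carry a CostCenter tag (Deny on create/update).
REQUIRE_COSTCENTER_TAG = {
    "name": "require-costcenter-tag",
    "policyRule": {
        "if": {"field": "tags['CostCenter']", "exists": "false"},
        "then": {"effect": "Deny"},
    },
}

# Definition 2: flag, but do not block, anything outside the approved region.
AUDIT_REGION = {
    "name": "audit-region-westeurope",
    "policyRule": {
        "if": {"field": "location", "notEquals": "westeurope"},
        "then": {"effect": "Audit"},
    },
}

# Definition 3: DeployIfNotExists never blocks the request; the assignment's managed
# identity deploys the missing companion resource afterwards. The real "details"
# block (existence condition plus deployment template) is omitted in this model.
DEPLOY_AMA_ON_VMS = {
    "name": "deploy-ama-if-missing",
    "policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        "then": {"effect": "DeployIfNotExists"},
    },
}

# An initiative (policy set definition) is just several definitions assigned together.
GOVERNANCE_INITIATIVE = [REQUIRE_COSTCENTER_TAG, AUDIT_REGION, DEPLOY_AMA_ON_VMS]


def read_field(resource: dict[str, Any], field: str) -> Any:
    """Resolve a policy field reference; only tags['name'] and top-level fields."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)


def condition_holds(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    """True when the 'if' block matches, i.e. the 'then' effect fires."""
    value = read_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policies: list[dict[str, Any]], resource: dict[str, Any]):
    """Return (request_allowed, [(policy name, effect), ...]) for a PUT of resource.

    Deny rejects the request outright. Audit and DeployIfNotExists let it through:
    Audit records a non-compliance entry, DeployIfNotExists queues remediation.
    """
    fired = []
    allowed = True
    for policy in policies:
        rule = policy["policyRule"]
        if not condition_holds(rule["if"], resource):
            continue
        effect = rule["then"]["effect"]
        fired.append((policy["name"], effect))
        if effect == "Deny":
            allowed = False
    return allowed, fired


# Constructed resources, shaped the way ARM presents them to the policy engine.
UNTAGGED_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus", "tags": {}}
TAGGED_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus",
             "tags": {"CostCenter": "CC-1001"}}
COMPLIANT_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
                     "tags": {"CostCenter": "CC-1001"}}

if __name__ == "__main__":
    for label, res in [("untagged VM", UNTAGGED_VM), ("tagged VM", TAGGED_VM),
                       ("compliant storage", COMPLIANT_STORAGE)]:
        print(label, evaluate(GOVERNANCE_INITIATIVE, res))
```

The point to notice is that a Deny anywhere in the initiative rejects the whole request, while Audit and DeployIfNotExists findings accumulate without blocking; a resource created before the assignment shows up as non-compliant but is only changed when you run a remediation task.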
Group 2 — Implement and Manage Storage (~15–20%)
Storage in Azure is deceptively deep. The exam tests service selection, access control, and lifecycle management across all storage types.
- Storage accounts: Standard (HDD) vs. Premium (SSD). Redundancy options: LRS, ZRS, GRS, GZRS, RA-GRS, RA-GZRS. Know the tradeoff — GRS replicates asynchronously to a paired region; RA-GRS adds read access to the secondary. The exam answer for “survive a regional failure with read access” is RA-GRS or RA-GZRS.
- Blob storage: Containers, access tiers (Hot / Cool / Cold / Archive). Lifecycle management policies automate tier transitions and deletion. Immutability policies (WORM) prevent modification or deletion for compliance. Blob versioning and soft delete for recovery from accidental overwrites.
- Azure Files: SMB and NFS shares. Azure File Sync replicates on-premises Windows file servers to Azure. Snapshot and restore operations on file shares. Authentication via Entra ID Domain Services or on-premises AD DS.
- Access control: Storage account keys (full control of the whole account, avoid in production), SAS tokens (scoped, time-limited), and Entra ID authentication (preferred; no shared secret to leak, and a user delegation SAS can be issued from it). Know how each SAS kind is revoked: a service SAS bound to a stored access policy is revoked by editing or deleting that policy, a user delegation SAS by revoking the delegation keys, and a SAS signed directly with an account key only by regenerating that key, which also invalidates every other SAS signed with it. Rotate keys without downtime with the dual-key pattern: point clients at key2, regenerate key1, point clients at key1, regenerate key2.
- Tools: AzCopy for high-throughput transfers, Azure Storage Explorer for GUI management, and the Azure portal for quick configuration. The `azcopy copy` command with `--recursive` is a common exam scenario.
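How a SAS signature binds the token to one account key, and why the dual-key rotation in the access-control bullet above works, as an added example that is not part of the original page and not the Azure SDK. The string-to-sign layout follows the Blob service SAS format documented for service version 2020-12-06 and later; check it against the current docs before reusing it for a real account. The account name and keys are constructed.

```python
"""Service SAS signing and dual-key rotation, modelled offline.

Added example, not Azure's implementation and not the azure-storage SDK.
The string-to-sign layout follows the Blob service SAS format documented for
service version 2020-12-06 and later; verify it against the current docs
before reusing it. Account name and keys are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

ACCOUNT = "stexample001"        # constructed storage account name
SERVICE_VERSION = "2020-12-06"


def constructed_key(label: str) -> str:
    """A 64-byte base64 key in the shape Azure issues, derived from a label so the
    example is deterministic. Never derive real keys like this."""
    return base64.b64encode(hashlib.sha512(label.encode()).digest()).decode()


def string_to_sign(container, blob, permissions, start, expiry, protocol="https"):
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"
    return "\n".join([
        permissions, start, expiry, canonical,
        "",                  # signedIdentifier (stored access policy), unused here
        "",                  # signedIP
        protocol, SERVICE_VERSION,
        "b",                 # signedResource: a single blob
        "", "",              # signedSnapshotTime, signedEncryptionScope
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct header overrides
    ])


def sign(sts: str, key_b64: str) -> str:
    mac = hmac.new(base64.b64decode(key_b64), sts.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_sas(container, blob, permissions, start, expiry, key_b64) -> str:
    sig = sign(string_to_sign(container, blob, permissions, start, expiry), key_b64)
    return urlencode({"sv": SERVICE_VERSION, "sr": "b", "sp": permissions,
                      "st": start, "se": expiry, "spr": "https", "sig": sig})


def service_accepts(container, blob, sas, active_keys) -> bool:
    """What the storage front end does per request: rebuild the string-to-sign from
    the query parameters and recompute the HMAC with each active account key. Any
    parameter the client edits (sp=r -> sp=rw) changes the input and breaks the
    signature. The time-window check on st/se is omitted here."""
    q = {k: v[0] for k, v in parse_qs(sas).items()}
    sts = string_to_sign(container, blob, q["sp"], q["st"], q["se"], q["spr"])
    return any(hmac.compare_digest(sign(sts, k), q["sig"]) for k in active_keys)


def rotation_demo():
    """Dual-key rotation: tokens signed with key2 survive regenerating key1,
    tokens signed with key1 die the moment key1 is regenerated."""
    key1, key2 = constructed_key("key1-v1"), constructed_key("key2-v1")
    start, expiry = "2026-03-01T00:00:00Z", "2026-03-02T00:00:00Z"
    tok1 = make_sas("logs", "app.log", "r", start, expiry, key1)
    tok2 = make_sas("logs", "app.log", "r", start, expiry, key2)
    active = [key1, key2]
    before = (service_accepts("logs", "app.log", tok1, active),
              service_accepts("logs", "app.log", tok2, active))
    active = [constructed_key("key1-v2"), key2]      # regenerate key1
    after = (service_accepts("logs", "app.log", tok1, active),
             service_accepts("logs", "app.log", tok2, active))
    return before, after


def tamper_demo() -> bool:
    """Escalating a read-only token to read+write in the URL must be rejected."""
    key = constructed_key("key1-v1")
    tok = make_sas("logs", "app.log", "r",
                   "2026-03-01T00:00:00Z", "2026-03-02T00:00:00Z", key)
    return service_accepts("logs", "app.log", tok.replace("sp=r&", "sp=rw&"), [key])


if __name__ == "__main__":
    print(rotation_demo())   # ((True, True), (False, True))
    print(tamper_demo())     # False
```

The operational consequence is the one the exam wants: before regenerating key1, find every SAS and connection string signed with it, or it will stop working with no warning. That is also why Entra ID (or a user delegation SAS, which is signed with a short-lived delegation key rather than an account key) is the preferred answer.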
Group 3 — Deploy and Manage Azure Compute Resources (~20–25%)
The heaviest group by weight, covering VMs, containers, serverless, and IaC — the practical core of day-to-day Azure administration.
- Virtual machines: VM series selection (B-series burstable, D-series general purpose, E-series memory-optimised, F-series compute-optimised, N-series GPU). Availability sets (fault domains + update domains, 99.95% SLA) vs. Availability Zones (physically separate datacenters, 99.99% SLA). Proximity placement groups for latency-sensitive workloads.
- VM scale sets (VMSS): Auto-scaling policies based on metrics or schedules. Uniform vs. Flexible orchestration modes. Custom script extension and Azure Monitor Agent for bootstrapping and telemetry. Spot instances for fault-tolerant batch workloads at up to 90% discount.
- Azure App Service: Deployment slots (production/staging) and slot swapping for zero-downtime releases. App Service plans define compute scale; apps within a plan share the same underlying VMs. Auto-scaling rules based on CPU, memory, or HTTP queue length.
- Infrastructure as Code: ARM templates (JSON) are native to Azure but verbose. Bicep is the modern DSL that compiles to ARM — cleaner syntax, full ARM feature parity. Deploy with `az deployment group create`; add `--what-if` to preview changes, and know `--mode Complete` vs. `--mode Incremental` (the default): Complete deletes every resource in the resource group that is not in the template, so a narrowly scoped template deployed in Complete mode can destroy unrelated resources.
- Containers: Azure Container Instances (ACI) for single containers without orchestration. Azure Kubernetes Service (AKS) for orchestrated workloads — the exam tests basic cluster creation, node pool scaling, and upgrade procedures. Azure Container Registry (ACR) stores images; geo-replication mirrors them across regions.
Group 4 — Implement and Manage Virtual Networking (~15–20%)
Azure networking is where many candidates stumble — the terminology is dense and service names change. Build a mental map of how traffic flows in, out, and between Azure resources.
- Virtual networks and subnets: Address space planning with CIDR. Subnet delegation for PaaS services (e.g., Azure SQL Managed Instance). Network Security Groups (NSGs) filter traffic at the NIC or subnet level using inbound/outbound rules evaluated by priority. Application Security Groups (ASGs) group VMs logically so NSG rules can reference groups instead of IP ranges.
- Azure DNS: Public DNS zones for internet-facing names. Private DNS zones for internal resolution within VNets. Linking a private DNS zone to a VNet lets resources in that VNet resolve its records; enabling auto-registration on that link additionally creates and maintains A records for the VNet's VMs. Know how to delegate a subdomain to Azure DNS from an external registrar (NS records at the parent pointing to the zone's assigned Azure name servers).
- Load balancing: Azure Load Balancer (Layer 4, TCP/UDP) for intra-region high availability. Azure Application Gateway (Layer 7, HTTP/HTTPS) for URL-based routing, SSL termination, and WAF. Azure Front Door (global Layer 7) for multi-region traffic management with anycast routing.
- Connectivity: VNet Peering (low-latency, non-transitive — use a hub-and-spoke topology for shared services). VPN Gateway for encrypted site-to-site or point-to-site connections. ExpressRoute for private, dedicated, high-bandwidth connections from on-premises to Azure without traversing the public internet.
- Private endpoints: Give PaaS services (Storage, SQL, Key Vault) a private IP inside your VNet, removing public endpoint exposure. Azure Private Link is the underlying mechanism. Understand the DNS implications — private DNS zones must resolve the service name to the private IP, not the public one.
Group 5 — Monitor and Maintain Azure Resources (~10–15%)
Smaller by weight but operationally critical — this group tests your ability to keep things running and recover when they break.
- Azure Monitor: Platform metrics for every Azure service flow in automatically with no configuration. The Azure Monitor Agent (AMA) is required for VM-level metrics (memory, disk) and log collection — the replacement for the legacy Log Analytics agent. Data Collection Rules (DCRs) define what the AMA collects and where it sends it.
- Log Analytics workspaces: Central store for logs from Azure Monitor, Defender for Cloud, Sentinel, and custom sources. Query with Kusto Query Language (KQL). Know the basics: `where`, `summarize`, `project`, `order by`. Alert rules trigger on log queries; metric alerts trigger on numeric thresholds.
- Azure Backup: Recovery Services vault stores backups for VMs, SQL databases, Azure Files, and on-premises workloads via the MARS agent. Backup policies define frequency and retention. Soft delete keeps deleted backup data for 14 days by default to protect against accidental or malicious deletion.
- Azure Site Recovery (ASR): Replicates VMs to a secondary region for disaster recovery. RPO and RTO targets are configurable. Test failover lets you validate recovery plans without affecting production. Know the distinction between backup (point-in-time restore) and ASR (near-real-time replication for failover).
- Network Watcher: Diagnose connectivity issues with Connection Monitor, IP flow verify, and Next Hop. Packet capture for deep inspection. NSG flow logs (sent to storage account or Log Analytics) for traffic auditing. The exam answer for “why is traffic being dropped to a VM” starts with IP flow verify.
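The NSG evaluation from the virtual networking section (rules evaluated by priority, service tags, ASGs as rule targets, and the requirement that both the subnet NSG and the NIC NSG allow a flow) together with the IP flow verify check from the Network Watcher bullet above, as an added example that is not part of the original page and is not Azure's data plane or Network Watcher. The VNet, ASGs, NSGs and flows are constructed; "Internet" is simplified to "not RFC 1918", only inbound traffic is modelled, and source ports are ignored.

```python
"""NSG rule evaluation and an IP-flow-verify style check, modelled offline.

Added example, not Azure's packet filter or Network Watcher. The VNet, ASGs,
NSGs and flows are constructed; "Internet" is simplified to "not RFC 1918",
only inbound traffic is modelled, and source ports are ignored.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB = "168.63.129.16"                      # the AzureLoadBalancer service tag
ASGS = {"web": {"10.0.1.4", "10.0.1.5"}, "db": {"10.0.1.10"}}   # NIC membership


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first; first match wins
    name: str
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*", service tag, or "asg:<name>"
    dest: str
    dest_port: str     # "443", "1024-65535", "80,443" or "*"
    access: str        # "Allow" or "Deny"


DEFAULT_INBOUND = [      # present in every NSG and cannot be removed
    Rule(65000, "AllowVnetInBound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "*", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "*", "Deny"),
]

NSGS = {
    "app-subnet-nsg": [
        Rule(100, "AllowHttpsFromInternet", "Tcp", "Internet", "asg:web", "443", "Allow"),
        Rule(110, "DenyRdpFromInternet", "Tcp", "Internet", "*", "3389", "Deny"),
        Rule(200, "AllowWebToSql", "Tcp", "asg:web", "asg:db", "1433", "Allow"),
        Rule(210, "DenyVnetToSql", "*", "VirtualNetwork", "asg:db", "1433", "Deny"),
    ] + DEFAULT_INBOUND,
    "db-nic-nsg": [           # a stale rule someone left on the DB NIC
        Rule(100, "DenySqlFromVnet", "Tcp", "VirtualNetwork", "*", "1433", "Deny"),
    ] + DEFAULT_INBOUND,
}
SUBNET_NSG = "app-subnet-nsg"             # every NIC below sits in this subnet
NIC_NSG = {"10.0.1.10": "db-nic-nsg"}     # only the DB NIC has its own NSG


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return not any(addr in net for net in RFC1918)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB
    if spec.startswith("asg:"):
        return ip in ASGS[spec[4:]]
    return addr in ipaddress.ip_network(spec, strict=False)


def first_match(nsg: str, proto: str, src: str, dst: str, port: int) -> Rule:
    """Walk the NSG in priority order and return the first rule that matches."""
    for rule in sorted(NSGS[nsg], key=lambda r: r.priority):
        if rule.protocol in ("*", proto) and addr_matches(rule.source, src) \
                and addr_matches(rule.dest, dst) and port_matches(rule.dest_port, port):
            return rule
    raise AssertionError("unreachable: DenyAllInBound always matches")


def ip_flow_verify(proto: str, src: str, dst: str, port: int):
    """Inbound check in the order Azure applies it: subnet NSG, then NIC NSG.
    Both must allow the flow; the first Deny wins. Returns (allowed, 'nsg/rule')
    naming the rule that decided, as Network Watcher's IP flow verify does."""
    verdict = None
    for nsg in (SUBNET_NSG, NIC_NSG.get(dst)):
        if nsg is None:
            continue
        rule = first_match(nsg, proto, src, dst, port)
        verdict = (rule.access == "Allow", f"{nsg}/{rule.name}")
        if rule.access == "Deny":
            break
    return verdict


if __name__ == "__main__":
    print(ip_flow_verify("Tcp", "10.0.1.4", "10.0.1.10", 1433))   # denied by the NIC NSG
```

The third flow is the classic troubleshooting case: the subnet NSG's AllowWebToSql rule is correct, yet SQL from the web tier still fails because the NIC NSG denies it. IP flow verify reports the deciding rule and NSG by name, which is why it is the first tool to reach for before touching any rules.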
The most common AZ-104 trap: confusing Microsoft Entra ID with RBAC. Entra ID manages identity — who the user is, whether they’re authenticated, what groups they belong to. RBAC manages authorisation — what that authenticated identity is permitted to do on which Azure resource. Both are required; neither replaces the other.
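The Entra ID / RBAC split described above, and the scope inheritance rule from the governance section, as an added example that is not part of the original page and not the Azure Resource Manager authorisation engine: group membership comes from the Entra side, role definitions and assignments from the RBAC side, and authorisation is the additive union over the scope chain. Scope paths use the ARM format; the built-in role action lists are abbreviated; every identity, ID and assignment is constructed.

```python
"""Azure RBAC authorisation modelled offline: scope inheritance, additive
assignments, Entra ID group membership, and Actions/NotActions.

Added example, not the Azure Resource Manager authorisation engine. Scope
paths and role definitions use the ARM format, but the built-in role
action lists are abbreviated. Identities, IDs and assignments are constructed.
"""
import fnmatch
import re

MG = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/stapp001"
MG_OF_SUB = {SUB: MG}       # subscription -> management group it sits under
MG_PARENT = {MG: None}      # corp sits directly under the tenant root group

# Entra ID decides who you are: the principal and its group memberships.
GROUPS = {"platform-admins": {"alice"}}

# RBAC decides what you can do: abbreviated built-in role definitions.
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": []},
}

ASSIGNMENTS = [
    {"principal": "platform-admins", "role": "Contributor", "scope": MG},
    {"principal": "alice", "role": "Reader", "scope": RG},   # does NOT narrow alice
    {"principal": "bob", "role": "Reader", "scope": SUB},
    {"principal": "carol", "role": "User Access Administrator", "scope": RG},
]

SCOPE_RE = re.compile(r"(/subscriptions/[^/]+)(/resourceGroups/[^/]+)?(/providers/.+)?")


def parent(scope):
    """One step up the hierarchy: resource -> RG -> subscription -> MG -> root."""
    if scope in MG_PARENT:
        return MG_PARENT[scope]
    sub, rg, resource = SCOPE_RE.fullmatch(scope).groups()
    if resource:
        return sub + rg
    if rg:
        return sub
    return MG_OF_SUB.get(sub)


def effective_scopes(scope):
    """The scope itself plus every ancestor; assignments at any of these apply."""
    chain = []
    while scope:
        chain.append(scope)
        scope = parent(scope)
    return chain


def principals_of(user):
    return {user} | {g for g, members in GROUPS.items() if user in members}


def role_permits(role, action):
    """NotActions subtract only within the same role definition, never from
    permissions granted by a different assignment."""
    d, a = ROLES[role], action.lower()
    hit = lambda patterns: any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)
    return hit(d["actions"]) and not hit(d["notActions"])


def is_allowed(user, action, scope):
    """Additive: any one matching assignment grants the action. A Reader
    assignment at a child scope cannot cancel a Contributor inherited from a
    parent; only removing the parent assignment (or an Azure-created deny
    assignment) can do that."""
    who, chain = principals_of(user), effective_scopes(scope)
    return any(a["principal"] in who and a["scope"] in chain
               and role_permits(a["role"], action) for a in ASSIGNMENTS)


if __name__ == "__main__":
    print(is_allowed("alice", "Microsoft.Storage/storageAccounts/write", SA))          # True
    print(is_allowed("bob", "Microsoft.Storage/storageAccounts/listKeys/action", SA))  # False
```

Two results are worth remembering for the exam. Alice's Reader assignment on the resource group changes nothing, because her group already holds Contributor at the management group and RBAC only ever adds. Bob's Reader role cannot list storage account keys, because listKeys is a POST action, not a read; that is the same distinction the ReadOnly lock relies on.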
Services you must know before exam day
If you can answer a scenario question on any of these without hesitation, you’re exam-ready:
- Availability Set vs. Availability Zone: Availability Sets protect against rack-level failures within a single datacenter (99.95% SLA). Availability Zones protect against datacenter-level failures (99.99% SLA). Zone-redundant means resources span multiple zones within a region.
- VNet Peering vs. VPN Gateway vs. ExpressRoute: Peering = fast, low-latency, Azure backbone, non-transitive. VPN Gateway = encrypted, over internet, slower. ExpressRoute = dedicated private connection, highest bandwidth, lowest latency, no public internet traversal.
- NSG vs. Azure Firewall: NSGs are stateful packet filters attached to subnets or NICs — no deep packet inspection, and no filtering by domain name. Azure Firewall is a fully managed, stateful network firewall with FQDN filtering, threat intelligence, and (in the Premium SKU) TLS inspection and IDPS. NSG answers “allow port 443 from this IP.” Azure Firewall answers “allow HTTPS to *.microsoft.com from my VNet.”
- Azure Backup vs. Azure Site Recovery: Backup = restore individual files, databases, or VMs to a point in time. ASR = fail over your entire workload to a secondary region when the primary goes down. They’re complementary, not alternatives.
- Public endpoint vs. Service endpoint vs. Private endpoint: Public endpoint = accessible over the internet. Service endpoint = traffic stays on the Azure backbone but the service still has a public IP. Private endpoint = service gets a private IP in your VNet, no public IP exposure at all. Private endpoint is the most secure and is the exam’s preferred answer when data exfiltration prevention is the concern.
AZ-104 is the gateway to every Azure specialisation. AZ-500 (Security Engineer) explicitly recommends it as a prerequisite — its Entra ID, NSG, and RBAC coverage forms the foundation that AZ-500 builds on. AZ-305 (Solutions Architect Expert) is only awarded once you also hold the Azure Administrator Associate certification that AZ-104 confers. AZ-400 (DevOps Engineer Expert) requires AZ-104 or AZ-204 and expects fluency with the compute and networking concepts AZ-104 certifies. With Microsoft’s enterprise market share growing and Azure certifications among the highest-compensated in the industry, the 4–8 weeks of focused study for AZ-104 has one of the best ROI profiles in cloud computing. Build everything hands-on in an Azure free account — the performance-based exam items cannot be prepared for with flashcards alone.
What comes after AZ-104
AZ-104 is the cornerstone of the Microsoft Azure certification architecture. Every path above Associate level passes through it:
- AZ-500 — Azure Security Engineer Associate: The security specialisation on top of AZ-104. Adds Defender for Cloud, Microsoft Sentinel, Key Vault deep-dive, Conditional Access, and Privileged Identity Management. The highest-value specialisation for cloud security practitioners.
- AZ-305 — Azure Solutions Architect Expert: Requires the Azure Administrator Associate certification (AZ-104) before the Expert certification is awarded; the two exams can be taken in either order. Tests design-level decisions — resilience patterns, hybrid networking architectures, cost optimisation at scale, identity federation. The most sought-after Azure cert in enterprise job postings.
- AZ-400 — DevOps Engineer Expert: Also requires AZ-104 or AZ-204. Tests Azure DevOps pipelines, GitHub Actions for Azure, infrastructure as code (Bicep and Terraform), container deployments via AKS, and release strategies.
- AZ-140 — Azure Virtual Desktop Specialty: For administrators managing remote work infrastructure. Builds on the VM and networking knowledge from AZ-104 and adds FSLogix profile management, host pool configuration, and scaling plans.
Candidates who pass AZ-104 often tackle AZ-500 next — the security domains map naturally onto the governance and networking foundations already covered. Give yourself 4–6 weeks of hands-on Azure Free Tier practice before booking the exam, and use Microsoft Learn’s free AZ-104 learning path as your primary resource.
Ready to test your Azure knowledge? We have scenario-based Microsoft Azure practice questions covering RBAC, virtual networking, storage, compute, and monitoring — timed, randomised, and free.
Start AZ-104 Practice Questions →