Microsoft Azure Administrator Associate
225 practice questions
Last reviewed: April 2026
Personal notes and resource links for your study journey
Filter by Certification
AZ-104 is Microsoft's flagship associate-level cloud-administrator credential. It validates the day-to-day skills of an Azure administrator: managing identities and governance through Microsoft Entra, deploying and operating Azure VMs, App Services, AKS, and storage accounts, configuring virtual networks and load balancing, and monitoring with Azure Monitor and Log Analytics. The exam is more hands-on than fundamentals: expect 40β60 questions in roughly 100 minutes including multiple-choice, multiple-response, drag-and-drop, hot-area, and at least one case study with several scenario-based items. Scenarios reward candidates who have actually clicked through the Azure portal rather than read about it.
Microsoft Entra ID users and groups, RBAC, custom roles, Azure Policy, resource locks, management groups, subscriptions, and tag-based governance. About 24% of questions and the foundation for the rest of the exam.
Storage accounts (Blob, Files, Queues, Tables), redundancy options (LRS / ZRS / GRS / RA-GRS / GZRS), lifecycle management, SAS tokens, Azure Files with AD integration, and AzCopy / Storage Explorer. About 19%.
About 24%. VMs (sizing, availability sets / zones, VMSS, snapshots, custom images), App Service (deployment slots, scaling), Container Instances and AKS basics, ARM templates / Bicep, and Azure Container Registry.
About 19%. VNets, subnets, peering, NSGs, ASGs, public IPs, Azure Load Balancer, Application Gateway, Azure DNS, VPN Gateway, and ExpressRoute fundamentals. Heavy on routing and traffic-flow scenarios.
About 14%. Azure Monitor, Log Analytics workspaces, Application Insights, alerts and action groups, Azure Backup, Azure Site Recovery, and update management. Lower weight but high-density questions.
Services you'll encounter on the exam and why each one matters.
IaaS compute with VM sizes, managed disks, availability sets/zones, and Virtual Machine Scale Sets (VMSS) for horizontal autoscale.
Why it's on the exam: Domain 3 (Deploy and Manage Azure Compute Resources) tests VM sizing, VMSS scaling rules, and disk-type selection on nearly every scenario.
Managed PaaS for web apps, APIs, and containers with deployment slots, autoscale, custom domains, and Easy Auth identity integration.
Why it's on the exam: Domain 3 covers App Service plan tiers, slot-based deployments, and scale-out rules as the canonical PaaS host on Azure.
Unified storage account exposing Blob (hot/cool/cold/archive tiers), Files (SMB/NFS shares), Queues, Tables, and Managed Disks with redundancy options (LRS/ZRS/GRS/RA-GRS).
Why it's on the exam: Domain 2 (Implement and Manage Storage) is built entirely around storage-account redundancy, lifecycle tiering, SAS tokens, and access-tier selection.
Software-defined network with subnets, network security groups (NSGs), application security groups, service endpoints, and global VNet peering.
Why it's on the exam: Domain 4 (Implement and Manage Virtual Networking) tests VNet address-space design, NSG rule precedence, and peering vs. VPN trade-offs.
Managed Kubernetes control plane with node pools, cluster autoscaler, Azure CNI/kubenet networking, Entra integration, and managed identities.
Why it's on the exam: Domain 3 includes AKS cluster provisioning, node-pool scaling, and basic upgrade/maintenance operations as the container-orchestration option.
Serverless single-container runtime with per-second billing, virtual-network injection, and Azure Files volume mounts for stateful workloads.
Why it's on the exam: Domain 3 contrasts ACI (no orchestration, fast spin-up) against AKS β knowing when each fits is a recurring exam pattern.
Cloud identity directory with users, groups, dynamic membership, app registrations, service principals, and built-in/custom directory roles.
Why it's on the exam: Domain 1 (Manage Azure Identities and Governance) leans heavily on Entra ID β group-based access assignment, guest invitations, and role assignments.
Control-plane orchestrator that exposes resource groups, locks, tags, and deployment scopes via ARM JSON templates or the higher-level Bicep DSL.
Why it's on the exam: Domain 1 covers resource locks, tagging strategies, and Bicep/ARM-based redeployment as the canonical AZ-104 IaC pattern.
Layer-4 Load Balancer (regional/global, public/internal) and Layer-7 Application Gateway with WAF, path-based routing, and end-to-end TLS.
Why it's on the exam: Domain 4 tests picking the right load-balancing tier β Basic vs. Standard LB, ALB-on-AKS, App Gateway vs. Front Door for HTTP.
Authoritative public DNS hosting plus Private DNS Zones for VNet-scoped name resolution, with auto-registration from linked VNets.
Why it's on the exam: Domain 4 covers DNS-zone delegation, private-link name resolution, and conditional forwarding from on-premises into Azure.
Hybrid connectivity options β site-to-site/point-to-site IPsec VPN via VPN Gateway, or private peering via ExpressRoute circuits with optional FastPath.
Why it's on the exam: Domain 4 tests choosing VPN vs. ExpressRoute by bandwidth/SLA, and configuring BGP, transit, and gateway-SKU sizing.
Centralized backup orchestration for VMs, Azure Files, SQL/SAP HANA on IaaS, and on-prem workloads via the MARS agent, stored in Recovery Services vaults.
Why it's on the exam: Domain 5 (Monitor and Maintain Azure Resources) names Azure Backup as the policy-driven RPO/RTO enforcement service across VM + file workloads.
DR orchestrator that replicates VMs (Azure-to-Azure, on-prem-to-Azure, VMware/Hyper-V) and runs scripted failover plans with RPO/RTO tracking.
Why it's on the exam: Domain 5 BCDR scenarios contrast ASR (cross-region/cross-cloud failover) with Azure Backup (point-in-time restore) β both surface frequently.
Service that turns Windows Server file servers into a cache of Azure Files, with cloud tiering, multi-site sync, and rapid namespace restore.
Why it's on the exam: Domain 2 storage scenarios test Azure File Sync as the canonical hybrid file-share pattern for branch offices.
Managed jumpbox-as-a-service that brokers RDP/SSH to VMs via the portal without exposing public IPs, with native client and shareable links.
Why it's on the exam: Domain 4 + Domain 1 secure-access scenarios name Bastion as the answer for VM access without inbound NSG rules or jumpbox VMs.
Network diagnostic toolset: Connection Monitor, IP Flow Verify, NSG diagnostics, Packet Capture, and VNet Flow Logs for ingest into Log Analytics.
Why it's on the exam: Domain 4 + Domain 5 troubleshooting questions name Network Watcher as the first stop for NSG-rule debugging and flow-log capture.
Declarative governance with built-in/custom definitions, initiatives, deny/audit/deployIfNotExists effects, and Blueprints for bundled environment baselines.
Why it's on the exam: Domain 1 expects Azure Policy as the primary mechanism for enforcing tag schemas, allowed regions, SKU restrictions, and compliance baselines.
Role-based access control with built-in/custom roles, scope assignment at management group / subscription / resource group / resource, and Privileged Identity Management for just-in-time elevation.
Why it's on the exam: Domain 1 leans on RBAC β least-privilege role choice, scope inheritance, and PIM activation flows are repeated exam patterns.
Managed store for secrets, certificates, and HSM-backed keys, with access via Entra-integrated RBAC or vault access policies and soft-delete/purge-protection.
Why it's on the exam: Domain 1 + Domain 2 reference Key Vault for storage-account access-key rotation, TLS-cert management, and managed-identity-based secret retrieval.
Unified telemetry platform β metrics, activity logs, resource logs, alerts, and Log Analytics workspaces queried via KQL, with workbooks and dashboards.
Why it's on the exam: Domain 5 (Monitor and Maintain Azure Resources) is anchored on Azure Monitor β alert rules, diagnostic-setting routing, and KQL queries dominate the domain.
$90kβ$125kβ$170k USD annual
AZ-104 is the single most-valued individual Azure cert in admin / ops job postings. Range covers US-based mid-level administrators; senior cloud engineers and Azure-focused SREs at FAANG / fintech often clear $200k TC. Non-coastal US markets trend toward the lower end.
Source: levels.fyi 2025 cloud admin / SRE roles, U.S. BLS OEWS May 2024 (15-1244 network and computer systems administrators), Glassdoor 2025. Figures are approximate; actual compensation depends on role, region, and experience.
AZ-104 is the most-requested Azure certification in admin and operations job postings, frequently appearing as a hard requirement for Azure-centric roles in healthcare, finance, government, and Microsoft-partner consultancies. Recruiters treat it as the canonical proof of hands-on Azure operational competence. It pairs naturally with AZ-500 for security-leaning admin roles, with AZ-700 for network-leaning roles, and with AZ-305 as the architect track. Many candidates who pass AZ-104 follow up with AZ-305 within 6β12 months to qualify for senior architect openings.
There are no formal prerequisites. Microsoft recommends six months of hands-on Azure administration experience plus comfort with PowerShell, Azure CLI, and ARM / Bicep templates. While AZ-900 is not required, candidates without prior cloud exposure typically benefit from passing it first β many AZ-104 questions assume baseline familiarity with shared responsibility, regions, and Microsoft Entra concepts.
Microsoft's free Microsoft Learn path covers all five exam areas in roughly 30β40 hours of content. Hands-on lab time in a personal Azure subscription (or via Microsoft Learn sandboxes) is essentially mandatory β the case study and drag-and-drop questions reward candidates who can recall portal navigation, not just concepts. Many candidates supplement with one of the popular video courses (Pluralsight, A Cloud Guru, Tutorials Dojo) for extra exam-style practice.
AZ-104 sits in the Associate tier β a clear step up from AZ-900. Plan on 80β120 hours of study over 6β10 weeks with prior IT / sysadmin background; double that if Azure is your first cloud. The exam runs roughly 100 minutes with 40β60 questions in multiple-choice, multiple-response, drag-and-drop, hot-area, and case-study formats. Case studies are timed separately and cannot be revisited once you move past them, so candidates should manage time carefully.
The most common stumbling block is networking β VNets, NSGs vs. ASGs, peering, gateway transit, and the differences between Load Balancer / Application Gateway / Front Door / Traffic Manager are dense, scenario-heavy material. Storage redundancy options and Microsoft Entra advanced features (Conditional Access, PIM basics) also tend to surprise candidates who have only studied at the AZ-900 level.
Most recent skills-measured update. Refreshed Microsoft Entra terminology, expanded AKS and Bicep coverage, modernized monitoring tooling. Microsoft refreshes AZ-104 approximately every 12β18 months without changing the exam code.
Major outline refresh: consolidated former six domains into the current five-domain structure and rebalanced weights toward identity and governance. Renamed Azure Active Directory references to Microsoft Entra ID.
Initial GA, replacing the AZ-103 exam (which itself replaced the AZ-100 / AZ-101 pair). Original launch outline.
AZ-104 (Microsoft Azure Administrator Associate) is a a moderately difficult exam expecting practical hands-on experience plus solid understanding of best practices Associate-level exam. Most candidates need 80β150 hours of study spread over 6β12 weeks for associate-level exams. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 80β150 hours of study spread over 6β12 weeks for associate-level exams. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
AZ-104 is a recognized credential in the Azure ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals β it tends to pay off most for cloud engineers, architects, and consultants who work with Azure day-to-day or want to move into roles that do.
The passing score for AZ-104 is 700 / 1000. The exam contains 50 questions and lasts 1 hr 40 min.
The AZ-104 exam fee is $165 USD. Fees are set by Azure and may vary by region; always confirm the current price on the official Azure certification page before booking.
Microsoft role-based certifications expire after 1 year but can be renewed for free via an unproctored online assessment on Microsoft Learn, starting 6 months before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for AZ-104. The exam-simulation mode mirrors the real exam: 50 questions in 1 hr 40 min, with the same passing threshold of 700 / 1000. Browse mode lets you read every Q&A statically.