Azure's Position in the Cloud Market
AWS dominates the cloud certification conversation, but Azure holds 23% of the global cloud infrastructure market and is the default choice for enterprises already invested in Microsoft's ecosystem. That's a massive installed base — and it means Azure skills are in high demand, especially in industries like finance, healthcare, government, and manufacturing where Microsoft enterprise agreements are deeply embedded.
The Azure Administrator Associate (AZ-104) is the second most in-demand cloud certification globally, behind only the AWS Solutions Architect Associate. It validates your ability to manage Azure identities, governance, storage, compute, and virtual networking — the core skills every Azure administrator needs.
If your organization runs on Azure, or if you're targeting enterprise cloud roles, the AZ-104 is the credential that gets you in the door.
Exam Overview
| Detail | Information |
|---|---|
| Exam code | AZ-104 |
| Duration | 120 minutes |
| Format | 40-60 questions (multiple choice, case studies, drag-and-drop, labs) |
| Passing score | 700/1000 |
| Cost | $165 USD |
| Validity | 1 year (free renewal assessment available annually) |
| Prerequisites | None (6 months Azure experience recommended) |
| Testing | Pearson VUE (test center or online proctored) |
Annual Renewal Required
Unlike AWS certifications (valid for 3 years), Microsoft certifications require an annual renewal. The good news: the renewal assessment is free, online, and open-book. It covers updates to Azure services since your last certification. Set a calendar reminder 6 months before expiration.
Domain Breakdown
| Domain | Weight |
|---|---|
| Manage Azure identities and governance | 20-25% |
| Implement and manage storage | 15-20% |
| Deploy and manage Azure compute resources | 20-25% |
| Implement and manage virtual networking | 15-20% |
| Monitor and maintain Azure resources | 10-15% |
Domain 1: Azure Identities and Governance (20-25%)
Microsoft Entra ID (formerly Azure AD)
This is the identity backbone of Azure. Key concepts:
- Users and groups: Create and manage users, assign group memberships, configure dynamic groups based on attributes.
- RBAC roles: Azure uses role-based access control. Know the built-in roles (Owner, Contributor, Reader) and when to create custom roles.
- Administrative units: Delegate administration of subsets of users to specific admins without giving them tenant-wide access.
- Multi-factor authentication: Configure MFA policies and Conditional Access rules.
Subscriptions and Management Groups
Azure's organizational hierarchy: Tenant → Management Groups → Subscriptions → Resource Groups → Resources.
- Management Groups organize subscriptions into a hierarchy for policy and access management.
- Azure Policy enforces organizational standards. Policies can audit, deny, or automatically remediate non-compliant resources.
- Resource locks prevent accidental deletion or modification. CanNotDelete and ReadOnly locks apply to the resource and all its children.
RBAC Scope Hierarchy
RBAC assignments inherit downward: Management Group → Subscription → Resource Group → Resource. An Owner role assigned at the Subscription level gives Owner access to every resource group and resource within that subscription. Always assign roles at the narrowest scope possible.
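The inheritance rule above, worked through as an added example (not part of the original article or any Microsoft tooling). The scopes, principals, subscription ID and the `PARENT_MG` mapping are constructed for illustration, and only a single management group level is modelled.

```python
# Constructed scopes and assignments (not from a real tenant). The subscription ID
# is a placeholder, and PARENT_MG is an assumed subscription -> management group map,
# because a subscription's resource ID does not name its management group.
MG = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
PARENT_MG = {SUB: MG}

ASSIGNMENTS = [  # (principal, role, scope the role was assigned at)
    ("alice", "Owner", SUB),
    ("bob", "Contributor", RG),
    ("carol", "Reader", MG),
    ("dave", "Owner", VM),
]

def ancestors(scope):
    """Return scope plus every scope it inherits from, narrowest first."""
    chain = [scope]
    parts = scope.strip("/").split("/")
    if parts[0] == "subscriptions":
        sub = "/" + "/".join(parts[:2])
        if len(parts) > 4:                      # resource -> its resource group
            chain.append("/" + "/".join(parts[:4]))
        if len(parts) > 2:                      # resource group -> subscription
            chain.append(sub)
        if sub in PARENT_MG:                    # subscription -> management group
            chain.append(PARENT_MG[sub])
    return chain

def effective_roles(principal, scope):
    """Roles that apply to principal at scope, with the scope each was granted at."""
    chain = ancestors(scope)
    return [(role, s) for p, role, s in ASSIGNMENTS if p == principal and s in chain]

def broad_privileged_grants(privileged=("Owner", "User Access Administrator")):
    """Flag privileged roles assigned at subscription or management-group scope."""
    def is_broad(scope):
        parts = scope.strip("/").split("/")
        return parts[0] == "providers" or len(parts) == 2
    return [a for a in ASSIGNMENTS if a[1] in privileged and is_broad(a[2])]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, "on vm-web01:", effective_roles(who, VM))
    print("review:", broad_privileged_grants())
```

Alice's subscription-level Owner assignment reaches the VM even though nothing was granted on the VM itself, while Dave's Owner role on the VM gives him nothing at the resource group.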
Cost Management
- Budgets: Set spending thresholds with alerts.
- Cost analysis: Visualize spending by service, resource group, tag, or time period.
- Tags: Apply metadata tags to resources for cost allocation, environment tracking, and automation.
- Azure Advisor: Provides recommendations for cost, security, reliability, and performance.
Domain 2: Storage (15-20%)
Storage Accounts
Azure storage accounts provide four data services:
| Service | Use Case | Access |
|---|---|---|
| Blob Storage | Unstructured data (files, images, backups) | REST API, SDKs, AzCopy |
| File Storage | SMB/NFS file shares | Mount on VMs and on-premises |
| Queue Storage | Message queuing between services | REST API |
| Table Storage | NoSQL key-value data | REST API, SDKs |
Blob Storage Tiers
| Tier | Access Pattern | Monthly Cost (per GB) | Retrieval Cost |
|---|---|---|---|
| Hot | Frequent access | Higher storage, lower access | Lowest |
| Cool | Infrequent (30+ days) | Lower storage, higher access | Moderate |
| Cold | Rare (90+ days) | Even lower storage | Higher |
| Archive | Long-term retention (180+ days) | Lowest storage | Highest (hours to rehydrate) |
Data Protection
- Soft delete: Recover accidentally deleted blobs and containers within a retention period.
- Versioning: Automatically maintain previous versions of blobs.
- Immutable storage: WORM (Write Once, Read Many) policies for compliance.
- Replication: LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS. Know when to use each.
Replication Choices Matter
LRS (Locally Redundant): 3 copies in one datacenter. Cheapest but no AZ protection. ZRS (Zone-Redundant): 3 copies across AZs. Protects against AZ failure. GRS (Geo-Redundant): 6 copies across 2 regions. Protects against regional failure, but the secondary region is readable (read-only) only with RA-GRS. The exam loves asking when to upgrade from LRS to ZRS or GRS based on availability requirements.
Domain 3: Compute Resources (20-25%)
Virtual Machines
- VM sizes: Know the series (B-series for burstable, D-series for general purpose, E-series for memory-optimized, N-series for GPU).
- Availability Sets: Distribute VMs across fault domains and update domains within a datacenter.
- Availability Zones: Distribute VMs across physically separate datacenters within a region.
- Virtual Machine Scale Sets (VMSS): Auto-scale identical VMs based on demand. Configure scaling rules based on metrics.
Azure App Service
Platform-as-a-Service for web applications:
- App Service Plans: Determine compute resources and pricing tier. Know the differences between Free, Basic, Standard, Premium, and Isolated tiers.
- Deployment slots: Deploy to staging, test, then swap to production with zero downtime.
- Custom domains and TLS: Configure custom domains with App Service Managed Certificates.
Containers
- Azure Container Instances (ACI): Fastest way to run a container in Azure. No orchestration, single-container or small group workloads.
- Azure Kubernetes Service (AKS): Managed Kubernetes. Know how to create clusters, configure node pools, and manage upgrades.
- Azure Container Registry (ACR): Private Docker registry for storing container images.
Domain 4: Virtual Networking (15-20%)
VNet Fundamentals
- Address spaces: Plan CIDR ranges carefully. Overlapping ranges prevent VNet peering.
- Subnets: Segment VNets by function (web tier, app tier, data tier).
- Network Security Groups (NSGs): Filter traffic with inbound/outbound rules. Applied to subnets or NICs.
- Application Security Groups (ASGs): Group VMs logically for NSG rules instead of using IP addresses.
Connectivity
- VNet Peering: Connect VNets within or across regions. Non-transitive by default.
- VPN Gateway: Site-to-site VPN for connecting on-premises networks to Azure.
- ExpressRoute: Dedicated private connection from on-premises to Azure (not over the public internet).
- Azure Bastion: Secure RDP/SSH access to VMs without exposing public IP addresses.
Load Balancing
| Service | Layer | Scope | Use Case |
|---|---|---|---|
| Azure Load Balancer | Layer 4 (TCP/UDP) | Regional | VM load balancing |
| Application Gateway | Layer 7 (HTTP/HTTPS) | Regional | Web application load balancing, WAF |
| Front Door | Layer 7 | Global | Global HTTP load balancing, CDN, WAF |
| Traffic Manager | DNS-based | Global | DNS-level routing, failover |
Load Balancer Selection
The exam frequently asks you to pick the right load balancer. Think in layers: Layer 4 (just forward TCP traffic) = Azure Load Balancer. Layer 7 (inspect HTTP, path-based routing, SSL termination) = Application Gateway. Global (route users to the nearest region) = Front Door or Traffic Manager.
DNS
- Azure DNS: Host DNS zones in Azure. Supports both public and private zones.
- Private DNS Zones: Name resolution within VNets without custom DNS servers. Link zones to VNets for automatic registration.
Domain 5: Monitoring and Maintenance (10-15%)
Azure Monitor
The central monitoring platform:
- Metrics: Numeric time-series data (CPU %, memory, disk IOPS). Visualize in Azure Portal or Grafana.
- Logs: Text-based diagnostic data. Query with Kusto Query Language (KQL) in Log Analytics.
- Alerts: Trigger notifications or automated actions based on metric thresholds or log query results.
- Diagnostic settings: Route resource logs and metrics to Log Analytics, Storage, or Event Hubs.
Azure Backup
- Recovery Services Vault: Central location for backup policies and recovery points.
- VM backup: Agent-based, application-consistent snapshots.
- Backup policies: Define retention (daily, weekly, monthly, yearly) and schedule.
Network Watcher
- Connection troubleshoot: Test connectivity between two endpoints.
- IP flow verify: Check if traffic to/from a VM is allowed or denied by NSG rules.
- NSG flow logs: Capture and analyze network traffic patterns.
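How an allow/deny answer like the one IP flow verify reports comes about, as an added example (a simplified offline model, not Network Watcher or the article's own code). It also covers the earlier point that NSGs apply to subnets or NICs. It assumes IPv4 only, service tags reduced to CIDRs, a constructed `10.0.0.0/16` VNet, and constructed rule names and addresses.

```python
import ipaddress

# Constructed sample data. Rule tuple: (priority, name, source CIDR, port, protocol, access).
# Service tags are simplified to CIDRs; VNET_CIDR is an assumed address space.
VNET_CIDR = "10.0.0.0/16"
DEFAULT_INBOUND = [  # subset of the default rules present in every NSG
    (65000, "AllowVnetInBound", VNET_CIDR, "*", "*", "Allow"),
    (65500, "DenyAllInBound", "0.0.0.0/0", "*", "*", "Deny"),
]
SUBNET_NSG = [
    (100, "AllowHttpsIn", "0.0.0.0/0", "443", "Tcp", "Allow"),
    (200, "AllowSshFromAdmin", "203.0.113.0/24", "22", "Tcp", "Allow"),
    (300, "DenySshIn", "0.0.0.0/0", "22", "Tcp", "Deny"),
]

def evaluate(custom_rules, src_ip, port, proto="Tcp"):
    """Return (access, rule name) of the first match, lowest priority number first."""
    addr = ipaddress.ip_address(src_ip)
    for _prio, name, src, rule_port, rule_proto, access in sorted(custom_rules + DEFAULT_INBOUND):
        if (addr in ipaddress.ip_network(src)
                and rule_port in ("*", str(port))
                and rule_proto in ("*", proto)):
            return access, name
    return "Deny", "NoMatch"  # only reachable for non-IPv4 input in this model

def inbound_verdict(subnet_nsg, nic_nsg, src_ip, port, proto="Tcp"):
    """Inbound traffic is checked by the subnet NSG, then the NIC NSG; both must allow.
    Pass None for a level that has no NSG associated."""
    verdict = ("Allow", "no NSG associated")
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        access, name = evaluate(rules, src_ip, port, proto)
        verdict = (access, f"{level}:{name}")
        if access == "Deny":
            break
    return verdict

if __name__ == "__main__":
    for src, port in (("198.51.100.7", 443), ("203.0.113.10", 22),
                      ("10.0.1.5", 22), ("10.0.1.5", 8080)):
        print(src, port, evaluate(SUBNET_NSG, src, port))
    print(inbound_verdict(SUBNET_NSG, [], "198.51.100.7", 443))
```

Two results are worth noticing: `DenySshIn` at priority 300 blocks SSH from inside the VNet as well, because it is evaluated before the default `AllowVnetInBound`, and HTTPS allowed at the subnet is still dropped when a NIC-level NSG has no matching allow rule.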
Study Plan: 6 Weeks to AZ-104
Week 1: Identity and Governance
Set up a free Azure account. Create users, groups, and RBAC assignments. Configure Azure Policy to enforce tagging. Set up Management Groups and cost budgets.
Week 2: Storage
Create storage accounts in different redundancy configurations. Upload blobs, configure lifecycle management, and set up Azure File shares. Practice AzCopy for large data transfers.
Week 3: Compute
Deploy VMs in availability sets and zones. Create a VMSS with auto-scaling. Deploy a web app to App Service with deployment slots. Create an AKS cluster and deploy a container.
Week 4: Networking
Build a hub-and-spoke network topology. Configure VNet peering, NSGs, and Azure Bastion. Set up Application Gateway with path-based routing. Configure Azure DNS zones.
Week 5: Monitoring and Integration
Configure Azure Monitor alerts and dashboards. Set up Log Analytics and write basic KQL queries. Configure Azure Backup for VMs. Practice with Network Watcher tools.
Week 6: Practice Exams
Take 3-4 full-length practice exams from Microsoft Learn or reputable third-party providers. Review every incorrect answer. Focus on your weakest domains.
Microsoft Learn Is Your Best Free Resource
Microsoft Learn provides free, hands-on learning paths specifically aligned to the AZ-104 exam domains. The learning paths include sandboxed Azure environments where you can practice without a credit card. Start with the "AZ-104: Prerequisites for Azure administrators" learning path and work through all five domain paths.
Tips for AWS Engineers Transitioning to Azure
If you already know AWS, the concepts transfer directly — the service names just change:
| AWS | Azure | Notes |
|---|---|---|
| IAM | Microsoft Entra ID + Azure RBAC | Azure separates identity (Entra ID) from authorization (RBAC) |
| VPC | Virtual Network (VNet) | Similar concepts, different defaults |
| EC2 | Virtual Machines | Comparable instance families |
| S3 | Blob Storage | Similar tiers and lifecycle management |
| RDS | Azure SQL / SQL Managed Instance | Azure leans heavily into SQL Server |
| EKS | AKS | AKS control plane is free (you pay only for nodes) |
| CloudWatch | Azure Monitor | Azure Monitor is more unified than CloudWatch |
| CloudFormation | ARM Templates / Bicep | Bicep is Azure's modern IaC language |
The biggest conceptual difference: Azure's identity model revolves around Microsoft Entra ID, which is fundamentally different from AWS IAM. In Azure, identity (who you are) is managed separately from authorization (what you can do). Plan extra study time for Entra ID if you're coming from AWS.
Conclusion
The AZ-104 is a comprehensive exam that tests real administrator skills across the full Azure platform. It's not as architecture-focused as the AWS SAA — it's more operational, testing your ability to actually configure and manage Azure resources, not just design them on paper.
The hands-on format means you can't pass by memorizing facts. You need to be comfortable navigating the Azure Portal, using Azure CLI, and understanding how services connect. The 6-week study plan above prioritizes this hands-on practice because it's the most effective way to prepare.
Azure certifications are particularly valuable in enterprise environments where Microsoft's ecosystem dominates. If you're building your cloud career and your target employers run Azure, the AZ-104 is the credential that proves you can manage their infrastructure. And if you're already AWS-certified, adding Azure to your skillset makes you far more versatile in a multi-cloud world.