The Microsoft Azure Administrator Exam (AZ-104) validates your ability to implement, manage, and monitor Microsoft Azure environments. This exam is designed for IT professionals and cloud administrators who deploy, configure, and maintain Azure infrastructure and services. This page outlines the exam structure, core topics, question formats, and practical preparation strategies to help you study efficiently and build confidence before test day.
Use this topic map to guide your study for Microsoft AZ-104 (Microsoft Azure Administrator Exam) within the Microsoft Azure path.
The AZ-104 exam measures both foundational knowledge and practical decision-making through a variety of question types designed to assess real-world competency.
Questions increase in complexity as you progress, reflecting the depth of knowledge needed to manage production Azure environments.
An effective study routine aligns your preparation time to each of the five core topics and builds from conceptual understanding to hands-on practice. Dedicate 1-2 weeks per topic, combining reading, labs, and practice questions to reinforce learning.
While all five domains are important, Implement and manage virtual networking and Deploy and manage Azure compute resources tend to represent a larger portion of the exam. However, Microsoft regularly adjusts weightings, so thorough coverage of all topics, especially Manage Azure identities and governance, is essential for success.
In practice, these domains overlap significantly. For example, deploying a virtual machine (compute) requires configuring network security groups (networking), assigning managed identities (identities), attaching storage accounts (storage), and setting up monitoring (monitoring). Understanding these connections helps you answer scenario-based questions and troubleshoot real issues faster.
Ideally, you should have 6-12 months of Azure administration experience or equivalent lab practice. Prioritize hands-on labs in virtual networking, virtual machine deployment, RBAC configuration, and storage account management. Free Azure credits and sandbox environments let you practice without cost.
Common errors include confusing RBAC roles and their permissions, misunderstanding network security group vs. firewall rules, choosing the wrong storage redundancy option for a given scenario, and overlooking monitoring/alerting requirements. Carefully read scenario details and consider all constraints before selecting an answer.
In the final week, shift focus from learning new material to review and practice. Take a full-length timed practice test to identify remaining gaps, review explanations for incorrect answers, and do quick refreshers on high-weight topics. Get adequate sleep, avoid cramming, and trust your preparation.
You need to add VM1 and VM2 to the backend pool of LB1. What should you do first?
In Azure, Load Balancers distribute network traffic across multiple virtual machines (VMs) to ensure high availability and reliability. To add virtual machines to the backend pool of an Azure Load Balancer, the following key conditions must be met according to the Microsoft Azure Administrator documentation:
All VMs in the backend pool must be connected to the same virtual network (VNet) as the Load Balancer.
The Load Balancer (in this case, LB1) is configured for internal load balancing on VNET1/Subnet1 as per the technical requirements of the case study.
The backend pool can include network interfaces (NICs) from VMs within the same region and VNet.
Step-by-step analysis:
From the case study data:
VM | Location | Connected to | IP Address
VM1 | West US | VNET1/Subnet1 | 10.0.1.4
VM2 | West US | VNET1/Subnet2 | 10.0.2.4
LB1: Internal Basic Load Balancer, connected to VNET1/Subnet1
Observation:
VM1 is already connected to VNET1/Subnet1, where the internal Load Balancer LB1 is also deployed.
VM2, however, is connected to VNET1/Subnet2, which is a different subnet within the same virtual network.
According to Microsoft Learn ("Configure backend pools in Azure Load Balancer"):
"All network interfaces in the backend pool must be within the same virtual network as the load balancer. You cannot add VMs connected to different VNets or subnets not associated with the load balancer's front-end configuration."
Therefore, before you can add VM2 to the backend pool, you must ensure that its network interface is attached to VNET1/Subnet1, the same subnet used by LB1.
Only after this step will both VMs (VM1 and VM2) be eligible for inclusion in LB1's backend pool.
Incorrect Option Analysis:
A. Create a new NSG and associate the NSG to VNET1/Subnet1. Not required. Network Security Groups control traffic filtering, not backend pool configuration.
C. Redeploy VM1 and VM2 to the same availability zone. Availability Zones only matter for redundancy and failover, not for backend pool eligibility in a basic internal load balancer.
D. Redeploy VM1 and VM2 to the same availability set. Basic Load Balancers can distribute traffic across VMs in the same availability set, but both VMs must already reside in the same VNet/Subnet first.
Final Verified Answer:
B. Connect VM2 to VNET1/Subnet1
Reference (Microsoft Official Documentation):
Microsoft Learn: Configure the backend pool for Azure Load Balancer
Microsoft Learn: Azure Load Balancer overview
Microsoft Learn: Create and configure an internal load balancer
Microsoft Learn: Virtual network and subnet requirements for load balancing
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that an Azure Active Directory (Azure AD) user named Admin1 is assigned the required role to enable Traffic Analytics for an Azure subscription.
Solution: You assign the Owner role at the subscription level to Admin1.
Does this meet the goal?
To enable Traffic Analytics for an Azure subscription, the user must have sufficient privileges to configure Network Watcher, NSG flow logs, and the associated Log Analytics workspace.
As per Microsoft Azure documentation, the following built-in roles can enable Traffic Analytics:
Owner
Contributor
Reader
Network Contributor
The Owner role provides full access to all resources, including the right to delegate permissions and modify configurations. Since the Owner role includes complete management capabilities for all Azure resources at the subscription level, this role absolutely meets the requirements for enabling Traffic Analytics.
The Azure Network Watcher documentation clearly states:
"To enable Traffic Analytics, your account must have any one of the following roles at the subscription scope: Owner, Contributor, Reader, or Network Contributor."
Therefore, assigning the Owner role to Admin1 at the subscription level ensures Admin1 has the required permissions to enable Traffic Analytics.
You have an Azure container registry named Registry1 that contains an image named image1.
You receive an error message when you attempt to deploy a container instance by using image1.
You need to be able to deploy a container instance by using image1.
Solution: You assign the AcrPull role to ACR-Tasks-Network for Registry1.
Does this meet the goal?
Azure Container Registry (ACR) uses Azure role-based access control (RBAC) to determine who can pull, push, or manage images. The AcrPull role allows identities to pull (read) container images from a registry but not to push (write) or deploy images.
In this scenario, the error occurs when trying to deploy an Azure Container Instance (ACI) using an image from Registry1. The deployment process requires that the Azure Container Instance resource provider (the identity performing the deployment) has access permissions to pull the image from ACR. However, simply assigning the AcrPull role to an internal system identity like ACR-Tasks-Network does not necessarily authorize the ACI to pull images unless that specific managed identity used by ACI has the role assignment.
According to the Microsoft Azure Administrator documentation, the correct method to allow a container instance to pull an image from an Azure Container Registry is:
Enable a managed identity (system-assigned or user-assigned) for the Azure Container Instance.
Assign that managed identity the AcrPull role on the container registry.
The ACR Tasks Network identity mentioned in the scenario is used internally by ACR for automated build tasks, not for deployment of container instances. Therefore, assigning the AcrPull role to ACR-Tasks-Network does not resolve the issue of ACI being unable to access the container image.
Hence, this solution does not meet the goal because the role was assigned to the wrong identity. The correct approach is to assign AcrPull to the Azure Container Instance's managed identity instead.
You need to identify which storage account to use for the flow logging of IP traffic from VM5. The solution must meet the retention requirements.
Which storage account should you identify?
You must identify the correct storage account for flow logging of IP traffic from VM5 that satisfies the retention requirement of eight months.
Step 1: Review the Requirements
Flow logs are stored in a StorageV2 (general purpose v2) account.
The selected storage account must support Network Watcher flow logs.
Data must be retained for eight months (240 days).
Step 2: Evaluate Each Storage Account
Storage Account | Kind | Region | Remarks
storage1 | Storage (general purpose v1) | West US | Does not support flow logs (deprecated type).
storage2 | StorageV2 (general purpose v2) | East US | Fully supports flow logs and lifecycle management.
storage3 | BlobStorage | East US 2 | Not suitable: supports blobs only, not log structure or lifecycle retention.
storage4 | FileStorage | Central US | File-only: cannot store flow logs.
Step 3: Compliance with Flow Log Retention
Flow logs for Network Watcher NSG flow logging are supported only by StorageV2 accounts. You can use Azure Storage lifecycle management to automatically delete logs after a set period, such as 240 days (8 months), to comply with retention requirements.
Official Microsoft Note: "Network security group (NSG) flow logs are stored in Azure StorageV2 (General Purpose v2) accounts, which support lifecycle management for log retention." (Azure Network Watcher documentation)
Conclusion
storage2 is the only StorageV2 account.
It's located in East US, matching VM5's region (East US), which satisfies performance and compliance requirements.
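The lifecycle rule described in Step 3, as an added example that is not part of the original page: a shell function that emits a management policy deleting flow log blobs older than a given number of days. It assumes the logs sit in the container Network Watcher uses for NSG flow logs (insights-logs-networksecuritygroupflowevent); the rule name and the resource group placeholder are illustrative.

```shell
#!/bin/sh
# Added example: lifecycle rule that deletes NSG flow log blobs once they
# are older than the retention period, scoped to the flow log container only.

# Container that Network Watcher writes NSG flow logs into.
FLOWLOG_CONTAINER="insights-logs-networksecuritygroupflowevent"

# flowlog_lifecycle_policy DAYS
# Prints the policy document; rejects empty, zero, zero-padded or
# non-numeric input so the emitted JSON number is always valid.
flowlog_lifecycle_policy() {
    case "$1" in
        ''|0*|*[!0-9]*)
            echo "retention must be a positive whole number of days" >&2
            return 1 ;;
    esac
    cat <<EOF
{
  "rules": [
    {
      "enabled": true,
      "name": "deleteNsgFlowLogsAfter${1}Days",
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": ["blockBlob"],
          "prefixMatch": ["$FLOWLOG_CONTAINER/"]
        },
        "actions": {
          "baseBlob": {
            "delete": { "daysAfterModificationGreaterThan": $1 }
          }
        }
      }
    }
  ]
}
EOF
}

# The page's requirement: eight months, taken as 240 days.
flowlog_lifecycle_policy 240
# To apply it (the resource group name is a placeholder):
#   flowlog_lifecycle_policy 240 > policy.json
#   az storage account management-policy create --account-name storage2 \
#       --resource-group <resource-group> --policy @policy.json
```

The prefixMatch filter keeps the delete action away from any other data stored in the same account.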
You have an Azure Storage account named storage1.
You need to enable a user named User1 to list and regenerate storage account keys for storage1.
Solution: You assign the Storage Account Contributor role to User1.
Does this meet the goal?
The Storage Account Contributor role provides the necessary permissions to manage a storage account except for access to data itself. According to Microsoft's Azure RBAC documentation, this role includes the following actions:
Microsoft.Storage/storageAccounts/regenerateKey/action
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/read
Therefore, a user assigned the Storage Account Contributor role can list and regenerate access keys for the assigned storage account.
Reference from Azure documentation (Built-in roles for Azure RBAC):
"Storage Account Contributor - Manage storage accounts, including access keys. Can't manage access to data."
Hence, assigning Storage Account Contributor to User1 meets the requirement.
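How Azure RBAC arrives at that result, as an added example (not from the original page or from Microsoft): a role permits an operation when one of its Actions patterns matches it and no NotActions pattern does. The three operations are the ones listed above; the Reader pattern `*/read` is that built-in role's definition, and the custom role is hypothetical sample data.

```shell
#!/bin/sh
# Added example: decide whether a role definition permits an operation,
# combining Actions and NotActions the way Azure RBAC does.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# matches_any OPERATION PATTERN...  (returns 0 when some pattern matches)
matches_any() {
    _op=$(lower "$1"); shift
    for _pat in "$@"; do
        _pat=$(lower "$_pat")
        # An unquoted case pattern is a glob; its '*' also spans '/'.
        case "$_op" in
            $_pat) return 0 ;;
        esac
    done
    return 1
}

# role_allows OPERATION "ACTIONS" "NOTACTIONS"  (whitespace-separated lists)
role_allows() {
    set -f                      # keep '*' literal while the lists are split
    _ok=1
    if matches_any "$1" $2 && ! matches_any "$1" $3; then _ok=0; fi
    set +f
    return "$_ok"
}

# The three operations the page lists for Storage Account Contributor.
PAGE_LISTED_ACTIONS="Microsoft.Storage/storageAccounts/regenerateKey/action
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/read"
# Built-in Reader role: read operations only.
READER_ACTIONS="*/read"
# Hypothetical custom role: everything on storage accounts except key rotation.
CUSTOM_ACTIONS="Microsoft.Storage/storageAccounts/*"
CUSTOM_NOTACTIONS="Microsoft.Storage/storageAccounts/regenerateKey/action"

report() {  # report LABEL "ACTIONS" "NOTACTIONS"
    for _need in Microsoft.Storage/storageAccounts/listKeys/action \
                 Microsoft.Storage/storageAccounts/regenerateKey/action; do
        if role_allows "$_need" "$2" "$3"; then _v=allow; else _v=deny; fi
        printf '%-22s %-58s %s\n' "$1" "$_need" "$_v"
    done
}
report "page-listed actions"  "$PAGE_LISTED_ACTIONS" ""
report "Reader"               "$READER_ACTIONS" ""
report "custom (constructed)" "$CUSTOM_ACTIONS" "$CUSTOM_NOTACTIONS"
```

To check a real role, pass in the output of `az role definition list --name "Storage Account Contributor" --query "[0].permissions[0].actions" -o tsv` as the ACTIONS argument.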