Azure Administrator AZ-104 Certification
AI-Generated Content
The AZ-104: Microsoft Azure Administrator certification validates the technical skills needed to manage an organization's cloud infrastructure. In today's cloud-first landscape, an Azure Administrator is the operational backbone, ensuring resources are secure, performant, cost-effective, and reliable. This guide breaks down the core skills you'll need to master, preparing you not just for the exam but for real-world cloud management responsibilities.
Core Concept 1: Managing Azure Identities with Azure Active Directory
At the heart of any secure Azure environment is Azure Active Directory (Azure AD), now named Microsoft Entra ID, Microsoft's cloud-based identity and access management service. It is far more than a user directory: it is the authentication and authorization control plane for Azure, Microsoft 365, and thousands of other SaaS applications, so a weak identity configuration undermines every other control described on this page.
Your primary administrative tasks here involve creating and managing users and groups, both cloud-native and synchronized from an on-premises Active Directory Domain Services (AD DS) environment using Azure AD Connect (now Microsoft Entra Connect). A critical skill is configuring and managing self-service password reset (SSPR), which reduces help desk overhead while maintaining security. Furthermore, you'll implement Azure AD Join and Hybrid Azure AD Join to bring Windows 10+ devices under managed identity control, which is foundational for Conditional Access policies that require a compliant or managed device. The most important concept in this domain is Multi-Factor Authentication (MFA). Enforcing MFA is no longer optional for administrative or user accounts, and Microsoft has begun requiring it for sign-ins to the Azure portal itself. You must know the two ways to turn it on: security defaults, a free tenant-wide baseline, or Conditional Access policies, which give granular control (by user, group, application, device state, location, or sign-in risk) but require a Microsoft Entra ID P1 license and cannot be combined with security defaults, which must be disabled first.
Core Concept 2: Implementing Governance via Policy and RBAC
After establishing who can sign in, you must define what they can do and enforce organizational standards. This is achieved through governance. Azure role-based access control (Azure RBAC) is the authorization system for Azure resources. You grant permissions by assigning built-in roles (like Contributor, Reader, or User Access Administrator) or custom roles to users, groups, service principals, or managed identities at a scope: management group, subscription, resource group, or resource. Assignments inherit downward, so a role granted at a subscription applies to every resource group and resource beneath it, and a principal's effective permissions are the union of all its assignments. A role's NotActions only subtract from that role's own Actions; they are not a deny, so a second role assigned to the same principal can still grant the excluded operation. Assign at the narrowest scope that does the job, and assign to groups rather than individual users.
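The inheritance and union rules described above, as an added example that is not part of the original page and not Microsoft's authorization code: a small Python model that answers "may this principal perform this action on this resource?" from a set of role assignments. The role definitions are abbreviated copies of the built-in roles' shape, and the management group, subscription ID, resource IDs, principals, and assignments are all constructed for the example. Azure's real authorization service also handles deny assignments, data actions, and ABAC conditions, none of which is modelled here.

```python
"""Added example (not from the page): a local model of how Azure RBAC decides a
control-plane request. It implements the documented rules (scope inheritance,
union of assignments, NotActions as a subtraction inside one role rather than a
deny) over constructed role definitions, scopes and principals."""
from fnmatch import fnmatchcase  # Azure actions use '*' wildcards, which fnmatch handles

# Constructed, abbreviated permission blocks shaped like the built-in roles.
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [  # Contributor can do everything except manage access
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
    "Virtual Machine Contributor": {
        "Actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": [],
    },
}

# Constructed hierarchy: management group > subscription > resource group > resource.
MG_PARENT = {"mg-prod": "mg-root"}
SUB = "11111111-1111-1111-1111-111111111111"  # placeholder subscription ID
SUBSCRIPTION_MG = {SUB: "mg-prod"}
MG_SCOPE = "/providers/Microsoft.Management/managementGroups/mg-prod"
SUB_SCOPE = f"/subscriptions/{SUB}"
RG_WEB = f"{SUB_SCOPE}/resourceGroups/rg-web"
VM_WEB = f"{RG_WEB}/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM_DATA = f"{SUB_SCOPE}/resourceGroups/rg-data/providers/Microsoft.Compute/virtualMachines/vm-db-01"

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Reader", MG_SCOPE),                    # inherited by every subscription under mg-prod
    ("bob", "Virtual Machine Contributor", RG_WEB),   # least privilege for a VM operator
    ("carol", "Contributor", SUB_SCOPE),
    ("carol", "User Access Administrator", RG_WEB),   # union with Contributor, only inside rg-web
]

def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """True if the assignment scope is the resource itself or one of its ancestors."""
    a, r = assignment_scope.lower(), resource_id.lower()
    mg_prefix = "/providers/microsoft.management/managementgroups/"
    if a.startswith(mg_prefix):
        # Resource IDs do not embed the management group, so walk the subscription's MG chain.
        parts = r.split("/")
        if len(parts) < 3 or parts[1] != "subscriptions":
            return False
        node = SUBSCRIPTION_MG.get(parts[2])
        while node is not None:
            if node.lower() == a[len(mg_prefix):]:
                return True
            node = MG_PARENT.get(node)
        return False
    return r == a or r.startswith(a + "/")

def role_permits(role: str, action: str) -> bool:
    """Actions grant, NotActions subtract; both are wildcard patterns matched case-insensitively."""
    perms = ROLE_DEFINITIONS[role]
    act = action.lower()
    granted = any(fnmatchcase(act, p.lower()) for p in perms["Actions"])
    excluded = any(fnmatchcase(act, p.lower()) for p in perms["NotActions"])
    return granted and not excluded

def is_authorized(principal: str, action: str, resource_id: str):
    """Return (allowed, roles that granted it); effective permission is the union of assignments."""
    granting = [role for who, role, scope in ASSIGNMENTS
                if who == principal and scope_covers(scope, resource_id) and role_permits(role, action)]
    return bool(granting), granting

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/read", VM_WEB),
        ("alice", "Microsoft.Compute/virtualMachines/write", VM_WEB),
        ("bob", "Microsoft.Compute/virtualMachines/start/action", VM_DATA),
        ("carol", "Microsoft.Authorization/roleAssignments/write", VM_DATA),
        ("carol", "Microsoft.Authorization/roleAssignments/write", VM_WEB),
    ]
    for who, action, rid in checks:
        print(who, action, rid.rsplit("/", 1)[-1], is_authorized(who, action, rid))
```

The last two checks are the point: carol's Contributor role at the subscription explicitly excludes role-assignment writes, yet she can still write them inside rg-web because a second assignment there grants them. NotActions narrow one role; they never deny.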
Governance, however, is more than access; it is also compliance and cost control, and that is where Azure Policy comes in. A policy definition pairs a condition over resource properties with an effect such as audit, deny, modify, or deployIfNotExists. For example, you can deny VM SKUs outside an approved list in a region, deny storage accounts whose minimum TLS version is below 1.2, or use the modify effect to add cost-center tags automatically. Definitions are assigned at a scope and, like RBAC, inherit down the hierarchy. Deny only blocks new or updated resources; resources that already exist are merely reported as non-compliant, and bringing them into line requires a remediation task, which is available for modify and deployIfNotExists policies. Azure Blueprints packaged policies, role assignments, and ARM templates into a repeatable environment, but it never left preview and is scheduled for retirement in July 2026 in favor of template specs and deployment stacks. For the exam, you must understand the inheritance model of both RBAC and Policy and how to remediate non-compliant resources.
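The two policies named in the paragraph above (allowed VM SKUs and a TLS 1.2 minimum on storage accounts), as an added example that is not part of the original page: the definitions are written as the JSON objects Azure Policy actually consumes, and a small evaluator for the subset of the policy language they use is included so they can be run against constructed sample resources offline. The evaluator is an approximation for learning and testing, not Azure's compliance engine; the alias-to-property mapping and the sample resources are assumptions made for this example.

```python
"""Added example (not from the page): two Azure Policy definitions plus a local
evaluator for the conditions they use (allOf/anyOf/not, equals/notEquals/in/
exists, parameters()). Real evaluation is done by Azure Policy; this mirrors
its first-match-then-effect behaviour for study purposes only."""
import json

# Deny storage accounts that do not require TLS 1.2 (or leave the setting unset).
DENY_WEAK_TLS = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false"},
                {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
            ]},
        ]},
        "then": {"effect": "deny"},
    },
}

# Deny VM sizes outside an approved list supplied as a parameter at assignment time.
ALLOWED_VM_SIZES = {
    "mode": "Indexed",
    "parameters": {"listOfAllowedSKUs": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('listOfAllowedSKUs')]"}},
        ]},
        "then": {"effect": "deny"},
    },
}

POLICIES = {"deny-weak-tls": DENY_WEAK_TLS, "allowed-vm-sizes": ALLOWED_VM_SIZES}

# Assumed alias -> property path mapping (Azure resolves aliases itself).
ALIAS_PATHS = {
    "Microsoft.Storage/storageAccounts/minimumTlsVersion": ("properties", "minimumTlsVersion"),
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}
MISSING = object()  # sentinel for "property not present on the resource"

def _field(resource, name):
    if name == "type":
        return resource.get("type", MISSING)
    node = resource
    for key in ALIAS_PATHS[name]:
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def _resolve(value, params):
    """Expand "[parameters('x')]"; anything else is a literal."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[13:-3]]
    return value

def _norm(value):
    return value.lower() if isinstance(value, str) else value

def matches(cond, resource, params):
    """Evaluate one condition; string comparisons are case-insensitive, as in Azure Policy."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not MISSING) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _norm(actual) == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return _norm(actual) != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return _norm(actual) in {_norm(v) for v in _resolve(cond["in"], params)}
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, params=None):
    """Return {policy_name: effect} for each policy whose 'if' block matches the resource."""
    params = params or {}
    return {name: p["policyRule"]["then"]["effect"]
            for name, p in POLICIES.items() if matches(p["policyRule"]["if"], resource, params)}

SAMPLE_RESOURCES = [  # constructed resources in ARM shape
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts", "properties": {"minimumTlsVersion": "TLS1_0"}},
    {"name": "stsecure", "type": "Microsoft.Storage/storageAccounts", "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"name": "vm-dev", "type": "Microsoft.Compute/virtualMachines", "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}},
    {"name": "vm-huge", "type": "Microsoft.Compute/virtualMachines", "properties": {"hardwareProfile": {"vmSize": "Standard_M128s"}}},
]
PARAMS = {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}

if __name__ == "__main__":
    for res in SAMPLE_RESOURCES:
        print(res["name"], evaluate(res, PARAMS) or "compliant")
    # The policyRule object is what `az policy definition create --rules` takes.
    print(json.dumps(DENY_WEAK_TLS["policyRule"], indent=2))
```

The `exists: false` branch is deliberate: a storage account created without the property is just as weak as one set to TLS1_0, and a policy that only checks `notEquals` would depend on how the engine treats a missing field. The `deny` effect stops the create or update call; for accounts that already exist you would pair the same condition with a `modify` effect and run a remediation task.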
Core Concept 3: Configuring Virtual Networking and Connectivity
Azure resources don't exist in isolation; they communicate through Azure Virtual Networks (VNets). Your job is to design and manage these software-defined networks. Key tasks include creating VNets and subnets, configuring private IP addresses (static or dynamic) and public IP addresses, and setting up DNS settings for name resolution.
Network security is paramount. You will configure Network Security Groups (NSGs) to filter traffic to and from resources with priority-ordered rules keyed on source and destination (IP ranges, service tags such as Internet or VirtualNetwork, or application security groups), port, and protocol. NSG rules are stateful: reply traffic for an allowed flow is permitted without a separate rule. For centralized filtering across VNets you deploy Azure Firewall, a managed, stateful service that adds FQDN-based application rules and threat-intelligence filtering on top of network rules; protecting HTTP/S applications at layer 7 is the job of a Web Application Firewall on Application Gateway or Front Door instead. Connectivity is another major pillar. You must know how to link your Azure VNet to other networks using VNet Peering (VNet-to-VNet, non-transitive by default, so a hub-and-spoke design needs a firewall or gateway in the hub to route between spokes) and VPN Gateway (site-to-site connections to on-premises or point-to-site connections for individual clients). Understanding the basics of Azure ExpressRoute for private, high-bandwidth connections is also essential.
Core Concept 4: Managing Storage Accounts and Data Services
Azure provides scalable, durable storage through storage accounts. You must know the account types (general-purpose v2 for most workloads, plus premium block blob, premium file share, and premium page blob accounts) and the two performance tiers behind them (Standard on HDD-backed media, Premium on SSD), as well as the core data services they support: Blob containers (unstructured data), File shares (SMB and NFS), Tables (NoSQL key-value storage), and Queues (messaging).
A critical administrative duty is selecting the right access tier for blob data (Hot, Cool, Cold, or Archive) to optimize cost against access frequency and retrieval latency; Archive blobs must be rehydrated before they can be read. Access is controlled by storage account keys, shared access signatures (SAS), and Microsoft Entra ID. Prefer identity: grant data-plane RBAC roles such as Storage Blob Data Reader to users and managed identities, and consider disabling shared-key authorization on the account so that a leaked key is useless. Where a SAS is unavoidable, issue it with the minimum permissions and a short expiry, and tie it to a stored access policy so it can be revoked; an account key in a script or a long-lived SAS in a URL is the most common way storage data leaks. Azure Files additionally supports identity-based SMB access through AD DS, Microsoft Entra Domain Services, or Microsoft Entra Kerberos. You also need to understand the redundancy options (locally redundant, zone-redundant, geo-redundant, and geo-zone-redundant storage) to meet business continuity requirements. Finally, you'll manage data movement using tools like AzCopy and Azure Storage Explorer.
Core Concept 5: Deploying and Managing Compute Resources
Compute is where your applications run. The AZ-104 focuses heavily on Azure Virtual Machines (VMs). You must be proficient in provisioning VMs from the portal, CLI, or templates, selecting an appropriate VM size (series and size within the series) for the workload, and attaching managed data disks. High availability strategies are crucial exam topics: Availability Zones spread VMs across physically separate datacenters within a region, while an Availability Set only spreads them across fault and update domains inside one datacenter.
Beyond VMs, you need to understand other compute services an admin manages. This includes Azure App Service for web applications, where you configure scaling plans and deployment slots. For containerized workloads, you'll work with Azure Kubernetes Service (AKS) clusters, though as an administrator, your focus is on provisioning and maintaining the cluster infrastructure, not writing application manifests. Managing these resources also involves implementing backup and recovery solutions using Azure Backup and understanding Azure Site Recovery for disaster recovery.
Monitoring with Azure Monitor and Insights
You cannot manage what you cannot measure. Azure Monitor is the comprehensive platform for collecting, analyzing, and acting on telemetry. You will configure diagnostic settings to stream logs and metrics from Azure resources (like VMs, storage accounts, or Key Vaults) to a Log Analytics workspace. Here, you can run powerful queries using the Kusto Query Language (KQL) to investigate issues.
For virtual machines, you deploy the Azure Monitor Agent, configured through data collection rules, to collect guest OS performance counters and logs; the legacy Log Analytics agent was retired in August 2024. To visualize this data, you create Azure Dashboards and Workbooks. A key component is setting up alerts based on metric thresholds or log query results, which then trigger Action Groups to send notifications via email, SMS, or webhooks, or to start automated responses through Azure Automation Runbooks or Logic Apps. Understanding the cost and data retention implications of your monitoring configuration is a practical, exam-relevant skill.
Common Pitfalls
- Misconfiguring Network Security Group (NSG) Rules: A frequent mistake is misunderstanding rule priority (the lowest number wins, and evaluation stops at the first match) or forgetting that inbound traffic must be allowed by both the subnet-level NSG and the NIC-level NSG, which are evaluated in that order (outbound is the reverse). Either error produces connectivity failures that look like application faults. Correction: put specific allow rules at low priority numbers, add an explicit broad deny after them only when you need to override a default rule such as AllowVnetInBound, and rely on the built-in DenyAllInBound (priority 65500) as the backstop; a broad deny placed ahead of the allows silently blocks them. After any change, inspect the effective security rules on the NIC and run Network Watcher's IP flow verify for the exact source, destination, port, and protocol before declaring the change done.
- Overlooking the Shared Responsibility Model: Candidates often assume Azure handles all aspects of security for a service like a VM. Correction: Remember that while Azure secures the infrastructure, you are responsible for guest OS security (patching, firewalls), application security, and data classification. This model directly impacts tasks like backup (your data) and compliance configurations.
- Confusing Azure RBAC Roles with Microsoft Entra Roles: Assigning the Global Administrator Entra role to someone who just needs to manage VMs is a severe over-permissioning error; a Global Administrator can elevate their access to User Access Administrator at the root scope and from there grant themselves any role on any subscription in the tenant. Correction: Use Entra roles (Global Administrator, User Administrator) only for managing identities and tenant features, and Azure RBAC roles (Contributor, Virtual Machine Contributor) for managing Azure resources. Keep these permission boundaries distinct, and protect the few Entra administrators you do need with phishing-resistant MFA and, where licensed, Privileged Identity Management for just-in-time activation.
- Ignoring Cost Management During Deployment: The exam tests your ability to choose cost-effective solutions. Deploying a premium SSD for a low-I/O dev/test VM or selecting a geographically redundant storage tier for transient data is wasteful. Correction: Align your resource SKUs and configurations with the actual performance and durability requirements of the workload. Use the Azure Pricing Calculator and regularly review Cost Management + Billing reports.
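The NSG evaluation rules described in Core Concept 3 and in the first pitfall above, as an added example that is not part of the original page and not Azure's packet-filtering code: a local Python model of inbound evaluation that reproduces the two mistakes, a broad deny numbered ahead of the allow it was meant to sit behind, and a NIC-level NSG that still carries only the default rules. The three default inbound rules are the documented ones; the VNet address space, the approximation of the VirtualNetwork and Internet service tags, and every custom rule and flow are constructed for the example. Against real resources, use Network Watcher's IP flow verify.

```python
"""Added example (not from the page): a local model of inbound NSG evaluation.
Lowest priority number wins and the first match stops evaluation; a subnet NSG
and a NIC NSG are evaluated in turn and both must allow. Stateful return-traffic
handling and outbound evaluation are not modelled."""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space
AZURE_LB = ipaddress.ip_address("168.63.129.16")  # Azure platform / health-probe address

# Default inbound rules present in every NSG (custom rules use priorities 100-4096).
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "destination": "VirtualNetwork", "destinationPort": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "source": "AzureLoadBalancer", "destination": "*", "destinationPort": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "destination": "*", "destinationPort": "*"},
]

def _addr_match(spec, ip):
    """Service tags are approximated: VirtualNetwork = the VNet space, Internet = everything else."""
    if spec == "*": return True
    if spec == "VirtualNetwork": return ip in VNET
    if spec == "Internet": return ip not in VNET
    if spec == "AzureLoadBalancer": return ip == AZURE_LB
    return ip in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "*": return True
    lo, _, hi = spec.partition("-")  # "443" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)

def evaluate_nsg(rules, src_ip, dst_ip, dst_port, protocol):
    """First match in ascending priority order decides; DenyAllInBound guarantees a match."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol): continue
        if not (_addr_match(rule["source"], src) and _addr_match(rule["destination"], dst)): continue
        if not _port_match(rule["destinationPort"], dst_port): continue
        return rule["access"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

def ip_flow_verify(subnet_nsg, nic_nsg, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Inbound traffic passes the subnet NSG first, then the NIC NSG; None means no NSG at that level."""
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None: continue
        access, name = evaluate_nsg(rules, src_ip, dst_ip, dst_port, protocol)
        if access == "Deny":
            return False, f"{level}:{name}"
    return True, "allowed"

# Pitfall: the broad deny has the lower number, so it wins before the allow is ever consulted.
WRONG_ORDER = [
    {"name": "Deny-Internet-Inbound", "priority": 100, "access": "Deny", "protocol": "*",
     "source": "Internet", "destination": "*", "destinationPort": "*"},
    {"name": "Allow-HTTPS-Inbound", "priority": 200, "access": "Allow", "protocol": "Tcp",
     "source": "Internet", "destination": "10.0.1.0/24", "destinationPort": "443"},
]
# Fix: specific allow first, then the explicit deny, then the implicit DenyAllInBound.
RIGHT_ORDER = [dict(WRONG_ORDER[1], priority=100), dict(WRONG_ORDER[0], priority=200)]
# NIC-level NSG that mirrors the allow; a NIC NSG with only default rules would still block the flow.
NIC_ALLOW_HTTPS = [{"name": "Allow-HTTPS", "priority": 100, "access": "Allow", "protocol": "Tcp",
                    "source": "Internet", "destination": "*", "destinationPort": "443"}]

if __name__ == "__main__":
    flow = ("203.0.113.10", "10.0.1.4", 443)  # constructed: Internet client -> web VM
    print("wrong order, no NIC NSG:", ip_flow_verify(WRONG_ORDER, None, *flow))
    print("right order, no NIC NSG:", ip_flow_verify(RIGHT_ORDER, None, *flow))
    print("right order, default-only NIC NSG:", ip_flow_verify(RIGHT_ORDER, [], *flow))
    print("right order, matching NIC NSG:", ip_flow_verify(RIGHT_ORDER, NIC_ALLOW_HTTPS, *flow))
    print("SSH from another subnet:", ip_flow_verify(RIGHT_ORDER, [], "10.0.2.5", "10.0.1.4", 22))
```

The last check is worth noticing from a security standpoint: with no rule mentioning SSH at all, port 22 from another subnet is allowed by the default AllowVnetInBound rule at both levels. Anything inside the VNet (including peered VNets and on-premises ranges reachable through a gateway, which the real VirtualNetwork tag also covers) can reach the VM unless you add an explicit deny at a custom priority.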
Summary
- The AZ-104 certifies your ability to manage the core pillars of an Azure tenant: Identity (Microsoft Entra ID, formerly Azure AD), Governance (RBAC & Policy), Networking (VNets & Security), Storage, Compute, and Monitoring (Azure Monitor).
- Security and cost optimization are not isolated topics; they are cross-cutting concerns you must integrate into every administrative decision, from enforcing MFA to selecting the appropriate VM size and storage tier.
- Master the tools for automation and repeatability, such as ARM and Bicep templates, Azure Policy, and template specs or deployment stacks (the successors to Blueprints), as manually configuring resources at scale is inefficient and error-prone.
- Success hinges on understanding how these services interconnect—for example, how a VM's network interface is governed by an NSG, its disk resides in a storage account, its performance is tracked by Azure Monitor, and access to manage it is controlled by RBAC.
- Approach each task with the shared responsibility model in mind, clearly distinguishing between Microsoft's duties for the cloud and your administrative duties in the cloud.