AZ-104 Skills Overview: Azure Administrator Exam Breakdown & Architecture Mapping

Pillar Page | AZ-104 Learning Cluster Entry Point

This is not an exam summary. It is a structural map that connects the official AZ‑104 skill areas to the real domains, services, and architecture patterns that operate production Azure environments. If you understand the mapping, you move from memorising exam objectives to thinking like an Azure architect.


1. Overview: What Is AZ-104 Really Testing?

Microsoft defines AZ-104 as the certification for the Azure Administrator role. In practice, the exam validates operational cloud engineering: the ability to implement, manage, and monitor identity, storage, compute, networking, and governance in a live Azure subscription.

AZ‑104 does not test design from a blank canvas. It tests whether you can:

  • Receive a set of requirements (often under constraints)
  • Choose the correct administrative action
  • Execute that action using the right tool (portal, CLI, PowerShell, ARM template)
  • Troubleshoot when things break

Because an administrator touches every layer of a cloud workload, AZ‑104 becomes the natural foundation of Azure operational architecture. Before anyone designs a complex solution (AZ‑305), they must know how the building blocks actually behave at the management-plane level. That is why this page treats skills not as isolated exam items, but as the execution surface of a larger architecture.


2. AZ‑104 Skills at a Glance (Official Structure)

Microsoft groups the exam content into five skill areas with approximate weightings. These weights reflect the real‑world time an administrator spends on each domain.

| # | Skill area | Weight |
|---|------------|--------|
| 1 | Manage Azure identities and governance | 20–25% |
| 2 | Implement and manage storage | 15–20% |
| 3 | Deploy and manage Azure compute resources | 20–25% |
| 4 | Implement and manage virtual networking | 15–20% |
| 5 | Monitor and maintain Azure resources | 10–15% |

Why this structure? Microsoft organises exams around operational accountability. An administrator’s primary job is to secure access (identity), then build the foundation (networking), deploy workloads (compute + storage), and keep everything healthy (monitoring). Governance weaves through all of it. The weight distribution mirrors a typical operations sprint: you spend the most time controlling who can do what, running VMs or containers, and connecting services, while monitoring is a continuous, lower-volume but critical activity.


3. Skill Breakdown Deep Dive (High‑Level Only)

This section explains what each skill area means in day‑to‑day Azure operations and the enterprise problems it solves. Detailed treatment follows in dedicated deep‑dive articles; here we set the context.

Skill 1: Manage Azure Identities and Governance

Real‑world meaning: Every secure Azure environment starts with identity. Administrators manage users, groups, service principals, and managed identities, then enforce rules with role‑based access control (RBAC) and Azure Policy. Governance includes subscription organisation, management groups, cost controls, and resource tagging.

Problems solved:

  • “Who accessed the production storage account last night?”
  • “How do we prevent a developer from deploying a $20k VM?”
  • “We must prove compliance with PCI‑DSS; how do we enforce encryption at creation?”

Skill 2: Implement and Manage Storage

Real‑world meaning: Azure workloads depend on the right storage service for the right data pattern—block blobs for logs, file shares for lift‑and‑shift, managed disks for VMs. Administrators configure replication, access tiers, lifecycle management, and shared access signatures to keep data available, secure, and cost‑optimised.

Problems solved:

  • “Our application needs globally redundant block storage with sub‑millisecond latency—how?”
  • “Backup retention must keep 30 daily, 12 monthly, and 7 yearly snapshots—how to configure?”
  • “We want to automatically move old blobs to archive tier after 90 days.”

Skill 3: Deploy and Manage Azure Compute Resources

Real‑world meaning: Whether it is virtual machines, scale sets, containers, or serverless functions, compute is what runs the business logic. Administrators deploy, configure, resize, and update compute resources, manage availability, and handle SSH/RDP access.

Problems solved:

  • “We need to patch 200 VMs without downtime.”
  • “Our containerised microservice must scale from 3 to 30 instances based on queue depth.”
  • “A legacy app requires a specific VM image; how do we create and manage custom images?”

Skill 4: Implement and Manage Virtual Networking

Real‑world meaning: Azure networking connects everything—VNets, subnets, IP addressing, DNS, network security groups, peering, VPN gateways, and load balancers. Administrators design address spaces, secure traffic flows, enable hybrid connectivity, and troubleshoot connectivity.

Problems solved:

  • “On‑premises servers must reach Azure VMs over a private, encrypted tunnel.”
  • “How do we restrict traffic between front‑end and database tiers to only the required ports?”
  • “Users in Europe and US need to hit the nearest application endpoint with SSL offload.”

Skill 5: Monitor and Maintain Azure Resources

Real‑world meaning: Operations require visibility. Administrators configure alerts, query logs, analyse performance metrics, set up backup and disaster recovery, and respond to incidents.

Problems solved:

  • “We need an email when CPU exceeds 85% for 10 minutes on any production VM.”
  • “How do we correlate failed sign‑ins with a service principal expiration?”
  • “After a storage account is deleted by mistake, can we restore it within 14 days?”



4. Skill → Azure Domains Mapping (Critical Section)

Azure Domains are the knowledge structure layer. They organise Azure services and concepts into logical, functional groups that mirror the platform’s own architecture. Skills are the exam evaluation layer—the tasks Microsoft considers measurable. Mapping them reveals what underlying knowledge each skill draws from.

Identity & Governance → Domains

  • identity-and-access (Entra ID tenants, users, groups, MFA, conditional access)
  • governance (management groups, subscriptions, resource groups, Azure Policy, blueprints)
  • cost-management (budgets, cost alerts, tagging for chargeback)

Storage → Domains

  • storage (storage accounts, Blob, Files, Queues, Tables, access tiers)
  • data-protection (encryption at rest, Azure Key Vault integration, shared access signatures)
  • backup-and-dr (Azure Backup, snapshots, soft delete, recovery services vaults)

Compute → Domains

  • compute (Virtual Machines, VM Scale Sets, availability sets/zones)
  • containers (Azure Container Instances, Azure Kubernetes Service, Azure Container Apps)
  • serverless (Azure Functions, Logic Apps)
  • vm-infrastructure (custom images, Azure Compute Gallery, disk management, Proximity Placement Groups)

Networking → Domains

  • networking (VNet, subnet, IP addressing, DNS, routing tables)
  • hybrid-connectivity (VPN Gateway, ExpressRoute, Virtual WAN)
  • load-balancing (Azure Load Balancer, Application Gateway, Traffic Manager, Front Door)
  • private-connectivity (Private Link, Private Endpoints, service endpoints)
  • network-security (Network Security Groups, Azure Firewall, Bastion, DDoS Protection)

Monitoring & Operations → Domains

  • observability (Azure Monitor, metrics, log analytics, workbooks)
  • monitoring (alert rules, action groups, service health)
  • logging (diagnostic settings, activity logs, resource logs)
  • backup-and-recovery-operations (Azure Backup, Azure Site Recovery, restore procedures)


Key insight: An exam question might ask you to “configure a private endpoint for a storage account”. The skill is “Implement and manage storage”; the domain you need to understand is private-connectivity (from networking) plus storage itself. This cross‑domain reality is why surface‑level exam preparation often fails.


5. Skill → Azure Architecture Mapping (Critical Section)

If domains are the knowledge structure, architecture is the decision‑making layer. Every administrative action either reinforces or violates an architectural principle (resilience, security, cost optimisation, operational excellence). This mapping shows how each skill translates into an architectural building block.

Identity & Governance Architecture

  • identity-governance-architecture – Entra ID tenant design, admin tiering, emergency access accounts
  • rbac-architecture – role assignment scoping, custom roles, privileged identity management (PIM)
  • policy-driven-governance-architecture – Azure Policy initiatives, deny/audit effects, remediation tasks
  • subscription-landing-zone-architecture – management group hierarchy, subscription democratisation, network topology alignment

AZ‑104 skill execution feeds these architectures: When you assign RBAC roles, you are implementing the RBAC architecture; when you apply a policy that enforces allowed VM SKUs, you are materialising governance architecture.

Storage Architecture

  • storage-architecture – storage account design patterns (single vs. multi‑region, RA‑GRS vs. LRS), performance tiers
  • backup-and-recovery-architecture – recovery point objectives (RPO) / recovery time objectives (RTO), cross‑region restore, immutable backups
  • data-lifecycle-architecture – tiering policies, data retention compliance, automated cleanup

Compute Architecture

  • compute-architecture – deciding between IaaS, CaaS, PaaS, serverless for a given workload
  • vm-based-architecture – availability sets vs. zones, fault/update domains, dedicated hosts
  • container-architecture – AKS cluster design, node pools, network plugin choice, service mesh integration
  • serverless-architecture – event‑driven patterns, durable functions, cold‑start mitigation
  • autoscaling-architecture – scale‑out rules, in‑guest vs. platform metrics, scale‑in protection

Networking Architecture

  • networking-architecture – hub‑spoke topology, VNet peering vs. Virtual WAN, IP address planning
  • hybrid-network-architecture – site‑to‑site VPN, ExpressRoute with VPN failover, SD‑WAN integration
  • secure-networking-architecture – zero‑trust network segmentation, NSG/ASG micro‑segmentation, Azure Firewall forced tunnelling
  • load-balancing-architecture – global vs. regional load balancing, SSL termination strategy, layer‑7 routing decisions

Observability Architecture

  • observability-architecture – unified monitoring data plane, agent‑based vs. agentless, multi‑source correlation
  • monitoring-architecture – signal hierarchy (metrics → logs → traces), alert suppression, dynamic thresholds
  • resilience-and-recovery-architecture – cross‑region replication, automated failover runbooks, backup retention policy design

Why this matters for AZ‑104 learners: You might answer a compute scenario question correctly by selecting “add a VM to an availability set”, but understanding the compute‑architecture behind it tells you why that choice preserved the SLA. That distinction separates an administrator from an architect.


6. Skill → Azure Services Mapping (Light Section)

This table connects each skill to the core services you will implement, configure, and troubleshoot in the exam.

| Skill area | Primary Azure services |
|------------|------------------------|
| Manage identities & governance | Microsoft Entra ID, RBAC, Azure Policy, Management Groups, Subscriptions, Resource Groups, Cost Management |
| Implement & manage storage | Azure Storage Account (Blob, Files, Queue, Table), Managed Disks, Azure NetApp Files, Azure Backup, Recovery Services Vault |
| Deploy & manage compute | Virtual Machines, VM Scale Sets, Azure App Service, Azure Kubernetes Service (AKS), Container Instances, Azure Functions |
| Implement & manage networking | Virtual Network, Network Security Groups, Azure Load Balancer, Application Gateway, VPN Gateway, ExpressRoute, Private Link, Azure Firewall |
| Monitor & maintain | Azure Monitor, Log Analytics, Azure Alerts, Application Insights, Azure Backup, Azure Site Recovery |

This is the implementation layer where architecture decisions become live configuration. An exam scenario will almost always require you to select the correct service from this list and describe how to configure it.


7. Why AZ‑104 Is a Foundation for Azure Architecture

Azure architecture (as validated by AZ‑305) is not a separate discipline—it is the strategic layer built on operational reality. AZ‑104 teaches you:

  • Operational constraints that architecture must respect (e.g., how many NSG rules you can have, how long a backup restore takes)
  • Real‑world failure modes (a misconfigured route table, a storage account key leak, a VM stuck in a failed provisioning state)
  • Execution‑level thinking that prevents architecture diagrams from becoming fantasy

Direct evolution from AZ‑104 to AZ‑305:

  • Identity administration (AZ‑104) → identity architecture for multi‑tenant, multi‑cloud identity (AZ‑305)
  • Deploying a VM Scale Set (AZ‑104) → designing a globally distributed, auto‑remediated compute fabric (AZ‑305)
  • Configuring VNet peering (AZ‑104) → hub‑spoke landing zone topology with segmentation and security (AZ‑305)
  • Setting alert rules (AZ‑104) → building an observability strategy with correlated signals, AIOps, and automated runbooks (AZ‑305)

Mindset shift: In AZ‑104 you ask “How do I configure this?”. By the time you move toward architecture, you ask “Given what I know about how this actually works, what should we build, and what trade‑offs are we making?”. This pillar page is the anchor for that transition.


8. Learning Path Preview (Bridge to Next Content)

This skills overview is the entry point. The deep‑dive articles that follow each unpack a skill area completely:

  1. Skill 1 Deep Dive – Azure Identity & Governance
    Entra ID architecture, RBAC design, policy‑as‑code, subscription management, cost governance.

  2. Skill 2 Deep Dive – Azure Storage
    Storage account design patterns, data protection strategies, backup and restore at scale, lifecycle automation.

  3. Skill 3 Deep Dive – Azure Compute
    VM‑based workloads vs. containers vs. serverless, availability design, scaling strategies, image management.

  4. Skill 4 Deep Dive – Azure Virtual Networking
    Network topology, hybrid connectivity, network security, load balancing across layers, private endpoint architecture.

  5. Skill 5 Deep Dive – Monitoring & Maintenance
    Observability platform design, log analytics workspace strategy, alerting framework, business continuity and disaster recovery.

Each deep dive will follow the same triple‑layer mapping: exam skill → Azure domain → architectural decision. By the end of the cluster, you will not just be exam‑ready—you will be able to see the platform as an architect does.


9. Optional: Exam Thinking Model (Light Intro)

Microsoft writes AZ‑104 questions from a scenario‑based, decision‑under‑constraint perspective. Understanding this model improves both study efficiency and exam performance.

Common patterns:

  • “You need to…” – A task with explicit business or technical constraints (cost, time, SLA, security).
  • “You discover that…” – A troubleshooting scenario where a symptom is given and you must identify the root cause.
  • “Which two actions should you perform?” – Multi‑step administration flow; order matters.
  • “You must meet the following requirements…” – Several, sometimes conflicting, goals; you must choose the option that satisfies all.

Architecture‑aligned thinking for the exam:

  1. Identify the domain the question belongs to (even if it crosses skill boundaries).
  2. Recall the operational constraints of the services involved.
  3. Eliminate answers that violate a fundamental architectural principle (e.g., a solution that exposes a storage account key unnecessarily, or bypasses RBAC).
  4. Choose the option that matches the least‑complex, most‑secure, cost‑effective administrative action that meets the explicit requirements.

No full‑length questions here; the deep‑dive articles will include scenario‑style reasoning exercises aligned with this model.


This page serves as the structural hub for the entire AZ‑104 learning cluster. Return to it whenever you need to re‑align exam skills with operational and architectural reality.