Microsoft Azure AZ-104 Administrator Study Guide 2026/2027 Complete Exam Preparation with Five Domain Coverage and Verified Practice Questions Grade A

This Microsoft Azure AZ-104 Administrator Study Guide 2026/2027 resource is designed for IT professionals, cloud administrators, system engineers, and DevOps specialists preparing for the Microsoft Certified: Azure Administrator Associate certification. This comprehensive study guide covers all five domains of the AZ-104 exam blueprint as updated April 17, 2026 , with detailed explanations, hands-on practice scenarios, and exam preparation strategies aligned with current Microsoft certification standards. Exam Overview and Critical Information: Candidates should have subject matter expertise in implementing, managing, and monitoring an organization's Microsoft Azure environment, including virtual networks, storage, compute, identity, security, and governance . The AZ-104 exam contains 40 to 60 questions with a duration of 120 minutes. A passing score of 700 out of 1000 points is required, approximately 70 percent . Microsoft associate, expert, and specialty certifications expire annually and can be renewed by passing a free online assessment on Microsoft Learn . Candidates should be familiar with operating systems, networking, servers, and virtualization, with hands-on experience in PowerShell, Azure CLI, the Azure portal, Azure Resource Manager templates or Bicep files, and Microsoft Entra ID . Domain 1: Manage Azure Identities and Governance (20–25%) This domain covers critical identity management concepts including Microsoft Entra ID (formerly Azure AD) as the centralized identity management service for Azure resources. Key topics include creating and managing users and groups, managing user and group properties, managing licenses in Microsoft Entra ID, managing external users, and configuring self-service password reset (SSPR) . Role-Based Access Control (RBAC) topics include managing built-in Azure roles (Owner, Contributor, Reader, User Access Administrator, Virtual Machine Contributor, Virtual Machine Operator), assigning roles at different scopes (management group, subscription, resource group, individual resource), and interpreting access assignments . Subscription and governance topics include implementing and managing Azure Policy with deny and audit effects, configuring resource locks (Delete locks prevent deletion but allow modifications; Read-Only locks prevent both deletion and modifications), applying and managing tags on resources, managing resource groups and subscriptions, managing costs using alerts, budgets, and Azure Advisor recommendations, and configuring management groups as hierarchical containers for policy enforcement across multiple subscriptions . Domain 2: Implement and Manage Storage (15–20%) Storage access configuration includes configuring Azure Storage firewalls and virtual networks, creating and using Shared Access Signature (SAS) tokens for time-limited delegated access without exposing account keys, configuring stored access policies, managing access keys, and configuring identity-based access for Azure Files . Storage account management includes creating and configuring storage accounts (General-purpose v2 accounts provide access to all storage types), configuring Azure Storage redundancy options including LRS (Locally Redundant Storage), GRS (Geo-Redundant Storage), ZRS (Zone-Redundant Storage), and GZRS, configuring object replication, configuring storage account encryption, and managing data using Azure Storage Explorer and AzCopy . Azure Files and Blob Storage configuration includes creating and configuring file shares in Azure Files, creating and configuring containers in Azure Blob Storage, configuring storage tiers (Hot tier for frequently accessed data, Cool tier for infrequently accessed data stored minimum 30 days, Cold tier minimum 90 days, Archive tier minimum 180 days), configuring soft delete for blobs and containers, configuring snapshots and soft delete for Azure Files, configuring blob lifecycle management policies for automated tier transitions, and configuring blob versioning . Domain 3: Deploy and Manage Azure Compute Resources (20–25%) ARM template and Bicep deployment includes interpreting existing templates, modifying existing Azure Resource Manager templates or Bicep files, deploying resources using templates, exporting deployments as ARM templates, and converting ARM templates to Bicep files. Azure CLI and Azure PowerShell support deployment of resources from templates . Virtual machine configuration includes creating virtual machines, configuring encryption at host, moving virtual machines to another resource group, subscription, or region, managing virtual machine sizes, managing virtual machine disks, deploying virtual machines to availability zones (protection against entire datacenter failures) and availability sets (distribution across fault domains and update domains), and deploying and configuring Azure Virtual Machine Scale Sets (VMSS) for automatic scaling based on demand metrics . Container management includes creating and managing Azure Container Registry (ACR) as a managed Docker container registry, provisioning containers using Azure Container Instances (ACI) for serverless container execution, provisioning containers using Azure Container Apps, and managing sizing and scaling for containers . Azure App Service configuration includes provisioning an App Service plan, configuring scaling for an App Service plan, creating an App Service, configuring certificates and Transport Layer Security (TLS), mapping existing custom DNS names to an App Service, configuring backup for an App Service, configuring networking settings, and configuring deployment slots for staging environments and zero-downtime deployments . Domain 4: Implement and Manage Virtual Networking (15–20%) Virtual network configuration includes creating and configuring virtual networks (VNets) and subnets for IP address space segmentation, creating and configuring virtual network peering for private high-speed connections between VNets, configuring public IP addresses, configuring user-defined routes (UDRs), and troubleshooting network connectivity . Secure access configuration includes creating and configuring Network Security Groups (NSGs) with inbound/outbound rules based on source/destination IP, port, and protocol, creating and configuring Application Security Groups (ASGs) for logical VM grouping to simplify NSG rule configuration, evaluating effective security rules in NSGs, implementing Azure Bastion for secure RDP/SSH access without public IP addresses, configuring service endpoints for Azure PaaS, and configuring private endpoints for Azure PaaS . Name resolution and load balancing includes configuring Azure DNS for domain name resolution and hosted zones, configuring internal or public load balancers for Layer 4 traffic distribution, configuring session persistence (Client IP and Protocol), and troubleshooting load balancing issues . Domain 5: Monitor and Maintain Azure Resources (10–15%)