AZ-104 Azure Administrator study guide: practice like an operator

The fastest way to make AZ-104 frustrating is to study it as a list of Azure service names. Azure Administrator questions usually ask what an operator should do next: assign access at the right scope, restrict a storage account, deploy compute repeatably, fix name resolution, configure monitoring, or prove that backup can restore data.

That means your study sessions should feel like small operations reviews. Read the scenario, identify the resource boundary, decide what is being protected or changed, and choose the least-disruptive action that satisfies the requirement. The answer is rarely the biggest permission, broadest network rule, or most dramatic rebuild.

A useful mental model is this: every AZ-104 question has a scope. The scope might be a user, group, subscription, resource group, storage account, subnet, VM, app service, backup vault, or alert rule. If you identify the scope correctly, several wrong answers become easier to eliminate.

Microsoft Entra ID, Azure RBAC, management groups, subscriptions, resource groups, Azure Policy, tags, locks, budgets, and Advisor recommendations are not side topics. They define who can act, where they can act, how resources are organized, and which standards are enforced.

For example, an auditor who only needs to view one production resource group should not receive Owner at the subscription or tenant root. The right habit is to choose a role that matches the task and assign it at the narrowest useful scope. That same habit appears again in storage, networking, and compute scenarios.

When practicing governance questions, ask four questions: who needs access, what action do they need, which scope contains the resources, and how will the organization detect or prevent drift later? That turns RBAC, Policy, locks, tags, and budgets into a coherent workflow instead of unrelated features.

Azure Storage can look simple from the portal, but AZ-104 expects you to reason through access controls, redundancy, encryption, data protection, and operational maintenance. A storage account might be technically reachable but still inaccessible because of network rules, identity permissions, SAS scope, or key handling.

Practice separating access layers. Storage firewalls and virtual network rules decide which network paths can reach the account. Identity and RBAC decide who can perform management or data actions. SAS tokens delegate specific access for a limited time. Access keys are powerful and should not be the default answer when narrower delegation fits.

For data protection, pay attention to wording. Soft delete helps recover deleted data. Snapshots can preserve file share state. Versioning helps with blob changes. Lifecycle rules move or delete blobs based on conditions. Redundancy choices affect durability and availability. Each feature solves a different operational problem.

AZ-104 compute is broader than virtual machines. You should be comfortable with ARM templates, Bicep, VM sizing, disks, availability sets, availability zones, VM Scale Sets, Azure Container Registry, Azure Container Instances, Azure Container Apps, and App Service.

The exam often rewards matching the hosting model to the operational requirement. If the team needs operating system control, a virtual machine may fit. If the team needs a staged web release, App Service deployment slots are likely relevant. If the team wants a private container image store, Azure Container Registry matters. If the question mentions repeatability and review, ARM or Bicep should be in your mind.

When reviewing missed compute questions, write the workload requirement in one sentence. For example: 'The app needs a blue-green style validation before production traffic.' That sentence points toward deployment slots more clearly than rereading every App Service feature.

Virtual networking questions are easier when you imagine the packet path. Where is the source? Which subnet is it in? Which route applies? Which NSG rule is evaluated? Does name resolution return a private or public address? Is traffic being load balanced to healthy backend instances?

A private endpoint question is not the same as a service endpoint question. An NSG question is not the same as a route table question. Azure DNS is not the same as a load balancer. These features often appear together, but they solve different parts of the connectivity problem.

Use practice questions to build a troubleshooting routine. Start with the symptom, identify whether the failure is routing, filtering, DNS, endpoint access, or backend health, then choose the action that confirms or fixes that layer. That mirrors real Azure support work and prevents random configuration changes.

Azure Monitor, Log Analytics, alert rules, action groups, Network Watcher, Connection monitor, Backup vaults, Recovery Services vaults, Azure Backup, and Azure Site Recovery all test whether you can maintain running environments. The exam is not only asking if you know a tool name; it is asking whether you can prove the environment is observable and recoverable.

A backup policy is not enough by itself. You should know whether the right resources are protected, how long restore points are retained, whether restore works, and who receives failure alerts. A disaster recovery plan is not complete until failover behavior is understood and tested.

For monitoring, read the signal. Metrics, logs, activity, connection tests, and service health all answer different questions. If the scenario needs notification when CPU crosses a threshold, alert rules and action groups matter. If it needs investigation across collected events, Log Analytics may be the better fit.

A strong six-week AZ-104 plan can be simple: identity and governance first, storage second, compute third, networking fourth, monitoring and recovery fifth, then mixed timed review in the final week. The order works because later topics depend on understanding scope and access.

During each week, use three session types. First, do a focused concept review for one domain. Second, answer scenario questions and read every explanation. Third, revisit missed questions and write why the correct answer was better than the most tempting distractor. That last step is where real readiness improves.

Do not wait until the final week to practice. AZ-104 is easier when you repeatedly make small operational decisions. The goal is not to memorize every portal blade; it is to become consistent at reading requirements, choosing scope, and avoiding broad changes that do not match the evidence.