RoleMath Study Track for Microsoft Azure Administrator Associate (AZ-104)
A free study companion keyed to the officially published exam domains of Microsoft Azure Administrator Associate (AZ-104): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. Microsoft AZ-104 (Azure Administrator) study guide
A free, source-cited study companion built on Microsoft's published AZ-104 study guide — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
A complete free AZ-104 program pinned to the currently reviewed Microsoft study guide, sequencing identity and governance, storage, networking, compute, and monitoring into hands-on own-subscription labs and reviewable Azure administration evidence, with an explicit recheck of the official skills-measured date before any exam scheduling.
This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.
Modules
5
Labs
5
Concept checks
15
Resource mix
3 official / 0 community
Choose an outcome
Three routes through the same evidence
Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.
Certification-focused
Learners who have selected AZ-104 and want one current, dependency-ordered sequence across all five domains with the labs done in their own free Azure subscription and a recheck of the official skills-measured date before scheduling.
Completion emphasis: Complete every module, run each own-subscription lab (or its portal/accessibility route) with teardown, correct every missed check, finish the integrated governed-environment capstone, and diff the current study guide before booking the exam.
Required phases: Guide currency, own-subscription setup, cost safety, and baseline, Identity, RBAC, and governance control plane, Storage and virtual networking foundation, Compute: infrastructure as code, VMs, containers, and App Service, Monitoring, backup, recovery, and integrated capstone
Admin skills first
Career changers with some prior IT or cloud exposure who want reviewable evidence that they can administer Azure identity, RBAC, storage, networking, compute, and monitoring in a real subscription, whether or not they sit the exam soon.
Completion emphasis: Retain a labeled artifact per domain — a least-privilege role and policy, a scoped SAS and lifecycle rule, peered VNets with an NSG and route, a zone-placed VM deployed from Bicep, and an alert plus vault — plus the capstone environment and a teardown record.
Required phases: Guide currency, own-subscription setup, cost safety, and baseline, Identity, RBAC, and governance control plane, Storage and virtual networking foundation, Compute: infrastructure as code, VMs, containers, and App Service, Monitoring, backup, recovery, and integrated capstone
Career-fit sprint
Learners deciding whether Azure administration — identity, governance, storage, networking, and cost control — is a direction worth deeper investment before committing to the full exam grind.
Completion emphasis: Complete the diagnostic, the identity-and-governance foundation, and the storage-and-networking phase with their labs, then choose a next Azure role experiment or a full exam commitment rather than inferring job readiness from partial coverage.
Required phases: Guide currency, own-subscription setup, cost safety, and baseline, Identity, RBAC, and governance control plane, Storage and virtual networking foundation
Start safely
Prerequisite diagnostic
Choose a current-guide route and confirm your own Azure subscription and administration readiness before the AZ-104 labs; this diagnostic is not a Microsoft prerequisite, cost promise, or exam prediction, and AZ-104 is an Associate exam that assumes prior hands-on Azure administration experience.
Have you opened the official AZ-104 study guide and credential page and recorded the current skills-measured date (the reviewed guide is measured as of 2026-04-17) and any newer objective changes?
Ready when: Yes, with the current guide date recorded and any drift diffed before exam scheduling or promotion.
If not yet: Keep studying the reviewed sequence but block exam logistics until you have checked the live study guide for a newer skills-measured date.
Do you control your own free Azure account, Azure for Students subscription, or personal pay-as-you-go subscription whose resources you may freely create and delete for practice?
Ready when: Yes, in a personal subscription you own — never an employer, client, or shared tenant — with the labs run there and torn down afterward.
If not yet: Create a free Azure account (which may require a payment method for identity verification) or an Azure for Students subscription (no card), or use the portal-only accessibility routes and expected-state walkthroughs until you have your own subscription.
Are you comfortable running commands in the Azure CLI or Cloud Shell — signing in, creating a resource group, and reading command output — or willing to use the portal equivalents the labs document?
Ready when: Yes, or you will use each lab's portal/keyboard/screen-reader route which reaches the same outcome and evidence.
If not yet: Start in Cloud Shell (browser-based, no local install) with the login-and-resource-group step before attempting the identity or compute labs.
Can you already reason about core cloud concepts — regions and zones, shared responsibility, subscriptions and resource groups, and consumption pricing — at roughly an AZ-900 level, since AZ-104 assumes this and does not re-teach it?
Ready when: Yes, or you will review AZ-900-level fundamentals before the identity-and-governance module rather than learning both layers at once.
If not yet: Spend a session on cloud fundamentals (or the AZ-900 track) before starting, because AZ-104 is an Associate exam that builds on that baseline.
Do you have billing visibility, a low budget alert, and a habit of deleting the throwaway resource group after each lab — knowing the compute lab deploys a billable VM that must be torn down promptly?
Ready when: Yes, with a budget alert in place and a plan to delete every lab resource group, understanding a budget is an alert and not a hard spending cap.
If not yet: Set a low budget alert and rehearse the teardown command before the compute lab, and keep the identity, networking, and monitoring labs (which are free) until cost habits are in place.
Have you chosen a pace whose weekly hours you can realistically protect across roughly 60 to 145 total hours depending on your prior Azure experience?
Ready when: Yes, with a pace selected and the objective recheck and capstone left uncompressed.
If not yet: Pick the steady pace if Azure is new to you and reserve the intensive pace for learners with prior Azure, IT, or infrastructure administration experience.
Plan, then adapt
Pace options
Steady
12 weeks 8-12 hours/week
A planning estimate of roughly 110-144 hours for learners newer to Azure administration: one domain block at a time, every lab run in your own subscription with teardown, plus the capstone and a study-guide recheck.
Standard
8 weeks 10-14 hours/week
A planning estimate that pairs the Microsoft Learn paths with one retained artifact per domain and preserves the integrated capstone, missed-check corrections, and a guide-diff block before scheduling.
Intensive
6 weeks 16-20 hours/week
Roughly 59-75 hours for IT or cloud professionals with prior Azure administration exposure; do not compress the objective recheck, the compute lab's teardown discipline, or unfamiliar identity, networking, or governance concepts.
Evidence-gated sequence
Program roadmap
1
Guide currency, own-subscription setup, cost safety, and baseline
Pin the currently reviewed AZ-104 study guide and its skills-measured date, confirm you own the Azure subscription you will practice in, establish billing visibility and a budget alert, and rehearse the teardown discipline every lab depends on.
Exit evidence
Record the official study-guide skills-measured date (reviewed as of 2026-04-17) and recheck the live guide for any newer objective set before exam scheduling or promotion.
Confirm access to your own free, Students, or personal Azure subscription; set billing visibility and a low budget alert; and rehearse the resource-group teardown command before any billable lab.
Complete the objective-currency, own-subscription, command-line, cloud-foundation, cost-safety, and study-time diagnostics and choose a pace you can protect.
2
Identity, RBAC, and governance control plane
Build the control plane every other resource is created inside: Microsoft Entra identity, role-based access control scope and least privilege, subscriptions and management groups, Azure Policy, tags, locks, and cost governance, ending with a hands-on least-privilege role and enforced policy.
Explain the RBAC role/scope/principal model and least privilege, and complete the lab that creates a custom read-only storage role assigned at resource-group scope with an enforced tagging policy, then tears it down.
Retain a governance artifact covering management groups/subscriptions/resource groups, Azure Policy, tags, locks, a budget alert, and Advisor, with owner and evidence recorded.
Attempt every authored identity-and-governance check and correct each miss against its cited source, applying it to a fresh access-scope scenario.
3
Storage and virtual networking foundation
Layer the data and connectivity foundation compute depends on: storage-account redundancy, tiers, scoped SAS access, and lifecycle rules, then virtual networks, subnets, peering, network security groups and effective rules, and user-defined routes — networking studied before compute so VM placement makes sense.
Complete the storage lab (redundancy choice, container and blob, a read-only expiring SAS, and a lifecycle rule) and the networking lab (two peered VNets, an NSG allow rule on a subnet, and a user-defined route), tearing each down.
Retain a storage-access artifact (redundancy, SAS scope/expiry, tier/lifecycle) and a network artifact (peering state, effective NSG rules, route table) that reuse the least-privilege thinking from the identity phase.
Attempt every authored storage and networking check and correct each miss, tracing how a packet or a data-access request would actually be permitted or blocked.
4
Compute: infrastructure as code, VMs, containers, and App Service
Run workloads on the identity, storage, and network foundations already in place: ARM/Bicep deployment, virtual-machine sizing and availability-zone placement, scale sets, container services, and App Service plans and deployment slots, deploying a real VM from a template and tearing it down promptly.
Complete the compute lab: deploy a Standard_B1s VM into an availability zone from a Bicep file, verify the zone, resize it, export the ARM template, and delete the resource group immediately because the VM is billable.
Explain declarative deployment (Bicep compiling to ARM) and match resilience and scaling needs to availability zones, availability sets, scale sets, or App Service, with a labeled artifact retained.
Attempt every authored compute check and correct each miss, and confirm the compute lab's VM was deleted so it cannot keep billing.
5
Monitoring, backup, recovery, and integrated capstone
Watch and protect everything you built — Azure Monitor metrics, logs, alerts and action groups, Network Watcher, Azure Backup with Recovery Services vaults, and Site Recovery — then integrate all five domains in the governed-environment capstone and a study-guide diff.
Complete the monitoring lab (a Recovery Services vault with an LRS daily/30-day policy that protects nothing yet, plus an action group and a CPU>80% metric alert) and distinguish Backup from Site Recovery.
Complete the integrated capstone spanning identity/governance, storage, networking, compute, and monitoring in one governed environment, then tear the environment down and verify no resources remain.
Diff the current Microsoft study guide, record remaining gaps, and choose a continue, practice, defer, role-experiment, or exam-scheduling next decision.
Before a lab
Environment, access, and safety
Required and optional setup
Required
A browser plus text, spreadsheet, and diagram tools for the Microsoft Learn paths, official documentation, and for recording each lab's artifacts, evidence, and teardown confirmation
Your own Azure subscription to run the labs in — a free Azure account, an Azure for Students subscription, or a personal pay-as-you-go subscription whose resources you may freely create and delete
The Azure CLI or Cloud Shell (browser-based, no local install) and the Azure portal for the equivalent accessibility routes
A guide-version, subscription, cost, resource-group, and teardown ledger recording every lab resource created and confirmed deleted
Optional
A free Microsoft Learn profile for progress tracking across the five official AZ-104 learning paths
John Savill's vetted community AZ-104 study material as an alternate explanation after the live Microsoft guide and Learn paths
A local Azure CLI and Bicep install for learners who prefer a desktop terminal over Cloud Shell
Accounts and accessibility routes
Accounts
AZ-104 labs run in the learner's own Azure subscription; a free Azure account may require a payment method on file for identity verification even though the free/near-free labs spend little or nothing.
Azure for Students provides a subscription with no credit card required and is the recommended no-card route for eligible learners.
A live subscription can incur charges: the identity, networking, and monitoring-setup labs stay free, the storage lab costs pennies, and the compute lab deploys a billable VM that must be deleted promptly, so keep billing visibility and a budget alert on at all times.
Equivalent routes
Every lab has an Azure portal route (IAM, Policy, Storage, Networking, Virtual machines, Monitor, and Recovery Services blades) reaching the same role, scope, storage, network, VM, alert, and vault outcomes as the CLI, all keyboard-navigable with labeled form fields for screen readers.
When account, payment, region, device, motor, or visual constraints block portal or CLI work, use official documentation, hierarchy/architecture/network diagrams, exported command output, and written expected-state walkthroughs labeled simulated, and split learning, building, and teardown across sessions.
Prefer the Azure CLI over Cloud Shell in low-bandwidth conditions since all commands and output are plain text, and record every capstone artifact in a local document rather than a hosted portal session.
Safety baseline
Run every lab only in a personally controlled Azure subscription with MFA, least privilege, billing visibility, and a low budget alert — never against an employer, client, or shared tenant.
Scope all roles, policies, and networking constructs to a throwaway resource group so the blast radius is limited, and never assign roles or policies at subscription or management-group scope where they could touch resources you did not create.
Delete the throwaway resource group after each lab and verify no resources remain; the compute VM is the one billable resource on the track and must be torn down immediately, since a budget is an alert and not a hard spending cap.
Do not upload real or sensitive data, share account access keys, or publish credentials, tenant/subscription/object IDs, billing data, portal sessions, or resource details; hand out only scoped, expiring SAS tokens where access is needed.
Show your work
Module evidence and missed-check protocol
Module exit evidence
A labeled artifact per domain tied to its module: a least-privilege role and tagging policy; a redundancy choice, scoped SAS, and lifecycle rule; peered VNets with an NSG rule and route; a zone-placed VM and exported ARM template; or a vault policy and metric alert with an action group.
A plain-language explanation of the requirement, scope, service or control chosen, owner, cost driver, alternative, limitation, verification route, and the condition that would change the decision.
All authored checks for the domain attempted, with each miss corrected against its cited source and re-applied to a fresh Azure administration scenario, plus a recorded teardown confirmation for any lab that created resources.
After a missed check
Identify whether the question tests identity/governance, storage, networking, compute, or monitoring/maintenance before reviewing the answer.
Write why the distractor was plausible and which RBAC scope, redundancy option, NSG/effective rule, deployment or resilience construct, backup-versus-recovery distinction, or governance control distinguishes the correct answer.
Change one fictional requirement — scope, region, redundancy, availability, retention, or cost target — and explain whether the correct answer changes.
Completing this policy demonstrates current-guide AZ-104 coverage and hands-on Azure administration practice inside RoleMath; it does not predict a score, confer tenant authority, guarantee savings or availability, or establish professional Azure experience.
Stand up a small governed Azure environment for a fictional department in your own subscription — identity and RBAC, storage, a virtual machine on a secured network, and monitoring and backup — then tear it down, integrating all five AZ-104 domains into one reviewable evidence packet.
Workflow
Write a fictional brief for a small internal department that needs governed access, a data store, a virtual machine reachable only through secure access, backup, and monitoring, using no real personal or regulated data, and record functional, security, availability, retention, budget, and non-goal requirements plus assumptions.
In your own subscription, create a throwaway resource group and set the identity-and-governance layer: create a group, assign a least-privilege built-in or custom role at resource-group scope, and assign an Azure Policy that enforces a required tag such as costCenter. Record the scope, role, and policy rationale.
Create a storage account with a deliberate redundancy choice, a container and a small blob, a read-only SAS with an expiry, and a lifecycle rule. Record why the redundancy option and the scoped SAS (rather than an account key) meet the brief.
Build the network layer: a virtual network and subnet, a network security group with a least-privilege allow rule attached to the subnet, and — if the brief needs it — a user-defined route. Record the effective rules and how traffic to the VM will be permitted or blocked.
Deploy one small Standard_B1s VM (from a Bicep template if you can, otherwise the portal) into the subnet and an availability zone, verify the zone, and confirm it is reachable only through the secured path you designed, not a public RDP/SSH exposure.
Add the monitoring and continuity layer: create an action group and a metric alert rule (for example CPU above a threshold) wired to it, and create a Recovery Services vault with an LRS daily/30-day backup policy — associating the VM to a backup only if you accept the small cost, otherwise leaving the policy defined but unassociated.
Write a one-page decision memo and an operator handoff that agree on the identity/RBAC choices, storage, network, VM placement, monitoring and backup, remaining assumptions, the estimated cost, and the teardown plan.
Tear the environment down: delete the VM and resource group, remove any subscription-scope artifacts you created, and verify across the subscription that no lab resources remain. Record the teardown confirmation and a final cost check.
Crosswalk every identity, storage, network, compute, and monitoring artifact to the five AZ-104 domain IDs; diff the current Microsoft study guide, flag any uncovered topics as explicit gaps, and record the next role-experiment or exam-scheduling decision.
Retained artifacts
Fictional department brief with requirements, assumptions, and non-goals
Identity-and-governance record: group, least-privilege role assignment at scope, and enforced tagging policy
Storage-and-network record: redundancy choice, scoped SAS and lifecycle rule, and a VNet/subnet/NSG/effective-rule diagram
Compute record: the zone-placed VM, its Bicep or portal deployment, and its secured access path
Monitoring-and-continuity record: action group and metric alert plus a Recovery Services vault and backup policy
Decision memo, operator handoff, teardown confirmation with a final cost check, and a five-domain crosswalk with a guide diff
Review checklist
Requirements, identity, storage, network, compute, monitoring, backup, cost, and teardown describe one consistent fictional department built in the learner's own subscription.
Every role, policy, redundancy option, NSG rule, VM placement, alert, and backup policy has a requirement, scope, owner, alternative, cost implication, limitation, and verification route recorded.
The VM is reachable only through the secured path designed, roles and policies are scoped to the throwaway resource group, and nothing was assigned at subscription or management-group scope where it could affect other resources.
The throwaway resource group and VM were deleted, no lab resources remain anywhere in the subscription, a final cost check was recorded, and any backup that was started was cleaned up so the vault could be removed.
No account access key, credential, tenant/subscription/object ID, billing screenshot, or unredacted portal session was shared, and only scoped expiring SAS access was handed out.
The official study guide was rechecked for a newer skills-measured date and any changed objective invalidates the affected mapping or review.
All five current AZ-104 domains map to at least one artifact; uncovered topics remain explicit gaps rather than implied completion.
The packet does not claim exam success, official Microsoft approval or training beyond linked sources, tenant administration authority, guaranteed savings or availability, professional Azure experience, or a RoleMath credential.
Safety boundary: Build the entire capstone only in your own Azure subscription — never an employer, client, or shared tenant. Scope every role, policy, and network construct to a throwaway resource group, keep the VM behind secure access with no public RDP/SSH, hold billing visibility and a budget alert throughout, and delete every resource and verify none remain when finished, since a budget is an alert and not a hard cap.
Finish honestly
Completion, portfolio, and maintenance
Completion evidence
All five current AZ-104 domain modules have been covered and checked against the official Microsoft study guide, including a recheck of the current skills-measured date.
Every domain lab has been run in the learner's own subscription (or via its documented portal/accessibility route) with its artifact retained and a teardown confirmation recorded.
Every authored knowledge check has been attempted and each miss has a cited correction plus a fresh Azure administration scenario.
The official Microsoft Learn paths have been used within current free-access terms, with any community instruction reconciled to the live study guide.
The governed-environment capstone passes its identity, storage, network, compute, monitoring, cost-safety, teardown, privacy, consistency, and five-domain coverage review.
The learner has recorded remaining guide or objective gaps and a next role or exam-scheduling decision; completion is not represented as an exam result, credential, tenant authority, job readiness, savings or availability guarantee, or professional experience.
Portfolio candidates
A sanitized identity-and-governance packet: a least-privilege role assignment at scope and an enforced tagging policy
A storage-access and lifecycle record: a redundancy choice, a scoped expiring SAS, and a tiering/lifecycle rule
A virtual-network diagram with peering or subnet segmentation, NSG effective rules, and a route
A compute record: a zone-placed VM, its Bicep/ARM template, and its secured access path
A monitoring-and-continuity record: a metric alert with an action group and a Recovery Services vault policy
The governed-environment capstone decision memo, teardown confirmation, and a guide-diff reflection
Present the packet as self-directed AZ-104 Azure administration lab work done in your own subscription. Do not call it production tenant administration, Microsoft approval, guaranteed cost or availability, professional Azure experience, or a RoleMath credential.
Freshness controls
Objective source checked 2026-07-10. Recheck objectives every 30 days and resources every 90 days.
Stop and re-verify when
Microsoft changes the AZ-104 skills measured, study-guide skills-measured date, exam code, domain set, weight ranges, lifecycle, prerequisites, or credential terms.
A Microsoft Learn path, official service or documentation page, the Azure CLI command surface, Azure Pricing, free-account or Students terms, or the community study material changes URL, access, version, reuse, behavior, or authority.
A lab can no longer be run own-subscription within the free tier or near-free cost, or its teardown, budget-alert, or least-privilege guarantees no longer hold.
An Azure identity/RBAC, Policy/tag/lock, storage redundancy/SAS/lifecycle, virtual-networking/NSG/route, compute/IaC/VM, or monitoring/backup/recovery concept materially changes.
Any module, lab, check, phase, capstone step, account instruction, cost-safety guardrail, or guide-diff fails technical, source, Azure-domain, associate-level, cost-safety, security, privacy, accessibility, currency, or claims review.
AZ-104 is an administration exam, so our sequencing follows the dependencies of the job rather than the raw weights alone. Microsoft weights 'Manage Azure identities and governance' and 'Deploy and manage Azure compute resources' as the joint-heaviest domains at 20-25% each, with 'Implement and manage storage' and 'Implement and manage virtual networking' at 15-20% and 'Monitor and maintain Azure resources' the lightest at 10-15%. We still open with identity and governance (Domain 1), because Microsoft Entra ID, Azure role-based access control, subscriptions, and policy are the control plane every other resource is created inside — you cannot reason clearly about who may touch a storage account or a VM until you understand RBAC scope and least privilege, so this domain earns first place on both weight and dependency. Storage (Domain 2) comes next as a self-contained, high-clickability domain that reinforces the access model you just learned (SAS tokens, keys, firewalls) without needing compute. We then deliberately study virtual networking (Domain 4) BEFORE compute (Domain 3), inverting the exam's numbering: virtual machines land inside subnets, behind NSGs, and reachable through Bastion or a load balancer, so understanding VNets, peering, and network security groups first makes VM placement and connectivity make sense instead of feeling arbitrary. Compute (Domain 3) then sits on the identity, storage, and networking foundations already in place — ARM/Bicep deployments, VM sizing and availability zones, containers, and App Service. Monitoring and maintenance (Domain 5) goes last, both because it is the lightest domain at 10-15% and because Azure Monitor, Backup, and Site Recovery are most meaningful once you have resources worth watching, backing up, and recovering. This is sequencing advice based on the published weight ranges and how the topics depend on each other, not a claim about the science of learning — if a different order fits how you think, use it.
Study this first. Microsoft weights it at 20-25% — tied for the heaviest domain — and it is also the control plane every other resource is created inside: identity, role-based access control, subscriptions, and policy govern who may do what to the storage, networking, and compute you build later.
This is the 'who can do what, and how do you keep an environment governed' domain, and Microsoft weights it at 20-25% — tied with compute as the heaviest slice of the exam. It splits into two halves that reinforce each other: identity (managing the people and workloads that sign in) and governance (the guardrails, cost controls, and organizing structure that keep a subscription in line). For a career changer, this is often the friendliest domain to start with, because much of it is about administering users, assigning permissions, and reading a bill rather than configuring deep technology by hand. The skills here were measured as of 2026-04-17 in Microsoft's published study guide, so confirm the current objectives before you sit the exam.
The identity half centers on Microsoft Entra ID, Azure's cloud identity service. You are expected to create and manage users and groups, assign licenses, and handle external or guest users who need access from outside your organization — a common real-world pattern when contractors or partners collaborate. Self-service password reset (SSPR) shows up as a way to let users recover their own accounts without a help-desk ticket, which reduces administrative load. The mental model to carry is that identity is the front door: before any resource can be secured, you need a trustworthy answer to 'who is this, and are they who they claim to be.' The exam tests whether you can pick the right identity action for a described need, not whether you can recite directory internals.
Azure role-based access control (RBAC) is the connective tissue between identity and everything else, and it deserves the most careful study in this domain because its logic repeats across every other domain. RBAC grants permissions by assigning a role (a bundle of allowed actions, such as Reader, Contributor, or Owner) to a security principal (a user, group, or managed identity) at a scope (a management group, subscription, resource group, or single resource). Assignments inherit downward, so a role granted at the subscription level flows to every resource group and resource beneath it. The principle to internalize is least privilege: give each identity only the access it genuinely needs and no more. When a scenario asks how to let a team read a storage account without letting them delete it, the answer is almost always a specific built-in role assigned at the narrowest scope that works.
The governance half is about controlling and organizing subscriptions at scale. Management groups sit above subscriptions and let you apply governance to many subscriptions at once; subscriptions themselves are the billing and boundary unit; resource groups organize related resources inside a subscription. Azure Policy lets you define and enforce rules — for example requiring every resource to carry certain tags, or blocking deployments to unapproved regions — so the platform enforces standards instead of relying on every administrator to remember them. Resource locks protect critical resources from accidental deletion or change, and tags attach metadata (like a cost center or environment name) that makes resources searchable and billable by group. The recurring exam skill is recognizing that governance is how you scale control: you encode a rule once and the platform applies it everywhere.
Cost governance closes the domain and is worth practicing with your own hands, because it is both examinable and genuinely useful. Microsoft Cost Management lets you analyze and forecast spending and slice it by service, region, or tag; budgets let you set a threshold and get alerted before spending crosses a line you chose; and Azure Advisor surfaces recommendations, including places you could cut cost. The habit the exam quietly rewards — and that the lab below builds — is being warned before an overrun rather than after. For an administrator, a standing budget alert is the single cheapest insurance policy on a subscription.
Study this domain by doing the administration it describes: in a free subscription you can create a group, assign a built-in role at resource-group scope, and read how Azure Policy would enforce a tagging rule in minutes. The lab below has you build a least-privilege custom role and attach a policy so the abstract RBAC and governance vocabulary becomes muscle memory. As with every domain on this track, read the official AZ-104 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.
Learn it free
Official · Official exam objectives
Microsoft AZ-104 (Azure Administrator) study guideThe exam's own topic list for this domain — read its identity-and-governance section directly rather than relying on any summary, including ours. (captured 2026-07-10)
Azure Policy overview (Azure documentation)A cited definition of the governance-at-scale enforcement (rules like required tags and approved regions) this domain paraphrases. (captured 2026-07-10)
Az104 Identity Governance Lab
Create and assign a least-privilege custom RBAC role at resource-group scope Assign an Azure Policy that enforces a required tag on resources
Free tools
Azure portal
Azure CLI / Cloud Shell
Steps
Sign in with the Azure CLI and create a throwaway resource group to scope the lab.
Edit custom-role.json to insert your subscription id in AssignableScopes, then create the least-privilege custom role.
Assign the custom role to your own identity at resource-group scope, then verify it.
Assign a built-in tagging policy to rg-az104-lab1 so the platform would enforce a required tag such as costCenter.
Remove the policy assignment, role assignment, custom role, and resource group so nothing lingers.
What you should see
Confirm the custom role appears in az role definition list, the assignment lists at resource-group scope, and the policy assignment is present before cleanup.
Practice evidence maps to exam_domain_microsoft_az_104_az_104_01
Stay safe & legal: Run only in your own Azure subscription; never against an employer, client, or shared tenant. Account required: yes; payment required: no; maximum designed cost: $1.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 2 of 5 · domain 2 · 15-20% of the exam
Implement and manage storage
Study this second. Microsoft weights it at 15-20%, and it is a self-contained, highly clickable domain that reinforces the access model from Domain 1 — SAS tokens, keys, and firewalls all reuse the identity-and-permission thinking you just built.
This is the 'where does data live, how is it protected, and who can reach it' domain, weighted at 15-20% of the exam. It builds directly on the access thinking from the identity-and-governance domain: storage in Azure is heavily about securing and scoping access to data, so the RBAC and least-privilege habits you just formed carry straight over. Storage is also one of the most satisfying domains to study hands-on, because a storage account costs pennies and every concept — redundancy, tiers, SAS tokens, lifecycle rules — is something you can create and see in minutes. Confirm the current objectives on the official study guide (skills measured as of 2026-04-17) before you sit the exam.
Everything starts with the storage account, the top-level container that holds blobs, files, queues, and tables. The single most examinable choice is redundancy: how many copies of your data Azure keeps and where. Locally redundant storage (LRS) keeps copies within one data center; zone-redundant storage (ZRS) spreads them across availability zones in a region; geo-redundant storage (GRS) replicates to a secondary region for disaster resilience. The exam repeatedly asks you to match a durability or compliance requirement to the right redundancy option — 'survive a regional outage' points to a geo-redundant option, while 'stay inside one region but survive a zone failure' points to zone-redundant. Encryption at rest is on by default, and you should know it exists and that you can bring your own keys.
Access control for storage is the second pillar and where the identity thinking pays off. You can restrict which networks reach a storage account with firewalls and virtual-network rules, so only trusted sources connect. For delegated access you have several tools with different trade-offs: account access keys grant full control and should be guarded like passwords; shared access signature (SAS) tokens grant scoped, time-limited access to specific resources and operations, which is the safer default for handing out access; and for Azure Files you can use identity-based access tied to a directory service. The exam wants you to reach for the least-powerful tool that meets the need — a read-only SAS with an expiry, not an account key, when someone just needs to download a file for a week.
Blob storage carries most of the domain's day-to-day detail. Blobs live in containers, and each blob can sit in an access tier chosen for cost: Hot for data accessed often, Cool for data accessed rarely, and Archive for data you almost never touch but must retain, where retrieval is slower and cheaper storage is the point. Lifecycle management lets you write rules that automatically move blobs to cooler tiers or delete them after a set age, which is how administrators control storage cost at scale without manual cleanup. Data-protection features round it out: versioning keeps prior versions of a blob, and soft delete lets you recover blobs or containers deleted by mistake within a retention window. The exam expects you to match a described retention or cost goal to the tier or feature that meets it.
Azure Files and the movement tools complete the picture. Azure Files provides fully managed file shares you can mount over SMB or NFS, useful for lift-and-shift scenarios where an application expects a network drive. For getting data in and out, Azure Storage Explorer gives a graphical client, and AzCopy is the command-line workhorse for bulk copy and sync. You are not expected to be an expert in either, but you should recognize what each is for — a scenario about 'copy a large dataset into blob storage efficiently' points to AzCopy. Tying the domain together is a single instinct: choose the cheapest, most-scoped option that still meets the durability, access, and retention requirement in front of you.
Study this domain by building a real storage account and exercising each concept once: pick a redundancy option, create a container, upload a blob, generate a scoped SAS, and set a lifecycle rule. The lab below walks exactly that path for pennies and then deletes everything. As always, read the official AZ-104 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.
Create a storage account and generate a scoped, time-limited read-only SAS token Apply a blob lifecycle-management policy that tiers and expires aging blobs
Free tools
Azure portal
Azure CLI / Cloud Shell
Steps
Create a resource group and a locally redundant, Hot-tier storage account (Hot default so the later lifecycle move to Cool is observable).
Create a container named labcontainer and upload a small text file as a blob.
Generate a read-only SAS token for the blob with a short expiry.
Apply the blob lifecycle-management policy from blob-lifecycle-policy.json to the account.
Delete the resource group so the storage account stops billing.
What you should see
Confirm the account reports Standard_LRS and Cool tier, the SAS URL opens the blob, and the lifecycle policy shows enabled before cleanup.
Practice evidence maps to exam_domain_microsoft_az_104_az_104_02
Stay safe & legal: Run only in your own Azure subscription; never against an employer, client, or shared tenant. Account required: yes; payment required: no; maximum designed cost: $1.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 3 of 5 · domain 4 · 15-20% of the exam
Implement and manage virtual networking
Study this third, before compute. Microsoft weights it at 15-20%, and we deliberately place it ahead of compute (Domain 3) because virtual machines live inside subnets, behind NSGs, and reachable through Bastion or a load balancer — networking is the foundation VM placement and connectivity depend on.
This is the 'how do resources connect, and how do you control and secure that traffic' domain, weighted at 15-20% of the exam. We deliberately place it before compute in our sequence, inverting the exam's numbering, because virtual machines and other resources live inside the networking constructs this domain defines: a VM sits in a subnet, is protected by a network security group, and is reached through Bastion, a load balancer, or a private endpoint. Understanding the network first makes the compute domain feel grounded instead of arbitrary. The skills were measured as of 2026-04-17; confirm the current objectives before you sit the exam.
The foundation is the virtual network (VNet) and its subnets. A VNet is your private, isolated slice of Azure networking, carved into subnets that segment resources by role or trust level. Public IP addresses attach to resources that must be reachable from the internet. VNet peering connects two virtual networks so resources in each can communicate as if on one network, which is how you link workloads across VNets or regions. User-defined routes let you override Azure's default routing to send traffic through a specific next hop, such as a firewall appliance. The exam also expects basic troubleshooting instincts — recognizing that a connectivity problem might be a missing peering, a route, or a security rule — and the recurring skill is reasoning about how a packet would actually travel from source to destination.
Network security is the domain's second pillar and its most examinable area. Network security groups (NSGs) hold ordered allow and deny rules that filter inbound and outbound traffic by source, destination, port, and protocol; you attach them to subnets or network interfaces. Because rules are evaluated by priority and can be attached at multiple levels, the exam loves questions about effective security rules — the net result of all NSGs that apply to a resource. Application security groups let you group VMs logically so you can write rules against the group rather than individual IPs. Azure Bastion provides secure browser-based RDP and SSH access to VMs without exposing them to the public internet, which is the modern answer to 'how do I reach a VM safely.' Service endpoints and private endpoints extend private connectivity to platform services like storage, keeping that traffic off the public internet.
Name resolution and load distribution round out the domain. Azure DNS lets you host and manage DNS zones so names resolve to your resources, and private DNS zones handle name resolution inside your VNets. For distributing traffic, Azure load balancers spread incoming connections across a pool of backend resources; an internal load balancer serves traffic inside a VNet, while a public one faces the internet. You are expected to recognize which tool fits a described need — 'spread web traffic across several VMs inside our network' points to an internal load balancer, while 'resolve a custom domain to our resources' points to Azure DNS. The exam tests matching and reasoning, not deep protocol engineering.
A theme that unifies the domain is that networking in Azure is largely about explicit, layered control: you decide what can reach what by composing VNets, subnets, peering, routes, and security groups, and a working connection usually depends on several of these being right at once. This is why the effective-rules idea matters so much — a single misconfigured NSG or missing route can block traffic that everything else permits. Building the instinct to trace a connection through each layer is exactly the administrative judgment the exam is checking, and it directly serves the compute domain, where every VM you deploy must be reachable and protected through these same constructs.
Study this domain by building the network layer with your own hands, because it is entirely free — VNets, subnets, peering, NSGs, and route tables cost nothing until you attach billable compute. The lab below has you create two VNets, peer them, add an NSG rule, and add a user-defined route, so the effective-rules and connectivity ideas become concrete without spending a cent. As always, read the official AZ-104 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.
What is Azure Bastion? (Azure documentation)A cited reference for the secure browser-based VM access this domain names as the modern alternative to public RDP/SSH. (captured 2026-07-10)
Az104 Networking Lab
Create two VNets and configure bidirectional peering between them Add an NSG allow rule to a subnet and a user-defined route to a route table
Free tools
Azure portal
Azure CLI / Cloud Shell
Steps
Create a resource group and two VNets with non-overlapping address spaces.
Configure bidirectional peering between the two VNets and verify it is connected.
Create an NSG with an allow-HTTP rule, attach it to subnet-a, and add a user-defined route.
Delete the resource group to keep the subscription tidy.
What you should see
Confirm peering shows Connected on both sides, the allow-HTTP rule is attached to subnet-a, and the user-defined route exists before cleanup.
Practice evidence maps to exam_domain_microsoft_az_104_az_104_04
Stay safe & legal: Run only in your own Azure subscription; never attach these constructs to an employer, client, or shared tenant. Account required: yes; payment required: no; maximum designed cost: $1.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 4 of 5 · domain 3 · 20-25% of the exam
Deploy and manage Azure compute resources
Study this fourth, after networking. Microsoft weights it at 20-25% — tied for the heaviest domain — but virtual machines live inside the subnets and behind the NSGs from Domain 4, so compute makes far more sense once networking is in place.
This is the 'run workloads: how do you deploy and operate the things that do the work' domain, weighted at 20-25% and tied with identity-and-governance as the heaviest slice of the exam. It spans four families — infrastructure-as-code deployment, virtual machines, containers, and App Service — and it sits deliberately near the end of our sequence because compute lands inside everything you have already studied: identities that may touch it, storage disks it uses, and the networking it connects through. We recommend studying networking (Domain 4) before this one so that virtual-machine placement, subnets, and connectivity feel grounded rather than arbitrary. The skills were measured as of 2026-04-17; confirm the current objectives before you sit the exam.
The domain opens with infrastructure as code, because Azure increasingly expects administrators to deploy repeatably rather than by hand. Azure Resource Manager (ARM) templates are JSON descriptions of the resources you want, and Bicep is a cleaner, more readable language that compiles down to ARM. You are expected to deploy from a template, interpret what a template will create, export an existing deployment as a template, and understand that Bicep and ARM describe the same underlying deployment. The instinct to build is declarative thinking: you describe the desired end state and let Azure reconcile to it, which is why the same template can create a resource once and safely re-run later.
Virtual machines are the heart of the domain and the richest source of examinable detail. You should be able to create a VM and choose its size (the balance of CPU, memory, and cost), attach and manage disks, and place the VM for resilience. Placement is where availability zones and availability sets matter: spreading VMs across availability zones — physically separate locations within a region — lets a workload survive one facility failing, while availability sets guard against rack-level failures within a data center. Virtual Machine Scale Sets let you run and automatically scale a group of identical VMs behind a single configuration, which is how you handle variable load. Disk and VM encryption protect data at rest. The exam repeatedly asks you to match a resilience or scaling goal to the right construct — 'survive a data-center outage' points to availability zones, 'handle a traffic spike automatically' points to a scale set.
Containers are the next family, and the exam wants recognition rather than deep engineering. Azure Container Registry stores your container images privately; Azure Container Instances runs a single container quickly without managing servers; and Azure Container Apps runs containerized apps and microservices with built-in scaling. The mental model is a ladder of increasing management on your side: a registry holds images, Container Instances runs one container simply, and Container Apps orchestrates several with scaling and networking handled for you. You are matching a described need — 'store our images privately', 'run one short-lived container', 'run a scaling microservice' — to the right service.
App Service closes the domain as Azure's managed platform for hosting web applications without minding the servers underneath. You should understand App Service plans (the compute that backs your apps and what you pay for), scaling up (a bigger plan) versus scaling out (more instances), securing traffic with TLS and custom domains, and deployment slots — staging environments you can warm up and then swap into production with near-zero downtime. Deployment slots are a favorite exam topic because they solve a real problem cleanly: test a new version in a slot, then swap it live and swap back instantly if something is wrong. Across the whole domain runs the control-versus-convenience spectrum from earlier domains — a VM gives you the most control and the most responsibility, while App Service and Container Apps trade customization for managed operation.
Study this domain by deploying with a template rather than clicking, because infrastructure-as-code is both examinable and the modern default. The lab below has you deploy a small VM into an availability zone with a Bicep file, verify its zone, resize it, and export the deployment as an ARM template — touching IaC, sizing, and placement in one pass, and then deleting everything so the VM does not keep billing. As always, read the official AZ-104 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.
Learn it free
Official · Official exam objectives
Microsoft AZ-104 (Azure Administrator) study guideThe authoritative topic list for this domain's ARM/Bicep, VM, container, and App Service coverage — worth reading in full given its 20-25% weight. (captured 2026-07-10)
What is Bicep? (Azure documentation)Microsoft's own overview of Bicep — the infrastructure-as-code language the lab deploys from and that compiles to ARM. (captured 2026-07-10)
Deploy a VM into a chosen availability zone from a Bicep template and verify the zone Resize a VM and export its deployment as an ARM template
Free tools
Azure portal
Azure CLI / Cloud Shell
Steps
Create a resource group to hold the compute lab.
Deploy the VM from the Bicep template, supplying a secure admin password.
Verify the VM landed in zone 1, then resize it to Standard_B2s (note: B2s is not free-tier eligible, so delete the group promptly after).
Export the deployment as an ARM template and read how Azure describes it.
Delete the resource group immediately so the VM stops billing.
What you should see
Confirm az vm show reports zone ["1"] and size Standard_B2s, the deployment succeeded, and the group was deleted after the lab.
Practice evidence maps to exam_domain_microsoft_az_104_az_104_03
Stay safe & legal: Run only in your own Azure subscription; never deploy this VM into an employer, client, or shared tenant. Account required: yes; payment required: no; maximum designed cost: $1.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 5 of 5 · domain 5 · 10-15% of the exam
Monitor and maintain Azure resources
Study this last. Microsoft weights it at 10-15% — the lightest domain — and Azure Monitor, Backup, and Site Recovery are most meaningful once you have resources worth watching, backing up, and recovering, so it lands naturally after the other four.
This is the 'how do you watch what you built, and how do you get it back when something breaks' domain, and at 10-15% it is the lightest slice of the exam. It divides cleanly into two halves: monitoring (the tools that tell you how resources are behaving and alert you when they are not) and business continuity (backup and disaster recovery). It sits last in our sequence for a practical reason — monitoring, backup, and recovery are most meaningful once you have identities, storage, networking, and compute worth watching and protecting. The skills were measured as of 2026-04-17; confirm the current objectives before you sit the exam.
The monitoring half centers on Azure Monitor, the platform's umbrella observability service. It collects metrics (numeric measurements over time, such as CPU percentage) and logs (richer event and diagnostic data you can query). You configure alert rules that fire when a condition is met — for example CPU above a threshold — and route them through action groups, which define who gets notified and how (email, SMS, webhook, or an automated response). Insights are curated monitoring experiences for specific resource types. The exam wants you to match a described need to the right piece: 'notify the on-call engineer when CPU stays high' is an alert rule plus an action group, while 'query last week's diagnostic events' points to logs. The lab below has you create exactly that alert-plus-action-group pairing so it stops being abstract.
Network-focused monitoring rounds out the observability half. Network Watcher is a set of tools for diagnosing and monitoring network conditions, and Connection Monitor within it tracks connectivity and latency between endpoints over time. You are not expected to master every Network Watcher tool, but you should recognize that when a scenario describes intermittent connectivity or a need to verify that traffic can flow between two points, Network Watcher and Connection Monitor are where an administrator looks. This ties back to the virtual-networking domain: monitoring is how you confirm, after the fact, that the network you designed is actually behaving as intended.
The business-continuity half opens with Azure Backup. Backup uses a Recovery Services vault as the container that stores backup data and defines how it is protected, including its own redundancy setting (such as locally redundant or geo-redundant). You define backup policies — how often backups run and how long they are retained — and you can restore protected items when needed. The core skills are creating a vault, setting a policy that meets a stated frequency and retention requirement, and understanding restore. The exam commonly frames this as matching a described recovery-point or retention need to the right policy, so internalize that a backup policy is essentially a promise about how recent and how long-lived your recoverable copies are.
Disaster recovery, the domain's final piece, is handled by Azure Site Recovery. Where Backup protects data, Site Recovery protects whole workloads by replicating them so they can fail over to another region if a primary region becomes unavailable, then fail back when it recovers. The distinction the exam wants is clear: Backup is about restoring data (recover a file, a database, or a VM's disks), while Site Recovery is about keeping a workload running through a regional outage by having a replica ready. Matching a described continuity requirement — 'recover deleted files' versus 'keep the application running if the whole region goes down' — to Backup or Site Recovery is precisely the judgment being tested.
Study this domain by wiring up an alert and standing up a vault, because both are quick and mostly free to explore. The lab below has you create a Recovery Services vault with a backup policy and create a metric alert with an action group — touching both halves of the domain — while stopping short of triggering an actual backup job so it stays within the free tier. As always, read the official AZ-104 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.
What is Azure Backup? (Azure documentation)Microsoft's own explanation of Recovery Services vaults, policies, and restore — the business-continuity half of this domain. (captured 2026-07-10)
Official · Free official practice assessment
AZ-104 practice assessment (free, Microsoft account required)Microsoft's own free practice assessment for AZ-104 — the closest official gauge of readiness across all five domains once you have worked through the labs; a Microsoft account is required. (captured 2026-07-10)
Vetted independent · Community video
John Savill's AZ-104 study cram (free community video)A widely respected free walkthrough of the AZ-104 objectives; useful for a second explanation, but it predates the 2026-04-17 skills update, so cross-check anything time-sensitive against the official study guide. (captured 2026-07-10)
Az104 Monitor Backup Lab
Create a Recovery Services vault with LRS redundancy and a daily 30-day backup policy Create an action group and a metric alert rule that fires on high CPU
Free tools
Azure portal
Azure CLI / Cloud Shell
Steps
Create a resource group and a Recovery Services vault, then set its redundancy to LRS.
Define a daily backup policy with 30-day retention (per backup-policy.json), but do not associate a VM or trigger a backup.
Create an action group with your email, then a metric alert rule that fires when CPU exceeds 80%.
Optionally keep the standing alert; delete the vault and resource group when finished.
What you should see
Confirm the vault reports LRS, the policy shows a daily/30-day schedule, and the CPU>80% alert is wired to an action group with your email before any optional cleanup.
Practice evidence maps to exam_domain_microsoft_az_104_az_104_05
Stay safe & legal: Run only in your own Azure subscription; never create vaults or alerts against an employer, client, or shared tenant. Account required: yes; payment required: no; maximum designed cost: $1.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Skills you’ll build
Studying Microsoft Azure Administrator Associatebuilds transferable skills that carry across employers and platforms, not just toward this one exam. Each has a free, source-cited RoleMath primer — what it is, a step-by-step free learning path, clearly labeled free resources, and a safe hands-on exercise:
Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.
Exam registration fee: Approximately $165 USD for the AZ-104 exam (prices vary by country/region and delivery provider - verify the current price for your location on Microsoft's official exam page before you register) Official Microsoft AZ-104 exam page
A free, source-cited study companion built on Microsoft's published AZ-104 study guide — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by Microsoft.