Azure adoption keeps climbing, and teams want administrators who can run production—identity, networking, storage, security, cost, and automation—not just recite service names. AZ-104 is still the clearest signal that you can operate Azure responsibly. This guide expands the plan into a full action playbook: detailed study sprints, lab builds, IaC templates, monitoring baselines, and interview prep. Authority comes from hiring standards and repeatable patterns—not personal stories.
Why AZ-104 Still Matters in 2025
- Hiring signal: AZ-104 appears in most Azure administrator and cloud ops postings; it proves baseline competence across identity, networking, and storage.
- Day-one relevance: Exam scenarios mirror real tasks—locking down VNets, enforcing RBAC, configuring backup, wiring alerts, and managing cost.
- Career ladder: AZ-104 is the feeder into Azure Security Engineer, Solutions Architect, Cloud Engineer, and Platform roles.
- Market reality: Azure continues gaining enterprise share, especially in regulated industries; admins who blend security + automation rise fastest.
Exam Overview (AZ-104)
- Format: 40-60 questions (multiple choice, case studies, drag-and-drop; hands-on labs when Microsoft enables them)
- Time: 120 minutes
- Passing score: 700/1000
- Cost: $165 USD
- Prereqs: None, but 6-12 months Azure exposure makes success faster
- Domains (approx.): Manage Azure identities and governance; implement and manage storage; deploy/manage compute; configure/secure virtual networking; monitor/back up Azure resources
Role Expectations vs Exam Domains (Map Your Learning)
- Identity/Governance: RBAC, PIM awareness, policy, management groups, tags. Employers want least-privilege by default and consistent tagging for cost/ops.
- Networking: VNets, subnets, NSGs, routing, private endpoints, DNS. Employers expect secure connectivity patterns (hub-spoke, private ingress/egress, zero unnecessary public IPs).
- Storage: Accounts, containers, file shares, access control, encryption, lifecycle. Employers want predictable access (SAS/keys), cost controls, and private endpoints to data.
- Compute: VMs, scale sets, load balancers, images, extensions, updates. Employers expect patching, HA, and backup plans.
- Monitoring/DR: Azure Monitor, Log Analytics, alerts, action groups, Diagnostics, Backup, ASR. Employers want alert hygiene (no noise), tested recovery, and budget-friendly retention.
Skill Baseline (Fix Gaps Before the Sprint)
- Cloud fundamentals: regions, AZs, shared responsibility
- Networking basics: CIDR, DNS, routing, NSG vs firewall
- Identity basics: RBAC, groups vs roles, least privilege
- OS basics: Windows/Linux admin (services, updates, permissions)
- Scripting: Azure CLI or PowerShell comfort (loops, params)
- Source control: Git basics to version scripts/IaC
If gaps exist, invest 2-3 weeks to close them so the main plan sticks.
16-Week Action Plan (12 Weeks Core + 4 Weeks Acceleration)
Time budget: 8-12 hours/week (push to 12-15 for faster finish).
Weeks 1-2: Tenant, Governance, Identity
- Management groups, subscriptions, resource groups, tags, locks
- RBAC vs classic admin roles; role assignments; custom roles basics
- Azure AD (Entra ID) fundamentals; PIM awareness; Conditional Access overview
- Policy: built-ins (tag enforcement, allowed locations), initiatives
- Labs: Build MG hierarchy; apply allowed-locations policy; enforce required tags; create least-privilege roles for ops vs security vs dev teams.
- Checkpoint: You can deploy resources only to approved regions with enforced tags, and assign roles with least privilege.
Weeks 3-4: Networking + Storage Core
- VNets/subnets, service endpoints vs private endpoints, DNS options, UDRs
- NSGs vs Azure Firewall; DDoS Standard awareness; Bastion/JIT access
- Storage accounts: redundancy (LRS/ZRS/GZRS), blob tiers, SAS, lifecycle
- File shares (Azure Files), private endpoints for storage, encryption
- Labs: Build hub-spoke with shared services (DNS/Firewall); lock down subnets with NSGs; add private endpoints for storage + Key Vault; test connectivity with and without NSGs.
- Checkpoint: You can deliver a private-only data path and block unintended public exposure.
Weeks 5-6: Compute, HA, Backup/DR
- VMs, scale sets, images (SIG), extensions, availability sets/zones
- Load balancers (public/internal), health probes, NAT rules
- Azure Backup vaults, policies; ASR concepts; snapshots
- Update management (Azure Update Management/Arc where needed)
- Labs: Deploy VMSS behind internal load balancer; configure backup; test restore; schedule updates; create golden image and redeploy.
- Checkpoint: You can deploy, patch, back up, and restore compute with documented RPO/RTO.
Weeks 7-8: Monitoring, Logging, Security Baselines
- Azure Monitor + Log Analytics: workspaces, data collection rules, cost controls
- Alerts and action groups; alert tuning (metric vs log alerts)
- Defender for Cloud: recommendations, just-in-time, secure score basics
- Key Vault: secrets/keys/certs, access policies vs RBAC
- Labs: Route diagnostics to Log Analytics; create CPU/disk/network alerts; set action groups (email/Teams/webhook); enable Defender plans where appropriate; store secrets in Key Vault and consume from VM/Function.
- Checkpoint: You can show dashboards/alerts with low noise, and secrets never leave secure stores.
Weeks 9-10: Automation + IaC
- Azure CLI/PowerShell scripting patterns (loops, parameters, idempotence)
- Bicep basics: modules, parameters, variables, outputs, template specs
- ARM comprehension for legacy templates
- Automation Account + runbooks; identity for automation; schedules
- Labs: Convert a manual VNet/VM/NSG build to Bicep modules; deploy via CLI; create runbook to rotate secrets or start/stop VMs on schedule; store code in GitHub with README.
- Checkpoint: You can deploy consistent infra via Bicep and automate recurring ops tasks.
Weeks 11-12: Cost, Governance, Ops Maturity
- Budgets and alerts; cost analysis; rightsizing patterns
- Cleanup/retention: resource locks, lifecycle on storage, log retention tuning
- Policy/initiative for guardrails (no public IPs, required tags, allowed SKUs)
- Runbooks for nightly shutdowns, stale resource cleanup
- Labs: Apply budget to subscription; create alerts for threshold breaches; enforce policy to block public IPs; rightsize VM/SQL SKUs; implement tag-based cleanup job.
- Checkpoint: You can demonstrate cost awareness, guardrails, and operational hygiene.
Weeks 13-16 (Acceleration / Differentiators)
- AKS operations basics: node pools, upgrades, identities, network modes
- Hybrid connectivity: VPN Gateway, ExpressRoute concepts, Azure Arc onboarding
- Identity hardening: PIM exercises, Conditional Access templates, MFA enforcement
- Logging depth: KQL queries for troubleshooting; workbook creation
- Outcome: You signal readiness for platform/DevOps-adjacent tasks and security-conscious operations.
Lab Blueprint (Portfolio-Ready)
Build one cohesive environment instead of scattered demos:
- Networking: Hub-spoke VNets; private endpoints to Storage/Key Vault; Azure Firewall or NSG-only controls; DNS resolution across spokes.
- Compute: VM scale set + load balancer; JIT/Bastion for admin; update schedule; backup policy; ASR test.
- Data: Storage account with blob + files; lifecycle policies; encryption; private access only.
- Security: RBAC with least privilege; policy initiative enforcing tags/locations/no-public-IP; Defender recommendations addressed.
- Monitoring: Log Analytics + Azure Monitor alerts; action groups to email/Teams/webhook; workbook summarizing health/cost signals.
- Automation/IaC: Bicep modules for network + compute + storage; runbook for start/stop; budget alerts; GitHub repo with README, parameters, and architecture diagram.
Document in GitHub:
- bicep/ modules + main deployment
- scripts/ for CLI/PowerShell runbooks
- docs/diagram.png or Excalidraw
- README.md with setup, decisions, costs, and cleanup instructions
Practice Tests & Readiness (Pacing Plan)
- Week 4: Baseline quiz to surface weak domains (expect 55-65%); study targeted sections.
- Week 8: Full practice exam; aim for 70%+. Review every miss; lab anything unclear.
- Week 11: Second full practice exam; aim for 75%+. Retake after remediation.
- Week 12: Timed dry run; practice time management; finalize cheat sheets (service limits, SLAs, RBAC scopes, backup/ASR options).
- Schedule the real exam only after consistent 75%+ on reputable practice tests.
Day-Before and Day-Of Checklist
- Sleep 7-8 hours; clear the calendar.
- Revisit service limits and defaults (NSG rules, VM quotas, storage redundancy).
- Re-read notes on RBAC scope, policy vs initiative, private endpoints vs service endpoints.
- Confirm government/tenant restrictions if applicable (allowed regions).
- On exam day: pace at ~2 minutes/question; flag long case studies; avoid overthinking—choose the best supported option.
Resume, Portfolio, and Interview Positioning
- Lead with outcomes: uptime, security hardening, cost reductions; quantify (alerts reduced X%, backups tested quarterly, cost down Y%).
- Show automation: Bicep modules, runbooks, scheduled start/stop, tag enforcement scripts.
- Highlight governance: Policies that prevent public IPs, required tags, budgets with alerts.
- Link artifacts: GitHub repo (IaC + runbooks + diagram), workbook screenshot, sample alert playbook.
- Interview prep: Be ready to whiteboard hub-spoke, explain RBAC vs access policies, walk through backup/restore, and demonstrate cost tuning.
Salary & Career Trajectory (What to Expect)
- Entry Azure admin: ~$85K-$110K in many US markets with AZ-104 + labs.
- Mid-level cloud admin/engineer: ~$110K-$145K with automation + governance strength.
- Next steps: Azure Security Engineer, Solutions Architect, or Platform Engineer ($140K-$190K) by adding security depth (PIM/CA/Defender) and IaC-at-scale.
- Negotiation tip: Bring evidence—cost reports, uptime/alerting improvements, and IaC portfolio reduce perceived risk and support higher bands.
Common Mistakes (Avoid These)
- Portal-only studying: Hands-on labs are essential; AZ-104 leans on applied knowledge.
- Ignoring networking/identity depth: Most misses come from NSG/route/PE/RBAC missteps.
- No cost focus: Budgets, alerts, and lifecycle policies matter in interviews and on the job.
- Zero automation: Hiring teams expect CLI/PowerShell/Bicep; manual clicks do not scale.
- Skipping monitoring: Unconfigured diagnostics/log routing is a red flag; build alert hygiene.
Quick FAQ
- Do I need Kubernetes? Not to pass, but AKS basics help for many roles.
- Is Bicep required? Strongly recommended; at least read ARM and write simple Bicep modules.
- Are practice labs enough for a job? Labs + IaC + monitoring artifacts make resumes credible; pair with clear outcomes in bullets.
- How long to study? 12 weeks steady or 8-10 weeks aggressive; add 4 weeks for differentiators if time permits.