Is AZ-104 still worth it in 2026?

Yes. AZ-104 remains the practical baseline certification for Azure administrators and is still one of the most recognizable proof points for platform operations skills.

How hard is AZ-104 compared with AZ-900?

Much harder. AZ-900 is conceptual; AZ-104 expects you to actually configure identity, networking, storage, compute, policy, and monitoring.

Do I need Azure PowerShell if I already use the portal?

Yes. Portal-only candidates are slower and less reliable. You should be able to complete core admin tasks in Azure CLI 2.65+ and PowerShell 11.x.

What should I lab first for AZ-104?

Start with identity and governance, then VNets and NSGs, then VMs, then storage, then monitoring and backup. Those areas give the fastest coverage and strongest retention.

How much networking do I need to know?

Enough to create VNets, subnets, peering, NSGs, private endpoints, and basic load balancing, and enough to troubleshoot connectivity failures.

What is the biggest mistake candidates make?

They memorize terms instead of doing labs. AZ-104 rewards people who can operate Azure under real constraints, not people who can recite definitions.

Should I use practice exams?

Yes, but only after lab work. Practice exams are useful for identifying weak spots, not for replacing hands-on admin repetition.

Azure AZ-104 Roadmap 2026: Administrator That Passes

If you want to pass AZ-104 in 2026, stop studying like a tourist. This exam rewards operators who can build, troubleshoot, and govern an Azure tenant without hand-holding. It is not a trivia contest about portal clicks. It is a practical admin exam centered on Microsoft Entra ID, Azure RBAC, governance, compute, storage, networking, monitoring, and backup/DR. The fastest path to a passing score is a ruthless plan: learn the exam domains, build a disposable lab, automate the routine tasks, and practice under time pressure.

My opinionated roadmap is simple: treat AZ-104 as the baseline credential for Azure platform administrators, not as a beginner course. If you already understand DNS, subnets, IAM, and backups, you can compress your study time. If you do not, you need hands-on repetition, not flashcards. The exam changes over time, but the admin muscle memory it measures does not. In 2026, that means being fluent in Azure Portal, Azure CLI 2.65+, Azure PowerShell 11.x, and the current Microsoft Entra admin center experience. If you can operate from command line and portal, you will move faster and make fewer mistakes.

1) Know what AZ-104 actually tests

AZ-104 is about day-two administration. That means provisioning and securing resources, not designing a global cloud platform. You should be able to create and manage identities, subscriptions, resource groups, virtual machines, storage accounts, virtual networks, load balancing, and monitoring. You also need to know how Azure governance works in practice: management groups, subscriptions, policy assignments, resource locks, and role-based access control.

The exam tends to punish shallow knowledge. For example, it is not enough to know that Azure Policy exists. You need to understand when to assign a built-in initiative at the management group level versus when to use a custom policy at the subscription scope. Likewise, it is not enough to know RBAC roles. You should know the difference between Owner, Contributor, and User Access Administrator, and where Microsoft Entra roles are different from Azure RBAC roles.

Core domains to master

Identity and governance: Microsoft Entra ID, users, groups, role assignments, custom roles, PIM basics, policy, locks, tags, management groups.
Storage: storage accounts, blob, file, queue, table, redundancy options, access tiers, SAS, access keys, lifecycle management, Azure Files.
Compute: Azure virtual machines, VMSS, availability sets, images, disks, extensions, Azure Bastion, autoscaling basics.
Virtual networking: VNets, subnets, NSGs, UDRs, private endpoints, DNS, peering, VPN Gateway, load balancers, Application Gateway basics.
Monitoring and backup: Azure Monitor, Log Analytics, alerts, activity logs, Resource Health, Recovery Services vault, backup policies.

2) Build a lab that forces you to operate

If you are serious, create a sandbox subscription and break things on purpose. A lab is not optional. Azure free credits, a pay-as-you-go subscription, or a Visual Studio subscription is enough. Keep costs down with small SKUs, automation, and aggressive cleanup. Use one resource group per exercise so teardown is deterministic.

Your lab should include:

One Microsoft Entra tenant with at least two test users and one group.
One subscription under your control for RBAC and policy testing.
One hub-and-spoke or simple two-VNet topology with peering.
One Windows Server 2022 or Windows Server 2025 VM and one Ubuntu Server 24.04 LTS VM.
One storage account with blob and file services enabled.
One Log Analytics workspace and alert rules.
One Recovery Services vault with VM backup configured.

Use current tooling. In 2026, Azure CLI 2.65+ is the fastest way to repeat tasks. Azure PowerShell 11.x is still heavily used by admins, especially in enterprise environments with legacy scripts. Microsoft Sentinel and Defender for Cloud may appear in your day-to-day work, but AZ-104 focuses more on platform operations than advanced SecOps. Do not drift into unrelated study rabbit holes.

Here is a minimal CLI sequence you should be comfortable with:

az login --use-device-code
az account set --subscription "AZ104-Lab"
az group create --name rg-az104-core --location eastus
az network vnet create \
  --resource-group rg-az104-core \
  --name vnet-hub \
  --address-prefix 10.10.0.0/16 \
  --subnet-name snet-app \
  --subnet-prefix 10.10.1.0/24
az storage account create \
  --name staz104lab2026 \
  --resource-group rg-az104-core \
  --location eastus \
  --sku Standard_LRS \
  --kind StorageV2

Do the same tasks through the portal, then repeat them in CLI. If you cannot recreate a VM, subnet, NSG rule, or backup configuration from scratch without the wizard, you are not ready.

3) Identity and governance: the highest-value marks

This is where many candidates lose easy points. Azure administration is identity administration. If you misunderstand identity, nothing else matters. In 2026, Microsoft Entra ID is the control plane for users, groups, app registrations, conditional access concepts, and privileged role assignment workflows. You should know where to manage identities in the Microsoft Entra admin center and where Azure Portal still remains the operational home for RBAC on resources.

Focus on these points:

Authentication versus authorization: Entra ID proves who you are; Azure RBAC decides what you can do.
Built-in RBAC roles: Owner can manage access and resources; Contributor can manage resources but not grant access; Reader can view.
Scope hierarchy: management group, subscription, resource group, resource. Assign at the lowest practical scope.
Resource locks: CanNotDelete and ReadOnly are blunt instruments; know when to use them and their limitations.
Azure Policy: use policy to enforce standards, audit drift, and deny noncompliant deployments.

Also understand group-based access. In enterprises, you rarely assign users directly unless there is a one-off exception. You assign roles to groups, then manage membership. That is the operationally sane model. For governance, learn tags, policy initiatives, and the difference between auditing and denying. A policy that audits an unapproved region is not the same as one that blocks deployment. The exam likes these distinctions.

One practical exercise I recommend is creating a custom role with limited permissions, assigning it at the resource group scope, then verifying access with a test user. Next, move the assignment up to the subscription and observe the blast radius. That teaches scope better than reading docs ever will.

4) Networking and compute: build, connect, troubleshoot

AZ-104 expects enough networking knowledge to administer Azure resources confidently. You are not being tested like an Azure networking specialist, but you absolutely need to know what breaks connectivity. Start with VNets, subnets, address spaces, NSGs, and peering. Then add private endpoints, DNS resolution, and basic load balancing. If you can explain why a VM cannot reach a storage account over the public internet when a private endpoint and private DNS zone are configured, you are in good shape.

For compute, know the lifecycle of Azure virtual machines. Understand images, disks, extensions, availability sets, scale sets, and basic resizing. Know when to use Azure Bastion instead of exposing RDP or SSH. In 2026, Bastion remains the clean answer for secure admin access. Understand how boot diagnostics and serial console can save you when a VM will not come up.

Hands-on labs that matter

Create two subnets, associate NSGs, and test east-west traffic rules.
Peer two VNets and confirm default routing behavior.
Deploy a VM from the Azure Marketplace, attach a data disk, and set up a startup script extension.
Configure Bastion and connect without a public IP.
Deploy a Standard Load Balancer in front of two Linux VMs and validate health probes.
Break DNS on purpose, then fix it using a private DNS zone link.

Do not ignore Azure Load Balancer versus Application Gateway. You do not need deep WAF expertise for AZ-104, but you should know that one is Layer 4 and the other is Layer 7, and which problem each solves.

5) Storage, backup, and monitoring: where admins prove they can keep things alive

Storage is boring until it costs you a data incident. For AZ-104, know the major storage services and the admin knobs that matter. A storage account is not just a bucket. It is a control plane with redundancy, networking, encryption, access control, lifecycle, and performance settings. Learn when to use LRS, ZRS, GRS, and GZRS. Know the difference between hot, cool, and archive tiers. Know the difference between an account access key and a shared access signature. Know why you should prefer Microsoft Entra-based authorization where applicable instead of spreading account keys everywhere.

For Azure Files, understand SMB access, identity-based access options, and common admin use cases like lift-and-shift file shares or user profile storage. For backup, know Recovery Services vault behavior, backup policies, snapshot retention concepts, and how to restore a VM or file-level data. Administrators are judged on recovery, not hope.

Monitoring is the same story. You should know how Azure Monitor ties together metrics, logs, alerts, and dashboards. Activity logs are for control-plane events. Log Analytics is for queryable logs. Resource Health tells you whether Azure believes the service is impaired. The question style often asks you to choose the best troubleshooting source. Pick the right telemetry, not just any telemetry.

Run KQL queries in a Log Analytics workspace. Learn enough to filter VM heartbeats, failed sign-ins, and resource changes. You do not need to become a Sentinel analyst, but you do need to be able to find evidence quickly. That skill is directly examinable and directly useful.

6) A 30-day study plan that actually works

If you have a full-time job, you need a compact plan. Here is the schedule I would give a serious candidate.

Days 1-7: Identity and governance. Build Entra users/groups, RBAC assignments, policy definitions, locks, and tags.
Days 8-14: Networking and compute. Build VNets, peering, NSGs, Bastion, VMs, and basic load balancing.
Days 15-20: Storage. Deploy storage accounts, blobs, Azure Files, access tiers, and SAS-based access.
Days 21-24: Monitoring and backup. Configure Log Analytics, alerts, Recovery Services vault, and restore tests.
Days 25-28: Full lab rebuild from memory. Time yourself and document only after the fact.
Days 29-30: Review weak spots, do practice questions, and rest.

Do not spend the last week watching endless summary videos. By then, you need recall and confidence, not passive intake. Rebuild the lab. That is the real exam prep. If you want a structured starting point, compare your study budget and support options with techleague.io.

7) Exam-day strategy: the difference between pass and almost

AZ-104 is manageable if you stay disciplined during the exam. Read the question twice. Most misses come from ignoring scope, region, or requirement constraints. Watch for words like minimal management effort, least privilege, support for existing configuration, and avoid downtime. Those phrases change the correct answer.

Use this mental checklist:

What scope is the question asking about?
Is the requirement about access, policy, or deployment?
Is the answer asking for portal, CLI, or PowerShell behavior?
Is the solution preventive, detective, or corrective?
Does the feature actually support the resource type?

Time management matters. Do not sink eight minutes into one drag-and-drop question. Mark it, move on, and return later. Eliminate obviously wrong options first. If two answers seem plausible, identify the one that is easiest to operate in real life and matches the scope requirement. Microsoft loves realistic admin logic, not theoretical perfection.

Finally, stay calm. You do not need a perfect score. You need a passing score and the judgment of someone who has administered Azure before. That means understanding the platform as a system: identity controls access, policy controls drift, networking controls reachability, storage controls durability, and monitoring tells you when it is all falling apart.

Bottom line: if you can build the lab, explain the why behind each service, and troubleshoot failures without guessing, AZ-104 is passable. If you only memorize definitions, you will be exposed. Start with the lab, drill the admin tasks, and earn the cert the way operators should.

CTA: Build the lab this week, schedule the exam, and use this roadmap as your operating plan. If you want more structured cloud training and certification prep, explore the resources at techleague.io.