Azure AZ-104 prep, administrator roadmap with ARIA

The Microsoft Azure Administrator Associate (AZ-104) is 120 minutes, around 40 questions including case studies, a 700 of 1000 passing score (about 70 percent), and intermediate difficulty. AZ-900 is helpful but not required. I prep you with an adaptive evaluation, a roadmap weighted toward the two largest domains (Virtual Networking at 25 percent, Identity at 20 percent), a daily task engine, and a pass guarantee tied to five measurable conditions. Start your free CAT evaluation at claudelab.me/onboarding/select-cert?code=AZ-104.

TL;DR

120 minutes, around 40 questions including case studies, 700 of 1000 to pass, intermediate.
Five domains, with Virtual Networking heaviest at 25 percent.
I open with a 15-to-25-question CAT eval, domain-by-domain skill estimate, not a single percentage.
Roadmap weighting puts almost half of your study time on Networking and Identity combined.
Pass-guarantee eligibility is a database function with five mechanical conditions, not a marketing line.

What the AZ-104 exam is

AZ-104 is the current Microsoft Azure Administrator Associate exam (current as of 2026). It tests your ability to implement, manage, and monitor an Azure environment at the administrator level. Around 40 questions in 120 minutes, scaled passing score 700 out of 1000 (about 70 percent), with multiple choice, multiple response, drag-and-drop, and one or two case studies bundling several questions under a shared scenario.

The blueprint splits into five domains:

Domain	Weight	What it covers
Manage Azure Identities and Governance	20%	Microsoft Entra ID, users and groups, RBAC, management groups, Azure Policy, resource locks.
Implement and Manage Storage	15%	Storage accounts, blob tiers, lifecycle, file shares, AzCopy, redundancy (LRS, ZRS, GRS, GZRS), SAS tokens.
Deploy and Manage Compute Resources	20%	VMs, scale sets, availability sets and zones, App Service, container instances, AKS basics, ARM and Bicep.
Implement and Manage Virtual Networking	25%	VNets, NSGs and ASGs, peering, VPN gateway, ExpressRoute, Azure Firewall, load balancers, Application Gateway, DNS, Bastion.
Monitor and Maintain Azure Resources	20%	Azure Monitor, Log Analytics, metrics and alerts, Application Insights, Azure Backup, Azure Site Recovery, updates.

Virtual Networking at 25 percent is the largest single domain and the most common reason candidates fail this exam. A roadmap that spends equal time on all five wastes about a third of your study window. I do not.

Positioning vs SAA-C03 matters if you are choosing between them. AZ-104 is admin and operations: RBAC inheritance, NSG effective rules, peering topologies, backup tier selection. SAA-C03 is architecture: design choices across compute, storage, and resilience. They overlap on fundamentals and reward different question instincts. The case-study format adds a layer SAA-C03 does not have: a multi-paragraph scenario followed by four to six questions against shared context. Misread the scenario once and the whole block bleeds. Deeper comparison: AWS SAA-C03 prep.

How ARIA preps you for it

ARIA owns your AZ-104 prep end to end. Five pieces, each one running every day you are in the program.

The CAT evaluation. A 15-to-25-question adaptive test that converges on your real skill level for each of the five AZ-104 domains. Difficulty adjusts after every answer. The test stops at 95 percent confidence or 25 questions. The output is a domain-by-domain estimate that decides what your roadmap looks like. Read the full CAT explainer.

The personalized roadmap, weighted toward Networking and Identity. Networking (25 percent) and Identity (20 percent) account for 45 percent of the exam combined, so the roadmap allocates the largest slice of milestones to those two by default, then re-weights based on your CAT scores. A novice on Networking gets the most milestones in the entire plan. Full structure: the roadmap overview.

The daily task engine. Every time you reopen the app, I pick the next thing to work on, today. One task. Not a list. The engine weighs active milestone, error backlog, readiness decay, and schedule drift, then surfaces the single highest-value action. See the Today Task card.

The error backlog with admin-trap categorization. Every wrong answer is tagged with a specific trap pattern: NSG effective-rule confusion, peering vs gateway scope, RBAC inheritance order, blob tier minimum-day rules, backup vs Site Recovery boundary, AAD group type confusion. Diagnostic, not generic. The backlog reschedules misses at 1, 3, 7, and 21 days, and a pattern retires only after three correct answers in a row, spaced.

Readiness gating. A single 0-to-100 number for your probability of passing AZ-104 today. It blends coverage, accuracy, and recency, and decays roughly 3 points per day of inactivity past the grace window. At 60 it unlocks the demo test. At 80 the gauntlet unlocks, and (with every milestone done, two mock passes, one gauntlet pass, live readiness at 80) the pass guarantee flips eligible. Math: readiness and decay. Day-to-day: practice sessions. Broader category: AI cert prep in 2026.

Common pitfalls on AZ-104

These are the seven traps that quietly cost the most points. Every prep tool warns about them. Few do anything structural. I do.

1. VNet peering vs VPN gateway vs ExpressRoute

Peering connects VNets, no internet hop, low latency. VPN gateway tunnels over the public internet to on-prem. ExpressRoute is a private circuit, predictable bandwidth, premium cost. The exam writes stems where two answers look right until you read latency and SLA constraints carefully. What I do: every miss tags the connectivity-decision trap and the backlog rotates the three-way comparison until you stop reaching for VPN when peering is enough.

2. NSG rules and effective security rules

NSGs apply at subnet OR NIC level (or both); the effective rule is the intersection. Default rules sit beneath custom rules. Priorities evaluate low-to-high, lower number wins. The exam loves stems where a rule looks right in isolation but a higher-priority deny blocks the traffic. What I do: I drill walkthroughs with a fixed reading order (priorities, default rules, subnet vs NIC scope, service tags) and the backlog brings back hub-and-spoke scenarios until the inheritance is automatic.

3. RBAC inheritance and Azure Policy interaction

RBAC scopes are management group, subscription, resource group, resource. Roles inherit downward. Deny overrides allow. Azure Policy enforces compliance independently of RBAC and can block resource creation. The exam writes stems where a user "should" have access by RBAC but Policy blocks the action. What I do: I split RBAC and Policy into separate sub-patterns, then schedule combined scenarios once both are solid. You do not complete the Identity milestone until you can call which control denied an action from the error shape alone.

4. Blob storage tiers and lifecycle management

Cool needs 30 days minimum, Cold needs 90, Archive needs 180 and rehydration takes hours. Lifecycle rules transition objects automatically, but a rule that violates a minimum incurs early-deletion fees. The exam writes stems where a proposed policy is mathematically disallowed. What I do: every miss surfaces the constraint matrix on the explanation card, and the backlog brings back transition edge cases until the constraints stop being a guess.

5. AAD groups vs administrative units vs management groups

Entra groups are identity collections for app and resource access. Administrative units are scopes within Entra for delegated user and group management (a help-desk admin who can reset only HR users' passwords). Management groups sit above subscriptions for billing and policy hierarchy. They look similar on a stem and are not interchangeable. What I do: I tag each as a separate sub-pattern and rotate them in the backlog until the three are cold.

6. Backup vs Azure Site Recovery distinctions

Azure Backup is point-in-time recovery for files, VMs, databases. Azure Site Recovery (ASR) is replication and failover, region-to-region or on-prem-to-Azure. The exam writes stems where "RPO of 15 minutes and failover to a secondary region" is ASR, and "restore yesterday's deleted file" is Backup. What I do: every miss tags the recovery-tool boundary and the backlog drills the RTO / RPO / scope distinction with paired scenarios until you stop swapping them.

7. Monitoring stack overlap (Azure Monitor vs Log Analytics vs Application Insights)

Azure Monitor is the umbrella (metrics, logs, alerts). Log Analytics is the storage and query layer for logs, queried with KQL. Application Insights is APM built on Log Analytics, focused on dependency and distributed tracing. The exam writes stems where any of the three sound right; only one is precise. What I do: I tag tool-selection traps separately from alert-rule configuration traps, because they fail for different reasons. The backlog rotates each pattern until you map a requirement to the right layer on first read.

Common questions

Do I need AZ-900 before sitting AZ-104?

AZ-900 is helpful but not required. If you already work with Azure subscriptions, resource groups, and the portal day to day, you can start straight at AZ-104. The CAT surfaces any foundational gaps in the first 25 questions, and the roadmap allocates extra milestones there if needed.

How are case-study questions scored on AZ-104?

Case studies present a multi-paragraph scenario followed by a small set of related questions. Each question is scored individually, but the scenario is shared, so wrong assumptions early bleed into later items. I drill case-study reading order so you parse the requirements and constraints before opening question one.

How long does AZ-104 prep take at 30 to 45 minutes a day?

At 30 minutes a day, median time-to-ready sits between eight and twelve weeks. At 45 minutes a day, closer to six to nine. Your CAT baseline matters more than raw hours; a novice on Networking and Identity gets the longest plan.

Do I need a hands-on Azure lab to pass AZ-104?

AZ-104 does not have a graded lab segment in 2026, so technically no. Practically, hands-on familiarity with the portal, Azure CLI, and PowerShell az module helps you read stems faster. I tag every wrong answer where the trap was console-shape recognition, so you know when to spin up a free Azure account.

Should I take SAA-C03 first or AZ-104 first?

Pick the one your job uses. AZ-104 is admin and operations. SAA-C03 is architecture. They overlap on fundamentals but reward different instincts. If your team runs Azure, AZ-104 first. If you architect on AWS, SAA-C03 first. Deeper comparison: AWS SAA-C03 prep.

Does the pass guarantee really cover AZ-104?

Yes, with the same five conditions used on every cert: every milestone completed, every phase completed, two mock exams passed at 70 percent or higher, one gauntlet passed at 80 percent or higher, and a live readiness score of 80 or above. Sit the exam in the 60-day window, fail, get a full refund of the Exam Ready plan. Full mechanics: the pass guarantee page.

Start your AZ-104 prep

The cheapest possible signal is the 15-minute CAT evaluation. It tells you which of the five domains you own, which one will cost you the exam if you sit it tomorrow, and where the roadmap starts.

Start your free AZ-104 evaluation at claudelab.me/onboarding/select-cert?code=AZ-104.

TL;DR​

What the AZ-104 exam is​

How ARIA preps you for it​

Common pitfalls on AZ-104​

1. VNet peering vs VPN gateway vs ExpressRoute​

2. NSG rules and effective security rules​

3. RBAC inheritance and Azure Policy interaction​

4. Blob storage tiers and lifecycle management​

5. AAD groups vs administrative units vs management groups​

6. Backup vs Azure Site Recovery distinctions​

7. Monitoring stack overlap (Azure Monitor vs Log Analytics vs Application Insights)​

Common questions​

Do I need AZ-900 before sitting AZ-104?​

How are case-study questions scored on AZ-104?​

How long does AZ-104 prep take at 30 to 45 minutes a day?​

Do I need a hands-on Azure lab to pass AZ-104?​

Should I take SAA-C03 first or AZ-104 first?​

Does the pass guarantee really cover AZ-104?​

Start your AZ-104 prep​