AZ-104 has just had an overhaul, and as with most exam update it includes some changes and clarifications, but this time there are also a few items that have been added and removed.


  • Application security groups
  • Manage licenses in Azure AD
  • custom Azure AD roles
  • VM insights
  • ASR failover
  • storage access policies
  • Azure Compute Gallery


  • file sync service
  • Azure FIrewall
  • VPN GW
  • Express Route
  • Virtual Wan

Let’s focus on the items that were removed were on the networking side, and how to possibly interpret them. You probably noticed that all but one were networking related, and it’s important to note that they are potentially included in some of the other networking topics, as well as being more heavily covered in AZ-700. The other item on the list of removed items is the Azure file sync service. I think it’s fair to say that this is one that is way more suitable for the Azure hybrid Exams. I know that previously the inclusion of file sync was problematic for some people because of the Windows Server exposure that the technology requires.

The exam has also been slowly but surely moving away from being almost completely IaaS focused, with PaaS based objectives expanding further than they had previously. In some ways it has expanded into areas that were originally covered across AZ-100 and AZ-101 before they scaled back and combined into AZ-103, which was the predecessor to AZ-104.

I view this as a good thing, because one of the trends I was seeing for a while with the AZ-10x exams was that the people I saw do well in those exams were people with significant on-premises infrastructure experience, but those who were focused on non-IaaS Azure capabilities were more likely to struggle during the exam. It really seemed that these exams weren’t doing a great job of catering to those working with PaaS, but that has definitely changed.

The expectation of what an Azure Administrator should be familiar with constantly evolves, and while many admins maybe have been able to take their on-premises knowledge of virtual machines, operating systems, networking and storage across to Azure with little effort, there is now an expectation that some of those IaaS workloads are slowly but surely being moved across to PaaS offerings. Notice I’m not saying all workloads are expected to move, but some of them certainly are. If you have come from more of an IaaS background, this means you will need to focus on these areas.

This doesn’t mean that those focused on PaaS workloads don’t have to put in effort as well. Understanding networking technologies and and traditional compute models is still a major, though shrinking part of the exam, and one of the common issues I’ve seen with people who fail this exam is that it’s a lack of core networking skills that let them down. There have been some consolidations in the networking sections of the exam, but the reality is that nothing has been removed, with the assumption that an admin has a basic level of knowledge of networking concepts.

Regardless of where your skills are strongest, the important thing is to focus on your weakness with your exam preparation, rather than getting too carried away learning about the things you already work with. An example of this is that if you work mostly with SaaS via Microsoft 365, you may already have a strong enough set of skills to get through the identity questions without a challenge. Instead go through the resources listed below to make sure you aren’t missing anything before sitting for the exam.

Manage Azure identities and governance (15-20%)

Manage Azure AD objects

Manage role-based access control (RBAC)

Manage subscriptions and governance

Implement and manage storage (15-20%)

Secure storage

Manage data in Azure storage accounts

Configure Azure files and Azure blob storage

Deploy and manage Azure compute resources (20-25%)

Automate deployment and configuration of VMs by using Azure Resource Manager

Create and configure VMs

Create and configure containers

Create and configure Azure App Service

Configure and manage virtual networking (20-25%)

Configure virtual networks

Configure secure access to virtual networks

Configure load balancing

Monitor virtual networking

Monitor and maintain Azure resources (10-15%)

Monitor resources by using Azure Monitor