AZ-104 Exam Strategy
Time management, question tactics, and distractor patterns — know these before you sit down at the test centre.
Exam Format
Question types:
- Single-answer MCQ — pick the one best answer
- Multi-select — usually "choose 2" or "choose 3" — always stated in the stem
- Scenario-based — 2–4 sub-questions from a shared business scenario
- Azure portal labs — complete actual tasks in a live Azure environment (no notes or documentation)
Time Management
Target pace
With 150 minutes for ~50 questions, you have about 3 minutes per question. Most MCQs should take 60–90 seconds, saving time for scenarios and any lab tasks.
Flag and return strategy
If you are unsure about a question, flag it and move on immediately. Do not spend more than 2 minutes on any single question during your first pass. A fresh perspective on the second pass often surfaces the answer faster than grinding through uncertainty.
Reserve 15 minutes
Aim to finish all questions with at least 15 minutes remaining to review flagged questions and double-check any lab tasks. If you are running out of time with flagged questions remaining, answer with your best guess; there is no penalty.
Lab task strategy
If the exam includes a portal lab section, read each task carefully before clicking. Mistakes in the portal (deleting wrong resources, wrong configurations) can be hard to undo. Think before you act.
Domain Weighting Strategy
Domain 1 — Identities & Governance (20–25%)
Know RBAC cold: Owner vs Contributor vs Reader vs User Access Administrator, scope hierarchy (management group → subscription → resource group → resource), and that Contributor cannot grant access. Azure Policy effects order matters: Deny > Audit > DeployIfNotExists.
Domain 3 — Compute (20–25%)
Availability Sets (fault domains + update domains, 99.95% SLA) vs Availability Zones (99.99% SLA) are mutually exclusive — you cannot add a VM to an availability set after creation. App Service autoscale requires Standard tier or higher. Deployment slots require Standard.
Domain 2 — Storage (15–20%)
Know all 6 redundancy options — especially the difference between GRS (no secondary reads) and RA-GRS (secondary reads allowed). Archive tier cannot be set at the account level and requires individual blob rehydration (up to 15 hours for Standard priority).
Domain 4 — Networking (15–20%)
VNet peering is non-transitive by default. NSG rule priority: lower number = evaluated first. Private endpoints give a PaaS service a private IP in your VNet — accessible from on-premises. Service endpoints keep traffic on the Azure backbone but do not give a private IP.
Domain 5 — Monitor & Maintain (10–15%)
Platform metrics are collected automatically (93-day retention). Logs require a diagnostic setting. Backup vault supports Blobs/Disks/PostgreSQL; Recovery Services vault supports VMs/SQL/Files. ASR test failover is non-disruptive. Reprotect is mandatory before failback.
Reading Questions Carefully
'MOST appropriate' and 'BEST'
Two options may both be technically correct, but one is more aligned with Microsoft's recommended approach. The more targeted, purpose-built answer is usually correct over a generic one.
'FIRST' questions
What should the admin do FIRST? For RBAC questions, assign the role first. For VM questions, deallocate first. For Policy questions, assign the initiative at the management group scope first to catch all subscriptions.
'Minimum cost / least administrative effort'
AZ-104 loves least-effort scenarios. Azure Policy is less effort than manual auditing. Group-based licensing is less effort than per-user assignment. Lifecycle management is less effort than manual tiering.
Absolute words: 'always', 'never', 'only', 'must'
Usually traps. Microsoft rarely implements something with zero exceptions. Qualified language ('by default', 'typically') is usually more accurate than absolute language.
Common AZ-104 Distractor Patterns
Recognising these patterns lets you eliminate wrong answers in seconds.
1. Wrong scope for RBAC
A role is described as being assigned at the wrong scope. Owner at the resource group scope cannot manage subscriptions. Reader at the subscription scope cannot modify resources in child resource groups. Know what each scope covers.
2. Contributor can assign roles
The most common RBAC distractor. Contributor CANNOT assign roles. Only Owner and User Access Administrator can. If a question asks 'which role allows assigning roles', the answer is never Contributor.
3. GRS vs RA-GRS confusion
GRS replicates data to a secondary region but you CANNOT read from the secondary — you need RA-GRS for read access to the secondary endpoint. This distinction appears frequently.
4. Availability Set vs Availability Zone
Sets protect against rack-level failures within a datacenter (99.95% SLA). Zones protect against datacenter-level failures (99.99% SLA). They are mutually exclusive — and you cannot add an existing VM to an availability set.
5. NSG priority direction
Lower priority number = evaluated FIRST (higher precedence). This is the opposite of how most people read numbered lists. Rule 100 is evaluated before rule 200. Default rules have priority 65000+.
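Patterns 1 and 2 above (wrong scope, and Contributor assigning roles) both fall out of how a role assignment is evaluated: the action must match the role's Actions, must not match its NotActions, and the target must sit at or below the assignment scope. The following is an added example, not part of the original guide; the principals, subscription ID and resource names are constructed, the role definitions are abridged from the Azure built-in roles, and deny assignments and management-group inheritance are not modelled.

```python
from fnmatch import fnmatchcase

# Abridged built-in role definitions (only the entries relevant to these checks).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete",
                        "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}
ASSIGN_ROLES = "Microsoft.Authorization/roleAssignments/write"

# Constructed sample scopes and assignments: (principal, role, scope).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
OTHER_RG = SUB + "/resourceGroups/rg-data"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [
    ("alice", "Contributor", SUB),
    ("bob", "Owner", RG),
    ("carol", "Reader", SUB),
    ("dave", "User Access Administrator", RG),
]

def _matches(patterns, action):
    # Operation strings are compared case-insensitively; * is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role, action):
    # Effective permission = Actions minus NotActions.
    d = ROLES[role]
    return _matches(d["actions"], action) and not _matches(d["not_actions"], action)

def in_scope(assignment_scope, target):
    # An assignment covers its own scope and every child beneath it, never a parent.
    a, t = assignment_scope.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def is_allowed(assignments, principal, action, target):
    return any(p == principal and in_scope(s, target) and role_allows(r, action)
               for p, r, s in assignments)
```

When auditing a real tenant, the same question is "who holds `Microsoft.Authorization/roleAssignments/write` at or above this scope", which is the set of principals able to grant themselves anything else.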
Day-Before Checklist
Do these in order the evening before your exam. Stop by 10pm — sleep matters more than cramming.
Exam strategy guide last reviewed 2026-05-01. AZ-104 exam format subject to change — verify the current format on the Microsoft Learn certification page.