In May 2025 I passed exam AZ-104 and earned Microsoft Certified: Azure Administrator Associate. For me that credential closes a loop I'd been quietly aware of for years: at ThreeBIT we don't just build software on Azure, we run it — and the skills that ship a feature are not quite the same skills that keep it healthy at three in the morning. This certification is about the second half of that sentence.
I'm a developer by instinct and a founder by circumstance. I like writing the thing that didn't exist yesterday. But the longer ThreeBIT has been around, the more I've come to believe that the interesting, hard, unglamorous work happens after the deploy: the identities that need governing, the storage that needs securing, the network that needs to actually route traffic, and the monitoring that tells you something is wrong before a customer does. AZ-104 is Microsoft's name for that body of knowledge, and I wanted the credential to say out loud what we already practise.
What Azure Administrator Associate is
Microsoft Certified: Azure Administrator Associate is an intermediate-level, role-based certification for the Azure administrator role. Microsoft's own description is blunt and useful: a candidate "should have subject matter expertise in implementing, managing, and monitoring an organization's Azure environment, including virtual networks, storage, compute, identity, security, and governance."
The part I appreciate most is the framing of the role itself. Microsoft describes the Azure administrator as someone who "often serves as part of a larger team dedicated to implementing an organization's cloud infrastructure" and who "coordinates with other roles to deliver Azure networking, security, database, application development, and DevOps solutions." That is exactly what running customer environments looks like in a small, full-stack shop. You are rarely the only person who touches a system, and you are almost never finished — you're the person who keeps it correct.
You earn the certification by passing a single exam, AZ-104. Microsoft lists the recommended background plainly: you should be familiar with operating systems, networking, servers and virtualization, and you should have hands-on experience with PowerShell, the Azure CLI, the Azure portal, Azure Resource Manager (ARM) templates or Bicep, and Microsoft Entra ID. None of that is theoretical for us. Bicep in particular is how we describe infrastructure at ThreeBIT, so seeing it sit right there in the prerequisites felt like a fair fight rather than a stretch.
One more thing worth stating up front, because it changes how you should read any role-based Microsoft cert: it expires after twelve months. Microsoft made role-based and specialty certifications renew annually "to ensure that tech professionals keep skills up-to-date with evolving technology." Renewal is free — a shorter online assessment on Microsoft Learn (about 45 minutes), available in the six months before the certification lapses. A cloud platform that ships changes every week shouldn't hand out lifetime badges, and I respect that it doesn't.
What it actually certifies
This is the part people skip, and it's the part that matters. AZ-104 measures five skill areas, and Microsoft publishes the rough weighting of each. Here's the breakdown as the exam stands today, with what each one means in plain terms.
- Manage Azure identities and governance (20–25%). Microsoft Entra users and groups, licenses, external users, self-service password reset; role-based access control — assigning built-in roles at the right scope and being able to interpret who can do what; and the governance layer most teams underinvest in until it bites them: Azure Policy, resource locks, tags, resource groups, subscriptions, management groups, and cost control via budgets, alerts and Azure Advisor.
- Implement and manage storage (15–20%). Securing access to storage (firewalls, SAS tokens, stored access policies, access keys, identity-based access for Azure Files); configuring storage accounts and redundancy; and the day-to-day of Azure Files and Blob Storage — tiers, soft delete, lifecycle management, versioning.
- Deploy and manage Azure compute resources (20–25%). Automating deployments with ARM templates or Bicep; creating and configuring virtual machines (disks, sizes, availability zones and sets, scale sets, encryption at host); containers in the portal via Azure Container Registry, Container Instances and Container Apps; and Azure App Service — plans, scaling, TLS and certificates, custom domains, deployment slots, networking.
- Implement and manage virtual networking (15–20%). Virtual networks and subnets, peering, public IPs, user-defined routes; secure access with network security groups and application security groups, Azure Bastion, service and private endpoints; and name resolution and load balancing with Azure DNS and the Azure load balancer.
- Monitor and maintain Azure resources (10–15%). Azure Monitor — metrics, log settings, log queries, alert rules and action groups, Insights; Network Watcher and Connection Monitor; and backup and recovery with Recovery Services vaults, Azure Backup, and Azure Site Recovery including failover to a secondary region.
A couple of exam facts so nobody has to guess: it's a single exam, the passing score is 700 (on Microsoft's scaled 1–1000 range, so 700 is not 70%), and Microsoft publishes a free practice assessment and an exam sandbox so you can see the question formats before you commit. The exam is updated periodically — the version I'm describing reflects Microsoft's current published skills outline — and localized versions, including German, typically follow the English update by about eight weeks.
What strikes me reading that list back is how little of it is "click here to make a VM." The weighting tells the story: identity and governance and compute carry the most marks, and the questions are about judgement — the right scope for a role assignment, the right redundancy for a storage account, the right failover plan — far more than about memorising a blade in the portal.
Why I bothered to certify
Honest answer first: I didn't need a certificate to deploy a virtual network. We've been doing this in production for years. So why sit a timed exam as a founder with plenty else to do?
Because building and operating are genuinely different disciplines, and I wanted to be tested on the second one. When you build, you can choose your battles — you control the surface area, you decide what's in scope, you ship and move on. When you operate a customer's environment, the environment chooses the battles for you. An identity is misconfigured and someone can't sign in. A storage firewall is one rule too tight and a nightly job fails silently. A network security group blocks the exact port that the integration needs. None of those are coding problems. They're administration problems, and they're the ones that erode trust with a customer fastest, because they're invisible right up until they aren't.
There's also a discipline in studying for an exam that you don't get from day-to-day work. On the job you learn the path you walk most often and you stay on it. AZ-104 forced me back through the corners I'd been avoiding — object replication, stored access policies, the precise difference between service endpoints and private endpoints, the parts of Azure Site Recovery I'd touched once and hoped never to touch again. Half the value of a role-based cert isn't the badge; it's being made to revisit the 30% of the platform you'd quietly stopped learning.
And the renewal cadence keeps that honest. An annual, free reassessment means the credential is a standing claim about current skills, not a souvenir from the year I happened to study hard. For a shop that asks customers to trust us with their production Azure tenants, "this person re-proves their Azure operations knowledge every year" is a much stronger promise than a one-time pass from years ago.
How it shows up in our work at ThreeBIT
ThreeBIT is a Microsoft-stack company in Ibbenbüren, building on Azure and .NET. We make products — Xircuit and Outastory — and we run environments for customers in industries where a failure isn't a cosmetic bug but a missed export, a failed payment, or a compliance finding. The five AZ-104 domains aren't abstract to me; they map almost one-to-one onto the work week.
Identity and governance is where it starts and where the consequences are biggest. Getting Microsoft Entra users, groups and role assignments right — at the correct scope, least-privilege by default — is the difference between a tidy tenant and a security incident waiting to be written up. The governance pieces, Azure Policy and resource locks and tagging and cost alerts, are what stop a customer's subscription from drifting into chaos and surprise bills. That's not glamorous, and it's some of the most valuable work we do.
Networking and storage are the plumbing our applications stand on. Virtual networks, NSGs, private endpoints, Bastion — when those are configured deliberately, our apps are reachable exactly where they should be and nowhere else. Storage redundancy, soft delete, lifecycle management and SAS scoping decide whether a customer's data is durable and access is tight, or whether one bad afternoon becomes a very bad week.
Compute and monitoring close it out. We describe infrastructure as Bicep — which is squarely on the exam — so deployments are repeatable and reviewable rather than hand-clicked and forgotten. And monitoring is the honesty layer of the whole thing: Azure Monitor metrics and logs, alert rules wired to the right action groups, and a real backup and recovery posture with Recovery Services vaults and Site Recovery. The goal is simple and unromantic — we want to know something is wrong before our customer does, and we want a tested way back when it is.
That's the loop the certification closes for me. We've always taken "build it" seriously. AZ-104 is me putting the same seriousness, on the record and renewed every year, into "run it." Both halves are the job.
Sources & further reading
- Microsoft Learn — Microsoft Certified: Azure Administrator Associate (certification overview, level, role, 12-month renewal): https://learn.microsoft.com/en-us/credentials/certifications/azure-administrator/
- Microsoft Learn — Study guide for Exam AZ-104: Microsoft Azure Administrator (skills measured, weightings, audience profile, passing score, practice assessment): https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104
- Microsoft Learn — Renew your Microsoft Certification and renewal FAQ (annual expiry, free online assessment, ~45 minutes, available six months before expiry): https://learn.microsoft.com/en-us/credentials/certifications/renew-your-microsoft-certification
- Microsoft Learn — Course AZ-104T00-A: Microsoft Azure Administrator (recommended background, course scope): https://learn.microsoft.com/en-us/training/courses/az-104t00
Image credits
All images are used under their respective Creative Commons or public-domain terms; we are grateful to the creators.
- Rack with varoius servers — © Aaron Hall, CC BY-SA 2.0, via Wikimedia Commons (source).
- Azaleos NOC — © Azaleos, CC BY-SA 3.0, via Wikimedia Commons (source).
- EHR Interface Design = a giant MESS — © juhansonin, CC BY 2.0, via Flickr (source).