- Domain 1 carries 20-25% of the AZ-104 exam weight, tied for the largest single domain alongside compute.
- Microsoft Entra ID (formerly Azure AD) is the backbone of this domain - expect deep questions on users, groups, and identity federation.
- RBAC assignments, Azure Policy, and management group hierarchy are consistently high-value exam topics with interactive question types.
- The passing score is 700 on Microsoft's scaled model, not a raw 70% - every Domain 1 question answered correctly compounds your scaled result.
What Domain 1 Actually Covers
Domain 1 of the AZ-104 exam - Manage Azure identities and governance - is not a soft introduction. It demands that candidates understand how Azure authenticates identities, how access is controlled at every layer, and how organizations enforce compliance across potentially dozens of subscriptions. If you have browsed the AZ-104 Exam Domains 2026: Complete Guide to All 5 Content Areas, you already know this domain shares the top weighted position alongside Domain 3 (compute) at 20-25%.
The official skills measured as of April 17, 2026 break Domain 1 into four major skill areas:
- Manage Microsoft Entra users and groups - creating and managing user accounts, bulk operations, external identities, and group types (assigned vs. dynamic, security vs. Microsoft 365).
- Manage access to Azure resources - Role-Based Access Control (RBAC), custom roles, and the principle of least privilege applied at different scopes.
- Manage Azure subscriptions and governance - management groups, subscription policies, resource locks, Azure Policy, initiatives, and cost management basics.
- Manage Microsoft Entra ID - tenant configuration, self-service password reset (SSPR), multi-factor authentication settings, and Conditional Access fundamentals.
Each of these translates directly into scenarios you will encounter in a live Azure environment - which is exactly why Microsoft may include performance-based lab tasks testing these specific configurations.
Why the 20-25% Weight Changes Your Prep Strategy
The AZ-104 exam uses Microsoft's scaled scoring model, where the passing mark is 700 out of 1000 - not a simple 70% of raw questions answered correctly. Different questions carry different weights, and interactive or lab-based tasks can carry more weight than a standard multiple-choice item. Because Domain 1 questions appear frequently and may include drag-and-drop, hot-area, and case study formats, a candidate who understands the concepts deeply but cannot apply them in a configuration scenario is still at risk.
Understanding the difficulty profile of the AZ-104 exam helps here: identity and governance questions tend to trip up candidates not because the concepts are obscure, but because Azure's naming conventions evolved (Azure AD became Microsoft Entra ID), and the portal UI used in labs does not always match study materials written before the rebrand.
Microsoft Entra ID: The Core of Domain 1
Users and Groups
Candidates must be comfortable creating user accounts via the Azure portal, Microsoft Entra admin center, PowerShell (New-AzureADUser or the newer New-MgUser via Microsoft Graph PowerShell), and Azure CLI. Bulk operations - importing users via CSV, bulk deletion, bulk invite of external (B2B) users - are explicitly testable.
Group types matter significantly. You must know the difference between:
- Security groups - used for RBAC assignments and resource access.
- Microsoft 365 groups - collaboration-focused, with mailbox, SharePoint site, and Teams integration.
- Assigned membership - manually managed.
- Dynamic membership - rule-based, auto-populated from user or device attributes (requires Microsoft Entra ID P1 licensing).
Microsoft Entra ID - High-Priority Subtopics
These are the specific areas that generate the most Domain 1 exam questions based on the published skills outline:
- Creating and managing user accounts and external (guest) identities
- Configuring SSPR and MFA per-user and via Conditional Access policies
- Understanding Entra ID license tiers (Free, P1, P2) and feature availability per tier
- Managing device registration, including Entra ID Join vs. Hybrid Entra ID Join
- Configuring administrative units to delegate scoped admin rights
Conditional Access and MFA
Conditional Access is a Microsoft Entra ID P1/P2 feature that enforces access rules based on signals: user, location, device compliance, and app being accessed. The exam tests whether candidates can configure a Conditional Access policy in the portal - selecting assignments (users/groups, cloud apps, conditions) and access controls (grant/block, require MFA, require compliant device). Knowing which license tier unlocks which feature is fair game for a question.
Administrative Units
Administrative units are a scoping mechanism that allows tenant administrators to delegate directory management to a subset of users. For example, a regional IT manager might be a User Administrator only for the users and groups within their administrative unit, not the entire tenant. Questions often present a scenario requiring you to identify the correct delegation approach - administrative units versus custom RBAC roles versus subscription-level assignments.
RBAC, Azure Policy, and Governance Controls
Role-Based Access Control at Every Scope
Azure RBAC is the authorization system controlling who can do what with which Azure resources. The exam expects you to understand the full scope hierarchy: management group → subscription → resource group → individual resource. A role assignment at a higher scope is inherited by all child scopes. Candidates must know the four fundamental built-in roles (Owner, Contributor, Reader, User Access Administrator) and when to apply each.
Custom roles are also testable. You need to know that custom roles are defined in JSON, can be scoped to one or more subscriptions or management groups, and are created via PowerShell, CLI, or ARM templates. The key properties - Actions, NotActions, DataActions, NotDataActions, and AssignableScopes - appear in hot-area and build-list question formats where you must construct or evaluate a role definition.
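The scope hierarchy, the Actions/NotActions subtraction and the AssignableScopes rule described above can be modelled in a few dozen lines. The following is an added example, not code from the page or from Microsoft: the scope tree, the two principals and the "VM Operator" custom role are constructed sample data, and the Contributor entry is trimmed to its well-known NotActions rather than being the full built-in definition.

```python
"""
Model of how Azure RBAC decides a request: role assignments inherit down the scope
hierarchy, a role grants (Actions minus NotActions) with '*' wildcards, and a custom
role can only be assigned at or below one of its AssignableScopes. The scope tree,
principals and the 'VM Operator' role are constructed sample data; the Contributor
entry is trimmed to its well-known NotActions.
"""
import re

MG_CORP = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/sub-prod"
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DB = SUB + "/resourceGroups/rg-db"
VM1 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = RG_DB + "/providers/Microsoft.Compute/virtualMachines/vm2"

# Constructed hierarchy: child scope -> parent scope (None at the top of the sample tree).
PARENT = {MG_CORP: None, SUB: MG_CORP, RG_WEB: SUB, RG_DB: SUB, VM1: RG_WEB, VM2: RG_DB}


def ancestors(scope):
    """The scope itself followed by every parent; an assignment at any of these applies."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT.get(scope)
    return chain


CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [  # everything except changing who has access
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/"],
}

# Hypothetical custom role: read/start/restart only, assignable nowhere outside sub-prod.
VM_OPERATOR = {
    "Name": "VM Operator (sample)",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [SUB],
}


def matches(pattern, operation):
    """Operation strings compare case-insensitively; '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.lower().split("*")) + "$"
    return re.match(regex, operation.lower()) is not None


def role_permits(role, operation, data_action=False):
    """NotActions only subtract from this role's own Actions; they never deny other roles."""
    allow = role["DataActions"] if data_action else role["Actions"]
    deny = role["NotDataActions"] if data_action else role["NotActions"]
    return any(matches(p, operation) for p in allow) and not any(matches(p, operation) for p in deny)


def can_assign(role, scope):
    """An assignment must sit at or below one of the role's AssignableScopes ('/' means anywhere)."""
    return any(s == "/" or s in ancestors(scope) for s in role["AssignableScopes"])


def is_authorized(principal, operation, scope, assignments, data_action=False):
    """assignments: (principal, role, scope) triples. Any inherited assignment that permits wins."""
    for who, role, at in assignments:
        if who == principal and at in ancestors(scope) and role_permits(role, operation, data_action):
            return True
    return False


ASSIGNMENTS = [
    ("dev@contoso.example", CONTRIBUTOR, SUB),     # inherited by every RG and resource in sub-prod
    ("ops@contoso.example", VM_OPERATOR, RG_WEB),  # only rg-web and the resources inside it
]

if __name__ == "__main__":
    checks = [
        ("dev@contoso.example", "Microsoft.Compute/virtualMachines/write", VM1),
        ("dev@contoso.example", "Microsoft.Authorization/roleAssignments/write", RG_WEB),
        ("ops@contoso.example", "Microsoft.Compute/virtualMachines/start/action", VM1),
        ("ops@contoso.example", "Microsoft.Compute/virtualMachines/start/action", VM2),
    ]
    for who, op, scope in checks:
        print(f"{who:22} {op:48} {'ALLOW' if is_authorized(who, op, scope, ASSIGNMENTS) else 'DENY'}")
    print("VM Operator assignable at management group:", can_assign(VM_OPERATOR, MG_CORP))
```

The two exam traps are visible in the checks: the Contributor at subscription scope reaches `vm1` by inheritance but is refused `roleAssignments/write` by its own NotActions, and the custom role can be assigned at `rg-web` (inside its AssignableScopes) but not at the management group above the subscription. Real Azure adds deny assignments and Microsoft Entra PIM on top of this model; the example leaves those out.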
Azure Policy
Azure Policy evaluates resources against business rules expressed as policy definitions. Key concepts to master:
- Policy definitions - individual rules (built-in or custom) written in JSON.
- Initiatives (policy sets) - collections of related policy definitions assigned together.
- Effects - Audit, AuditIfNotExists, Deny, DeployIfNotExists, Append, Modify. The exam tests which effect is appropriate for a described outcome.
- Compliance view - understanding how to interpret the compliance dashboard and trigger remediation tasks.
- Scope of assignment - policies can be assigned at management group, subscription, or resource group scope.
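To make the effect choices concrete, here is an added example (not code from the page or a Microsoft sample) that evaluates a small subset of the Azure Policy rule language against plain resource dictionaries. It supports `field` conditions with `equals`, `notEquals`, `exists`, `in` and `notIn`, the `allOf`/`anyOf`/`not` combinators, and the Append, Modify, Deny and Audit effects applied in the order Azure uses (Append and Modify first, then Deny, then Audit). The three policy definitions, the tag value `unassigned` and the two resources are constructed; the Allowed-locations rule only mirrors the shape of the built-in definition and the `roleDefinitionIds` entry is a placeholder.

```python
"""
Minimal evaluator for a subset of the Azure Policy rule language: field conditions,
allOf/anyOf/not, and the effects Append, Modify, Deny and Audit in Azure's evaluation
order. Policies and resources below are constructed samples.
"""
import copy


def tag_name(field):
    return field[5:-1].strip("'\"")  # tags['CostCenter'] -> CostCenter


def get_field(resource, field):
    """Resolve a policy 'field' against a resource dict; tags['Name'] addresses one tag."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(tag_name(field))
    return resource.get(field)


def set_field(resource, field, value):
    if field.startswith("tags[") and field.endswith("]"):
        resource.setdefault("tags", {})[tag_name(field)] = value
    else:
        resource[field] = value


def holds(cond, resource):
    """Evaluate an 'if' block. String comparisons are case-insensitive, as in Azure Policy.
    Simplification: a missing field counts as 'not equal' / 'not in' for the negative operators."""
    if "allOf" in cond:
        return all(holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not holds(cond["not"], resource)
    value = get_field(resource, cond["field"])
    norm = lambda v: str(v).lower()
    if "exists" in cond:
        return (value is not None) == (norm(cond["exists"]) == "true")
    if "equals" in cond:
        return value is not None and norm(value) == norm(cond["equals"])
    if "notEquals" in cond:
        return value is None or norm(value) != norm(cond["notEquals"])
    if "in" in cond:
        return value is not None and norm(value) in {norm(v) for v in cond["in"]}
    if "notIn" in cond:
        return value is None or norm(value) not in {norm(v) for v in cond["notIn"]}
    raise ValueError(f"unsupported condition: {cond}")


def apply_effect(policy, resource):
    """Return (outcome, resource): 'compliant', 'denied', 'non-compliant' (audit) or 'modified'."""
    rule = policy["properties"]["policyRule"]
    if not holds(rule["if"], resource):
        return "compliant", resource
    then, effect = rule["then"], rule["then"]["effect"].lower()
    if effect == "deny":
        return "denied", resource
    if effect == "audit":
        return "non-compliant", resource  # recorded on the compliance dashboard, request proceeds
    patched = copy.deepcopy(resource)
    if effect == "append":  # Append only adds; a conflicting existing value turns into a deny
        for op in then["details"]:
            current = get_field(patched, op["field"])
            if current is not None and str(current).lower() != str(op["value"]).lower():
                return "denied", resource
            set_field(patched, op["field"], op["value"])
    elif effect == "modify":  # 'add' keeps an existing value, 'addOrReplace' overwrites it
        for op in then["details"]["operations"]:
            if op["operation"] == "addOrReplace" or get_field(patched, op["field"]) is None:
                set_field(patched, op["field"], op["value"])
    else:
        raise ValueError(f"unsupported effect: {effect}")
    return "modified", patched


ORDER = {"append": 0, "modify": 0, "deny": 1, "audit": 2}
SEVERITY = {"compliant": 0, "modified": 1, "non-compliant": 2, "denied": 3}


def evaluate(policies, resource):
    """Evaluate an initiative: Append/Modify run before Deny, so a Modify that adds the tag
    stops a 'tag must exist' Deny from firing. Returns the most severe outcome and the resource."""
    outcome = "compliant"
    for policy in sorted(policies, key=lambda p: ORDER[p["properties"]["policyRule"]["then"]["effect"].lower()]):
        result, resource = apply_effect(policy, resource)
        if result == "denied":
            return "denied", resource
        if SEVERITY[result] > SEVERITY[outcome]:
            outcome = result
    return outcome, resource


def policy(name, if_block, then_block):
    return {"name": name, "properties": {"mode": "Indexed", "policyRule": {"if": if_block, "then": then_block}}}


MISSING_COSTCENTER = {"field": "tags['CostCenter']", "exists": "false"}
REQUIRE_COSTCENTER = policy("require-costcenter", MISSING_COSTCENTER, {"effect": "Deny"})
DEFAULT_COSTCENTER = policy("default-costcenter", MISSING_COSTCENTER, {"effect": "Modify", "details": {
    "roleDefinitionIds": ["<role-definition-id placeholder for the remediation identity>"],
    "operations": [{"operation": "addOrReplace", "field": "tags['CostCenter']", "value": "unassigned"}]}})
ALLOWED_LOCATIONS = policy("allowed-locations", {"allOf": [
    {"field": "location", "notIn": ["westeurope", "northeurope"]},
    {"field": "location", "notEquals": "global"}]}, {"effect": "Deny"})

UNTAGGED_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope", "tags": {}}
EASTUS_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus", "tags": {"CostCenter": "1234"}}

if __name__ == "__main__":
    print("Deny alone:", evaluate([REQUIRE_COSTCENTER], UNTAGGED_VM)[0])
    print("Modify + Deny:", evaluate([DEFAULT_COSTCENTER, REQUIRE_COSTCENTER], UNTAGGED_VM))
    print("Allowed locations:", evaluate([ALLOWED_LOCATIONS], EASTUS_VM)[0])
```

Note what the evaluator does not take into account: who is making the request. That is the RBAC/Policy distinction the exam leans on, since a policy judges the resource's configuration, not the caller's identity.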
Resource Locks
Resource locks prevent accidental deletion or modification. The two lock types are CanNotDelete (read and modify allowed, deletion blocked) and ReadOnly (no modifications or deletions). Locks apply to all users including Owners and propagate to child resources. Exam scenarios often describe an accidental deletion incident and ask which control would have prevented it.
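The lock rules have two subtleties worth checking in code rather than trusting a study sheet: locks inherit down the scope tree, and ReadOnly is defined by HTTP verb, so a control-plane POST such as listing storage account keys is blocked even though it feels like a read. The following is an added example, not code from the page or a Microsoft sample; the scopes and the lock placements are constructed, while the operation names are real ARM operations paired with the verbs they use.

```python
"""
Resource lock semantics: CanNotDelete blocks DELETE, ReadOnly blocks every verb except GET,
locks inherit from parent scopes, and they bind every principal regardless of RBAC.
Scopes and lock placements are constructed samples.
"""

# ARM management-plane operations and the HTTP verb behind them. listKeys is the classic
# surprise: it returns secrets you only want to read, but it is a POST.
OPERATION_METHOD = {
    "Microsoft.Storage/storageAccounts/read": "GET",
    "Microsoft.Storage/storageAccounts/write": "PUT",
    "Microsoft.Storage/storageAccounts/delete": "DELETE",
    "Microsoft.Storage/storageAccounts/listKeys/action": "POST",
    "Microsoft.Compute/virtualMachines/read": "GET",
    "Microsoft.Compute/virtualMachines/start/action": "POST",
    "Microsoft.Compute/virtualMachines/delete": "DELETE",
}

BLOCKED_METHODS = {
    "CanNotDelete": {"DELETE"},
    "ReadOnly": {"PUT", "PATCH", "POST", "DELETE"},
}


def is_within(scope, lock_scope):
    """Resource IDs are case-insensitive; a lock covers its own scope and everything beneath it."""
    s, l = scope.lower(), lock_scope.lower()
    return s == l or s.startswith(l + "/")


def blocking_locks(operation, scope, locks):
    """
    locks: list of (lock_scope, level). Returns every inherited lock that blocks this
    operation, parents first; an empty list means the lock layer lets the request through
    (RBAC is still evaluated separately).
    """
    method = OPERATION_METHOD[operation]
    return [
        (lock_scope, level)
        for lock_scope, level in sorted(locks, key=lambda lock: len(lock[0]))
        if is_within(scope, lock_scope) and method in BLOCKED_METHODS[level]
    ]


SUB = "/subscriptions/sub-prod"
RG_DATA = SUB + "/resourceGroups/rg-data"
RG_WEB = SUB + "/resourceGroups/rg-web"
STORAGE = RG_DATA + "/providers/Microsoft.Storage/storageAccounts/stprodlogs"
VM1 = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm1"

LOCKS = [
    (SUB, "CanNotDelete"),   # nothing in sub-prod can be deleted, Owners included
    (RG_DATA, "ReadOnly"),   # rg-data is frozen: no changes, no POST actions
]

if __name__ == "__main__":
    for op, scope in [
        ("Microsoft.Storage/storageAccounts/listKeys/action", STORAGE),
        ("Microsoft.Storage/storageAccounts/read", STORAGE),
        ("Microsoft.Compute/virtualMachines/delete", VM1),
        ("Microsoft.Compute/virtualMachines/start/action", VM1),
    ]:
        hits = blocking_locks(op, scope, LOCKS)
        print(f"{op:50} {'BLOCKED by ' + str(hits) if hits else 'allowed by locks'}")
```

Removing a lock is itself a write on `Microsoft.Authorization/locks`, which is why Owner and User Access Administrator can lift one before deleting while Contributor cannot; the lock layer above does not model that step.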
Subscriptions and Management Groups
| Scope Level | What You Can Assign Here | Typical Use Case |
|---|---|---|
| Management Group | RBAC, Azure Policy, Initiatives | Enforce organization-wide governance across all subscriptions |
| Subscription | RBAC, Azure Policy, Budgets, Resource Locks | Billing boundary, isolate environments (prod/dev) |
| Resource Group | RBAC, Azure Policy, Resource Locks, Tags | Lifecycle management - deploy and delete resources together |
| Resource | RBAC, Resource Locks, Tags | Granular access or protection for a single resource |
Management groups nest up to six levels deep beneath the root management group. The root is automatically created for every Entra tenant and cannot be moved or deleted. Elevating a Global Administrator's access to the root management group is a specific, testable task - the portal option is buried in Entra ID properties, and questions may describe the symptom (subscriptions not visible in the management group hierarchy) and ask you to identify the fix.
Cost management basics - configuring budgets, budget alerts, and using Azure Cost Management + Billing - appear at the edges of Domain 1. You do not need deep FinOps expertise, but you should know how to create a budget with alert thresholds and understand that cost alerts are informational and do not block spending.
How Domain 1 Topics Appear on Exam Day
The AZ-104 exam runs for 100 minutes (the full appointment with check-in, tutorial, and survey is longer). Candidates commonly see roughly 40-60 questions across multiple-choice, case study, drag-and-drop, build-list, hot-area, and other interactive formats. Performance-based lab tasks may also appear.
Domain 1 lends itself particularly well to scenario-based formats. Expect questions structured like:
- "A developer needs to deploy VMs but must not be able to modify RBAC assignments. Which built-in role should you assign?" (Contributor, not Owner)
- "You need to ensure all resources created in a subscription have a 'CostCenter' tag. What should you configure?" (Azure Policy with Append or Modify effect)
- "Users in the HR department are being added to a security group manually. You need to automate membership based on the department attribute. What is the prerequisite?" (Microsoft Entra ID P1 license for dynamic group membership)
Case studies present a multi-page company scenario and ask a series of questions referencing the same environment. For Domain 1, a case study might describe a hybrid identity setup and ask you to determine the correct sync configuration, the appropriate Conditional Access policy, and the RBAC role assignments needed - all from the same fictional environment document.
Practice with realistic exam-style questions before your test date. Working through a full set of AZ-104 practice tests covering Domain 1 scenarios will surface the exact gaps in your RBAC and policy knowledge before they cost you points on exam day.
A Domain-Specific Study Schedule for Identities and Governance
Microsoft Entra ID Foundations
- Create and manage users and groups in the portal and via PowerShell/CLI
- Configure SSPR end-to-end in a free Azure trial tenant
- Understand Entra ID license tiers and feature gates
- Practice bulk user import using a CSV file
RBAC and Custom Roles
- Assign built-in roles at subscription, resource group, and resource scope
- Create a custom role in JSON and assign it via CLI
- Verify inherited permissions using the "Check access" tool in the portal
- Distinguish DataActions from Actions in a role definition
Azure Policy, Locks, and Management Groups
- Assign a built-in policy (e.g., "Allowed locations") at subscription scope
- Create a custom initiative and assign it to a resource group
- Apply CanNotDelete and ReadOnly locks; test behavior as a Contributor
- Configure a management group hierarchy in a trial tenant
Spending three focused weeks on Domain 1 before moving to storage and compute makes strategic sense given the weight. The concepts here - particularly RBAC inheritance and policy effects - also underpin governance questions that appear throughout other domains. For a broader week-by-week plan covering all five domains, the AZ-104 Study Guide 2026: How to Pass on Your First Attempt provides a structured sequence from registration through exam day.
Where Candidates Lose Points in Domain 1
Key Takeaway
The single most common Domain 1 mistake is conflating RBAC and Azure Policy. RBAC governs who can act; Azure Policy governs what configuration is permitted. Exam scenarios are deliberately written to test whether you know which control to apply - and assigning the wrong one in a lab task will cost you the full question weight.
Other frequent point-loss patterns in Domain 1:
- Missing the Entra ID P1 license requirement for Conditional Access and dynamic group membership. Exam scenarios often imply a budget-constrained environment - you must know which features require which license tier.
- Confusing role assignment scope with role definition scope. A custom role may be defined at management group scope but assigned only at subscription scope - candidates mix up where you set AssignableScopes versus where you perform the assignment.
- Forgetting that ReadOnly locks block operations that look like reads. Listing storage account keys is a POST operation, not a GET - a ReadOnly lock will block it, which surprises candidates who have not tested this behavior.
- Ignoring administrative units. This feature is underrepresented in third-party study materials but appears on the official skills outline. Know when administrative units are the right delegation tool versus a custom RBAC role.
- Using outdated "Azure Active Directory" terminology in answers. While Microsoft has maintained backward compatibility, questions in the current exam use Microsoft Entra ID branding, and portal-based lab tasks reflect the renamed admin center.
Pairing hands-on lab work with timed AZ-104 practice exam questions in Domain 1 format is the most reliable way to identify and correct these gaps before your appointment. The exam fee is $165 USD in the United States - catching these mistakes in practice rather than on exam day is a straightforward return on preparation time. For a full breakdown of exam pricing by region, see the AZ-104 Certification Cost 2026: Complete Pricing Breakdown.
Also worth noting: the AZ-104 certification renews every 12 months through a free online Microsoft Learn renewal assessment - not a paid re-exam. But the renewal assessment also covers identity and governance topics, so building genuine understanding now pays forward to renewal as well.
If you are evaluating whether the investment in preparation is justified by career outcomes, the AZ-104 Salary Guide 2026: Complete Earnings Analysis provides qualitative context on how the Azure Administrator credential affects compensation across different roles and markets.
Frequently Asked Questions
Microsoft rebranded Azure Active Directory to Microsoft Entra ID. The underlying technology and most features are the same, but the AZ-104 exam as of April 2026 uses the Microsoft Entra ID naming convention throughout. Portal-based lab tasks will show the Entra admin center UI. Study materials that still reference "Azure AD" are conceptually valid but make sure you can navigate the renamed portal sections.
A free Azure trial account gives you access to Microsoft Entra ID Free tier, which supports the majority of Domain 1 hands-on tasks including user/group management, RBAC, and Azure Policy. Features requiring P1 (Conditional Access, dynamic groups) can be trialed with the Microsoft Entra ID P2 30-day trial available within any tenant. Enable the trial specifically to practice those policy and Conditional Access scenarios.
Microsoft does not publish a fixed per-domain question count. Given the 20-25% domain weight and a typical question count of roughly 40-60 items, you can reasonably expect somewhere in the range of 8-15 Domain 1 questions - but this varies per delivery. Some questions in other domains (particularly compute and networking) will touch governance topics like RBAC at the resource level, extending Domain 1 knowledge indirectly.
Performance-based lab tasks, when scheduled for your delivery, can require you to complete objectives using any available method - the Azure portal, PowerShell, or Azure CLI. Domain 1 lab tasks commonly involve the portal (creating users, assigning roles, configuring policies) but you may also need to execute CLI commands in a Cloud Shell instance within the lab environment. Practice all three interfaces during your preparation.
Domain 1 is foundational. RBAC concepts from Domain 1 reappear in Domain 2 (storage account access), Domain 3 (VM managed identity assignments), and Domain 4 (network resource permissions). Understanding governance scope hierarchy helps when Domain 5 asks about monitoring at subscription versus resource group level. Master Domain 1 first - it makes every other domain more tractable. For coverage of how all five domains interrelate, see the AZ-104 Domain 3: Deploy and manage Azure compute resources (20-25%) - Complete Study Guide 2026 and AZ-104 Domain 2: Implement and manage storage (15-20%) - Complete Study Guide 2026.