Azure administration means running cloud environments reliably as operational work shifts from manual portal tasks to repeatable, governed automation across subscriptions, teams and environments.
An Azure administrator does not need to become a software developer, but coding and scripting become important when work must be repeated, reviewed, audited or deployed safely at scale. The Azure portal remains useful for exploration, break-fix work and one-off changes, while PowerShell, Azure CLI, Bicep, YAML and KQL increasingly define how reliable day-to-day operations are performed.
Published: 30 June 2026. Last updated: 30 June 2026.
The practical threshold is scale. If an administrator needs to restart a single virtual machine, inspect a network security group rule or check a storage account setting, the portal is often the fastest and clearest option. If the same change must be made across several resource groups, repeated after every deployment or proven during an audit, scripting becomes the safer option because it reduces guesswork and produces a record of what happened.
Microsoft Learn frames the Azure administrator role around identity, governance, storage, compute, networking and monitoring. The current AZ-104 exam page is a useful reference point for that scope, because it shows that the role is operational rather than software-development focused. Even so, the work increasingly overlaps with automation, infrastructure as code and incident investigation, which means administrators benefit from being able to read and adjust scripts rather than relying only on the portal.
A simple decision rule helps: use the portal for discovery and low-risk one-offs, use PowerShell or Azure CLI for repeatable administrative tasks, use Bicep for environment builds, use YAML when deployments need approvals or pipeline control, and use KQL when monitoring data must answer an operational question. Readers who want role-aligned labs can use Azure Administrator training to compare these skills against the administration tasks commonly associated with AZ-104.
PowerShell is often the most natural starting point for administrators because it fits operational workflows: finding resources, changing configuration, exporting reports and applying policy-related updates. Azure CLI is equally useful, especially where teams already use Bash, Linux agents or cross-platform scripts. The important point is not which command-line tool is chosen first, but whether the administrator learns to make changes in a way that can be reviewed, rerun and stored in source control.
The following example shows a safe administrative pattern: query a scoped resource group and apply tags to resources that match an operational need. It avoids broad subscription-wide changes and demonstrates how scripts should begin with a narrow target.
$resourceGroup = "rg-admin-lab-uksouth"
$tagName = "workload"
$tagValue = "admin-lab"
Get-AzResource -ResourceGroupName $resourceGroup |
Where-Object { $_.ResourceType -like "Microsoft.Compute/*" } |
ForEach-Object {
$updatedTags = @{}
if ($_.Tags) { $_.Tags.GetEnumerator() | ForEach-Object { $updatedTags[$_.Key] = $_.Value } }
$updatedTags[$tagName] = $tagValue
Update-AzTag -ResourceId $_.ResourceId -Tag $updatedTags -Operation Replace
}
This script targets one resource group, changes only compute resources and keeps existing tags before adding the new value. In practice, administrators should run this kind of change from a repository, test it in a non-production subscription and use an identity with only the permissions required for the task.
Bicep becomes more valuable when environments are standardised. If each project has a different naming model, network pattern and approval process, infrastructure as code can become a place where inconsistency is copied faster. Once the organisation has agreed landing-zone patterns, tagging standards and deployment scopes, Bicep gives administrators a readable way to build and rebuild infrastructure consistently. Microsoft Learn and the Azure Architecture Center both treat infrastructure as code as a foundation for repeatable cloud operations, particularly where governance and drift control matter.
The example below creates a small lab pattern: a virtual network, subnet and network security group. It uses Bicep rather than ARM JSON because Bicep is easier to read and maintain for most operational teams, while still compiling to Azure Resource Manager templates.
param location string = resourceGroup().location
param vnetName string = 'vnet-admin-lab'
param nsgName string = 'nsg-admin-lab'
resource nsg 'Microsoft.Network/networkSecurityGroups@2024-05-01' = {
name: nsgName
location: location
properties: {
securityRules: [
{
name: 'AllowAzureBastionInbound'
properties: {
priority: 100
direction: 'Inbound'
access: 'Allow'
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '443'
sourceAddressPrefix: 'AzureCloud'
destinationAddressPrefix: '*'
}
}
]
}
}
resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' = {
name: vnetName
location: location
properties: {
addressSpace: {
addressPrefixes: [
'10.40.0.0/16'
]
}
subnets: [
{
name: 'snet-workload'
properties: {
addressPrefix: '10.40.1.0/24'
networkSecurityGroup: {
id: nsg.id
}
}
}
]
}
}
The deployment creates a controlled network foundation without opening broad inbound access from the internet. Administrators should still validate the rule against organisational policy, because many environments restrict allowed service tags, require specific naming conventions or block deployment unless Azure Policy requirements are met.
YAML matters when infrastructure changes are delivered through a pipeline rather than from a local workstation. Azure administrators do not need to become full DevOps engineers to understand pipeline basics, but they should be able to read stages, identify approval gates, spot unsafe variables and understand where a deployment identity is used. That knowledge becomes especially important when operations teams share responsibility for production releases.
This short Azure Pipelines example validates a Bicep file before deployment. It is intentionally limited to validation because many organisations require separate approval before changes reach production.
trigger: none
pool:
vmImage: ubuntu-latest
variables:
resourceGroupName: rg-admin-lab-uksouth
location: uksouth
stages:
- stage: ValidateInfrastructure
jobs:
- job: ValidateBicep
steps:
- task: AzureCLI@2
inputs:
azureSubscription: sc-admin-lab-validation
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
az deployment group validate \
--resource-group $(resourceGroupName) \
--template-file infra/main.bicep
The pipeline uses a service connection rather than a personal account and performs a validation step before deployment. In a production model, approval checks, environment controls and branch policies would usually sit around this stage so that infrastructure changes are reviewed before they are applied.
KQL is the skill many administrators postpone until an incident forces them to learn it. That delay is costly. Azure Monitor, Log Analytics and Application Insights collect the evidence administrators need during outages, performance investigations and security reviews, and KQL is the language used to turn that evidence into answers.
The next query looks for failed administrative operations in the last day. It is a practical incident-response query because it focuses on failed write operations rather than general portal activity.
AzureActivity
| where TimeGenerated > ago(24h)
| where CategoryValue == "Administrative"
| where ActivityStatusValue == "Failed"
| project TimeGenerated, Caller, OperationNameValue, ResourceGroup, ResourceProviderValue, ActivityStatusValue
| order by TimeGenerated desc
This query helps an administrator identify who attempted a change, which operation failed and where it occurred. During an incident, it can be adapted to a narrower resource group or operation name so that the team works from evidence rather than portal screenshots or chat messages.
The most useful coding skills for Azure administrators are tied to ordinary work rather than abstract programming theory. A script that exports unused public IP addresses, a Bicep module that deploys a compliant subnet, a YAML stage that blocks unapproved deployment and a KQL query that explains failed changes all have direct operational value. These are not side projects; they are how cloud administration becomes repeatable.
From a hiring perspective, this shift is visible in the tasks candidates are asked to discuss. Administrators are increasingly expected to understand basic YAML, explain how a deployment identity is scoped, read a Bicep or ARM template, and write a simple KQL query under time pressure. The bar is usually not software engineering depth. It is enough practical fluency to prevent fragile manual work from becoming the default operating model.
| Administrative task | Most useful tool | Why it matters |
|---|---|---|
| Investigating one resource setting | Azure portal | Fastest for discovery, visual checks and low-risk one-offs. |
| Applying a repeated configuration change | PowerShell or Azure CLI | Creates a repeatable command history and reduces manual variation. |
| Building an environment | Bicep | Defines infrastructure consistently and supports review before deployment. |
| Controlling release steps | YAML pipeline | Adds validation, approvals and separation between authoring and deployment. |
| Investigating incidents | KQL | Turns logs and metrics into evidence for troubleshooting. |
The main risk with administrator automation is not syntax. It is running powerful changes through weak processes. Scripts stored on a desktop, deployments performed with personal credentials and pipelines that bypass approval controls can make the environment less reliable, even when the code itself works.
Identity is the first guardrail. Automation should normally use a managed identity or service principal with role-based access control scoped to the resource group, subscription or management group it genuinely needs. Broad owner permissions should be exceptional and time-bound. Cross-tenant automation needs even more care because identity, consent and policy boundaries can differ between tenants, and assumptions that work in one directory may fail in another.
Source control is the second guardrail. A script that changes production should be versioned, reviewed and documented in the same way as other operational artefacts. This is where many administrators make an avoidable mistake: they learn scripting but continue to treat scripts as personal files. Once automation affects shared infrastructure, it belongs in a repository with naming standards, review history and rollback guidance.
Drift control is the third guardrail. Azure Policy, template specs, deployment stacks and regular validation can help detect or prevent changes that move resources away from approved configurations. The practical challenge is sequencing: if policy is introduced after teams have already deployed inconsistent resources, administrators may need a remediation plan before enforcement is turned on. Otherwise, good governance can unintentionally block urgent operational work.
A realistic practice exercise is to build a small resource group that mirrors a common operations workflow. The administrator deploys a network and compute foundation with Bicep, configures settings with PowerShell, sends logs to Log Analytics, queries activity with KQL and validates the Bicep file through a YAML pipeline before any deployment stage is approved. This mirrors the hands-on style used in Readynez training without turning the exercise into a course catalogue.
The learning value comes from connecting the tools. Bicep shows the intended state, PowerShell handles repeatable operational configuration, KQL verifies what happened and YAML adds controlled delivery. If one part is skipped, the lab becomes less realistic: infrastructure without monitoring is hard to operate, scripts without source control are hard to trust, and pipelines without approval gates can create a larger blast radius than a careful manual change.
There are useful edge cases to include once the basic lab works. An administrator can test what happens when policy blocks a deployment, when the pipeline identity lacks a required role, or when a manual portal change creates drift from the Bicep definition. These failures teach more than a clean deployment because real Azure administration often involves diagnosing why a technically valid change did not pass governance controls.
This sequence works because it follows operational maturity. Teams usually gain more value by automating the repetitive 20 percent of admin work before trying to model every environment in infrastructure as code. Once the organisation has clearer standards, Bicep modules and pipeline controls become easier to maintain.
Administrators who want a broader Microsoft learning route can explore the Microsoft training catalogue, while teams that need repeated access to Microsoft role-based learning can compare options through unlimited Microsoft training. These paths are most useful when paired with a lab environment and a clear objective, such as reducing manual changes or improving incident response.
Azure administrators do not need software development depth, but they do need practical scripting and automation skills as environments grow. The portal is still useful, yet repeatable work is safer when it can be reviewed, rerun and audited.
PowerShell is often the most direct starting point for administrators in Microsoft environments. Azure CLI is also valuable, especially for cross-platform teams or pipeline agents that use Bash.
AZ-104 is an administrator exam, not an infrastructure-as-code exam, but understanding templates and deployment concepts supports the role. Bicep knowledge is especially useful when administrators help maintain repeatable Azure environments.
An administrator should be able to read a basic pipeline, understand stages and jobs, recognise approval points and identify which service connection or managed identity performs the deployment. Writing complex delivery platforms is usually a DevOps engineering responsibility.
Coding for Azure administration is best understood as operational control rather than application development. The goal is to make changes repeatable, visible and safe, while keeping identity, approvals and governance in view. PowerShell and Azure CLI handle everyday automation, Bicep defines infrastructure, YAML controls delivery and KQL explains what happened when something breaks.
A practical next step is to choose one routine administrative task and move it from the portal into a reviewed script or lab pipeline. Readers who want structured guidance can contact Readynez to discuss Azure administrator learning options, but the core principle remains the same: useful coding skill starts with real operational work and grows through disciplined repetition.
Get Unlimited access to ALL the LIVE Instructor-led Microsoft courses you want - all for the price of less than one course.
You're viewing our global site from United States
Would you like to view the site in
English
with prices in
Dollar?