Hard AZ-305 practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 29 hard questions available — no sign-up, always free.
A retail company runs a stateful microservices application on Azure Kubernetes Service (AKS) in the East US region. The application uses Azure Disk-backed persistent volumes for a self-hosted database and configuration state. Leadership requires a documented disaster recovery plan that can bring the full application—including its persistent data—back online in the West US region within an RTO of 2 hours and an RPO of 30 minutes if East US becomes unavailable. The team wants a repeatable, automated, cloud-native approach that captures both Kubernetes objects and volume data. Which approach best meets these requirements?
A retail company runs a stateless web API on Azure Virtual Machine Scale Sets deployed in two regions: East US and West Europe. Customers are global, and the company wants all inbound API traffic to be automatically directed to the nearest healthy regional deployment based on network latency, with automatic failover if one region becomes unavailable. The solution must operate at the TCP/UDP layer because the API uses a custom binary protocol over a non-HTTP port, and it must expose a single static anycast IP address to clients. Which Azure load-balancing service should you recommend?
Contoso runs a legacy line-of-business application on a physical Windows server in an on-premises datacenter. The application must connect to an Azure SQL Database. Security requires that no passwords or connection-string secrets be stored on the server, and the solution must avoid deploying or managing certificates manually. What should you recommend to authenticate the application to Azure SQL Database?
A company recently acquired two smaller firms, each running its own independent Active Directory forest with no trust relationships between them. The parent company already synchronizes its primary forest to Microsoft Entra ID using Microsoft Entra Connect Sync with a single server. The IT team must integrate identities from the two newly acquired forests into the existing Entra tenant as quickly as possible, minimize on-premises infrastructure footprint, and support lightweight, agent-based deployment that is resilient to server outages. Which identity synchronization approach should you recommend for the two acquired forests?
Contoso synchronizes its on-premises Active Directory to Microsoft Entra ID using Microsoft Entra Connect. The identity team creates and manages cloud security groups in Entra ID for SaaS app access. However, several legacy on-premises file shares grant permissions based on AD security groups only. Contoso wants users assigned to cloud-managed Entra groups to automatically gain access to these on-premises file shares without manually recreating groups in AD. Which solution should you recommend?
A financial services company runs a mission-critical SQL Server workload on an Azure VM. Compliance requires that database backups be retained for 7 years and be protected against accidental or malicious deletion, including deletion attempts by rogue administrators. The solution must minimize operational overhead and avoid deploying separate backup infrastructure. Which approach should you recommend?
A company runs 200 VMs across multiple subscriptions. The operations team needs near-real-time performance dashboards refreshed every minute for capacity planning, while a separate compliance team requires that guest OS event logs be retained for seven years at the lowest possible storage cost, with only occasional ad-hoc querying. You must recommend a monitoring and retention design that minimizes ongoing cost while meeting both requirements. What should you recommend?
Contoso operates 30 subscriptions across multiple business units. The security operations team needs a single, centralized location to query Azure Firewall logs, NSG flow logs, and Azure Activity logs from all subscriptions for cross-subscription threat hunting and correlation. Individual business units must retain the ability to access only the logs from their own resources for troubleshooting. Which logging design should you recommend?
A financial services company allows employees to access Microsoft 365 and internal SaaS apps from both corporate and personal devices. Security requires that when users access a highly sensitive expense-approval app from an unmanaged device, they must reauthenticate every hour and be prevented from downloading or printing content. Access from compliant, Intune-managed devices should retain normal sign-in frequency. The solution must apply only to the expense-approval app without affecting other apps. What should you recommend?
A financial services company has detected several incidents where attackers exfiltrated session tokens from compromised endpoints and replayed them from unmanaged devices to access Microsoft 365. Users authenticate with phishing-resistant MFA, but the stolen tokens bypass the MFA requirement because the session is already established. The security architect must recommend a Conditional Access capability that cryptographically binds the issued session token to the specific device, so a replayed token from a different device is rejected. Which capability should be recommended?
A retail company has 12 subscriptions organized under a management group hierarchy. The finance team needs to allocate costs by business unit (BU) and cost center. Currently, resource owners inconsistently apply tags, and many existing resources have no tags at all. The architect must design a governance solution that (1) ensures new resources automatically inherit the 'CostCenter' and 'BusinessUnit' tags from their parent resource group when not specified, and (2) brings the large number of existing untagged resources into compliance without manually editing each one. Which combination of Azure Policy capabilities should the architect recommend?
Contoso is acquiring Fabrikam, which operates in a separate Microsoft Entra tenant. Fabrikam employees (guest users invited via B2B) must access Contoso's Azure resources. Contoso already enforces MFA through Conditional Access. To avoid forcing Fabrikam users to re-register for MFA in Contoso's tenant while still requiring MFA, which approach should you recommend?
A financial services company is acquiring another firm that has its own Azure AD tenant and several Azure subscriptions. During the 18-month integration period, both tenants must remain separate for regulatory reasons. The central platform team needs to enforce a mandatory 'CostCenter' tag on all resource groups across both tenants, produce a unified compliance report on tag adherence, and delegate remediation to a small operations team without recreating those admins as guest accounts in the acquired tenant. Which approach best meets these requirements?
Contoso operates three separate Microsoft Entra tenants after two acquisitions, each with its own Azure subscriptions and Log Analytics workspaces. The central security operations team needs a single pane to run KQL queries across activity logs, security events, and Defender alerts from all three tenants without migrating subscriptions or duplicating log ingestion. They also want to minimize custom code and ongoing maintenance. What should you recommend?
A financial services company runs 60 microservices on Azure Kubernetes Service. Their security team requires that authentication and audit events be retained for 3 years and be fully searchable with KQL and included in analytics-based alerts. Meanwhile, the platform team generates roughly 4 TB per day of high-volume debug and verbose application traces that are rarely queried but must be available for interactive investigation for up to 30 days when incidents occur. Management wants to minimize Log Analytics ingestion and retention costs while meeting both requirements. What should you recommend?
A retail company is redesigning its order-processing platform on Azure. When a customer places an order, a single event must reliably trigger multiple independent downstream systems: an inventory service, a shipping service, and an analytics pipeline. Each subscriber processes messages at its own pace, and no subscriber should lose messages if it is temporarily offline. The publisher must not know or be coupled to the number of subscribers. Which messaging design should the architect recommend?
A gaming company runs a multiplayer backend as a set of stateless microservices on Azure. Players are distributed across North America, Europe, and Asia. Currently all traffic routes to a single region in East US, and players in Asia experience high write latency because game state updates must travel to East US. The architects want each region to accept local writes with low latency while keeping data eventually synchronized globally. Which architectural approach should you recommend?
A company is designing a hub-and-spoke network topology in Azure. Multiple spoke virtual networks host workloads that must reach a shared set of on-premises resources through an ExpressRoute circuit, and spokes must also be able to communicate with each other. The design must minimize the number of gateways deployed and route all inter-spoke and on-premises traffic through a central point where a network virtual appliance (NVA) inspects the traffic. Which combination should you recommend?
A company collects verbose application and system logs from 200 Azure VMs into a single Log Analytics workspace using the Azure Monitor Agent. Compliance requires that security-relevant events be retained, but the operations team reports that ingesting all raw logs is driving costs too high. Approximately 60% of the ingested log volume is low-value debug and informational entries that are never queried. The architect must reduce ingestion cost while keeping the required security events and continuing to use the Azure Monitor Agent. What should the architect recommend?
A multinational company has three business units (Finance, HR, and Retail), each managing its own set of Azure resources within a single subscription. Security requires that each business unit's operations team be able to query only the logs generated by their own resources, while a central security operations center (SOC) must retain the ability to run cross-unit queries for threat hunting. The company also wants to minimize the number of Log Analytics workspaces to reduce administrative overhead. What should you recommend?
A financial services company must retain Azure Active Directory (Microsoft Entra ID) sign-in and audit logs for 7 years to satisfy regulatory requirements. The logs must be tamper-proof, and auditors will occasionally perform ad-hoc queries against the most recent 90 days of data using KQL. The solution should minimize ongoing storage cost for the older data while ensuring it cannot be modified or deleted before the retention period expires. Which logging solution should you recommend?
A retail company runs a stateless web API on 12 on-premises Windows servers behind a hardware load balancer. They are migrating to Azure and want a phased cutover: some traffic served on-premises and some in Azure during a validation window, with the ability to shift the weighting gradually and roll back quickly if error rates rise. On-premises and Azure are connected via ExpressRoute. Which approach best supports a controlled, weighted migration cutover with fast rollback?
A company uses a hub-and-spoke topology in Azure. The hub virtual network contains an ExpressRoute gateway that provides connectivity to the on-premises datacenter. Two spoke virtual networks (Spoke-A and Spoke-B) are each peered with the hub. Users report that on-premises servers cannot reach resources in the spokes, and the spokes cannot reach each other. Which combination of configuration changes should you recommend to enable connectivity with minimal administrative overhead?
A SaaS analytics company runs a multi-tenant PostgreSQL workload on-premises. The largest tenant table has grown to 12 TB, and both transactional inserts and large analytical aggregation queries have become slow because a single node can no longer handle the volume. The team wants a managed Azure service that horizontally scales storage and compute across multiple nodes by distributing (sharding) tables, while keeping full PostgreSQL compatibility so their existing application queries continue to work. Which storage solution should you recommend?
A gaming company is building a global player profile service. Player state (inventory, scores, session data) is stored as JSON documents and must be readable and writable with single-digit millisecond latency from any of five Azure regions. The application can tolerate reading data that is a few seconds stale in exchange for higher availability during regional issues, but the same document must never be seen going backward in time by a given client session. Which storage solution and configuration should you recommend?