Microsoft Azure Solutions Architect Expert · Difficulty

Medium AZ-305 practice questions

Applied — put a concept to work in a realistic situation. 157 medium questions available — no sign-up, always free.

Question 1 of 25

A retail company is designing a new order-processing backend on Azure. The workload consists of short, stateless functions triggered by messages arriving on an Azure Service Bus queue. Message volume is highly variable — near zero overnight and spiking to thousands per minute during flash sales. The development team wants the least operational overhead, automatic scaling driven directly by queue depth, and the ability to scale to zero to minimize cost during idle periods. They do not want to manage or configure any container orchestration or virtual machines. Which compute service should you recommend?

Reviewed for accuracy · Report an issue
Question 2 of 25

A logistics company runs an on-demand image-processing job several times a day. Each invocation spins up a container that runs for 3 to 8 minutes, then exits. Volume is unpredictable — sometimes zero jobs for hours, sometimes 40 concurrent jobs. The team wants to run these containerized workloads with per-second billing, no infrastructure or node pool to manage, and rapid startup, while avoiding paying for idle capacity. Which compute option best fits these requirements?

Reviewed for accuracy · Report an issue
Question 3 of 25

A company runs several production workloads across multiple Azure subscriptions. The operations team wants to be proactively notified whenever Azure declares a planned maintenance event or a service outage that could affect the regions where their resources are deployed. The notification must reach an on-call distribution list and trigger an automated remediation runbook. Which monitoring solution should you recommend?

Reviewed for accuracy · Report an issue
Question 4 of 25

A financial services company must be able to audit every create, update, and delete operation performed against Azure resources across all subscriptions, including who initiated each operation and from what IP address. The security team needs these records retained for seven years in immutable storage and made searchable for compliance investigations. Which logging source should be the primary basis for capturing this control-plane audit information?

Reviewed for accuracy · Report an issue
Question 5 of 25

A multinational company uses Microsoft Entra ID with a single tenant. The security team wants regional IT helpdesk staff to be able to reset passwords and manage users only for accounts belonging to their own region, without granting them tenant-wide directory roles. Group-based license assignment and Conditional Access must remain centrally managed by the global identity team. What should you recommend to delegate this scoped administration?

Reviewed for accuracy · Report an issue
Question 6 of 25

A retail company runs a mission-critical stateful application on Azure Database for MariaDB... no — the application runs on a single Azure SQL Database in the General Purpose tier. Business requires that in a full regional outage the database be recoverable in another Azure region within 1 hour (RTO) with no more than 5 minutes of data loss (RPO). The team wants the lowest operational overhead and does not want to manage replication manually. Which solution should you recommend?

Reviewed for accuracy · Report an issue
Question 7 of 25

A company runs a stateless microservices application on Azure Kubernetes Service (AKS) in a single region. Business requirements now mandate that the application remain available even if an entire Azure datacenter (availability zone) fails, with no manual intervention. The solution must minimize administrative overhead and avoid cross-region complexity. Which design should you recommend?

Reviewed for accuracy · Report an issue
Question 8 of 25

A retail company runs a stateful application on Azure Kubernetes Service (AKS). The application stores data on Azure Disk-backed persistent volumes (PVs) via the Azure Disk CSI driver. The architecture team requires a backup and recovery solution that can protect both the Kubernetes cluster resources (deployments, config maps, namespaces) and the persistent volume data, and can restore the entire application to a new AKS cluster in the same region if the original cluster is accidentally deleted. The solution must minimize operational overhead and use a native Azure service. What should you recommend?

Reviewed for accuracy · Report an issue
Question 9 of 25

A retail company runs a stateless containerized web API on Azure Kubernetes Service (AKS) in the East US region. The business requires the API to survive a full regional outage with an RTO of under 5 minutes and an RPO of zero (the workload holds no persistent state; all data lives in an externally managed Azure Cosmos DB account configured for multi-region writes). The solution must automatically route users away from a failed region without manual intervention and must minimize ongoing cost where possible. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 25

A retail company is migrating a monolithic .NET web application packaged as a single Linux container to Azure. The operations team is small, has no Kubernetes experience, and wants to minimize infrastructure management. The application requires deployment slots for zero-downtime releases, integrated authentication with Microsoft Entra ID, and the ability to scale automatically based on HTTP traffic. There is no requirement for complex service-to-service orchestration or multiple microservices. Which compute service should you recommend?

Reviewed for accuracy · Report an issue
Question 11 of 25

A retail company exposes several internal microservices through Azure API Management (Standard tier) to third-party partner developers. During flash sales, a few partners generate bursts of traffic that overwhelm the backend microservices, causing timeouts for all consumers. The architecture team wants to protect the backends by capping how many calls each partner subscription can make per time window, and reduce load for repeated identical read requests, without modifying the microservice code. Which combination of API Management capabilities should you recommend?

Reviewed for accuracy · Report an issue
Question 12 of 25

A retail company runs several microservices across Azure App Service and Azure Kubernetes Service. Development teams currently store configuration settings and feature toggles in each application's local files, requiring redeployments to change any value. The architect must recommend a solution that centralizes configuration, allows dynamic feature-flag changes without redeployment, supports point-in-time configuration snapshots for rollback, and integrates securely with Key Vault for secrets. Which Azure service should the architect recommend?

Reviewed for accuracy · Report an issue
Question 13 of 25

A retail company hosts a single public web application at www.contoso.com. Behind it are three backend pools of VMs: one serving the main storefront, one serving the /api/* endpoints, and one serving the /images/* static content. The architect must route incoming HTTPS traffic to the correct backend pool based on the URL path, terminate TLS at the edge, and protect the application against common web exploits such as SQL injection. Which Azure load-balancing solution should be recommended?

Reviewed for accuracy · Report an issue
Question 14 of 25

A company runs a single-region web application on Azure VMs behind a public endpoint in the East US region. Security requires that all inbound HTTPS traffic be inspected by a Layer 7 web application firewall, that TLS be terminated and re-encrypted to the backend pool, and that requests be routed based on URL path to different VM pools. The solution must stay within one region and must not introduce a global anycast entry point. Which service should you recommend?

Reviewed for accuracy · Report an issue
Question 15 of 25

A retail company is migrating a portfolio of 200 on-premises servers to Azure following the Cloud Adoption Framework. During the current phase, the migration team needs to build a business case that quantifies expected Azure costs, identifies dependencies between application servers, and assesses each server's readiness for migration before any workloads are moved. Which Cloud Adoption Framework methodology and Azure tooling should the architect recommend for this phase?

Reviewed for accuracy · Report an issue
Question 16 of 25

A retail company runs a customer-facing web application on Azure App Service (Premium v3) in the East US region. During a recent regional outage, the application was completely unavailable for several hours. The architect must redesign the solution so that the application remains available if an entire Azure region fails, while distributing user traffic to the closest healthy region for the lowest latency and automatic failover. Which design should the architect recommend?

Reviewed for accuracy · Report an issue
Question 17 of 25

A financial services company must satisfy an internal audit requirement stating that all users assigned privileged Azure AD (Microsoft Entra ID) directory roles, such as Global Administrator and User Administrator, be validated by their manager every 30 days. Assignments that are not explicitly approved during the validation cycle must be automatically removed, and all decisions must be captured for the auditors. The company has Microsoft Entra ID P2 licensing. Which solution should you recommend?

Reviewed for accuracy · Report an issue
Question 18 of 25

A company hosts a legacy internal web application on an on-premises IIS server that uses Integrated Windows Authentication (Kerberos). Employees now work primarily from home and connect over the internet. The security team requires that access be protected by Azure AD (Microsoft Entra ID) with Conditional Access and MFA, without deploying a VPN and without exposing the application directly to the internet. Users must experience single sign-on to the application. Which solution should you recommend?

Reviewed for accuracy · Report an issue
Question 19 of 25

A financial services company must comply with a regulatory mandate requiring phishing-resistant multifactor authentication for all administrators accessing Microsoft Entra ID. The security team wants to eliminate shared secrets and prevent credential phishing and man-in-the-middle attacks entirely. Users must be able to authenticate without entering a password. Which authentication method should you recommend?

Reviewed for accuracy · Report an issue
Question 20 of 25

A retail company is building a new customer-facing e-commerce web application. They need to allow millions of consumers to sign up and sign in using email/password as well as social identities (Google, Facebook). They also require customizable, branded sign-up and sign-in pages and the ability to collect custom attributes during registration. The company wants a fully managed identity solution that is separate from their employee (workforce) directory. Which authentication solution should you recommend?

Reviewed for accuracy · Report an issue
Question 21 of 25

A retail company runs a large on-premises Active Directory forest and is adopting Microsoft Entra ID (Azure AD). Security requires that user password hashes never be stored in the cloud in any form, and that all authentication requests are always validated directly against the on-premises domain controllers. However, the operations team also wants to avoid deploying and maintaining a highly available farm of federation servers and reverse proxies. Which authentication method should you recommend?

Reviewed for accuracy · Report an issue
Question 22 of 25

A SaaS company runs a multi-tenant line-of-business web application registered in Microsoft Entra ID. The application needs to authorize users into three permission levels (Reader, Contributor, Administrator) that are specific to this application only. The security team requires that the permission assignment appear directly in the user's access token as a claim, that assignments are managed per-application without polluting the directory with hundreds of security groups, and that a partner ISV consuming the same app can reuse the identical authorization model. Which approach should you recommend?

Reviewed for accuracy · Report an issue
Question 23 of 25

A financial services company must ensure that every external contractor and internal employee explicitly accepts a legal disclaimer before accessing a sensitive expense-reporting application. Auditors require a record proving each user consented to the current version of the disclaimer, and consent must be re-collected whenever the legal text is updated. The solution must integrate with the existing Microsoft Entra ID sign-in experience without custom code. What should you recommend?

Reviewed for accuracy · Report an issue
Question 24 of 25

Contoso runs a hybrid environment with 200 Windows and Linux servers hosted in an on-premises datacenter and a co-location facility. Compliance requires that the same Azure Policy definitions used to enforce security baselines and required configuration on Azure VMs also apply to these on-premises servers, with results visible in Azure and remediable at scale. Which solution should you recommend?

Reviewed for accuracy · Report an issue
Question 25 of 25

A company runs a stateful ASP.NET web application across a horizontally scaled Azure App Service plan with 8 instances behind a load balancer. Users report being unexpectedly logged out and losing shopping cart contents when their requests hit different instances. The architects want a solution that externalizes session state so any instance can serve any request, provides sub-millisecond read latency, and scales independently of the web tier without requiring code that pins users to a single instance. Which approach should they recommend?

Reviewed for accuracy · Report an issue