Design identity, governance, and monitoring solutions
Drill 20 practice questions focused entirely on Design identity, governance, and monitoring solutions for the Microsoft AZ-305 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A company runs several production workloads across multiple Azure subscriptions. The operations team wants to be proactively notified whenever Azure declares a planned maintenance event or a service outage that could affect the regions where their resources are deployed. The notification must reach an on-call distribution list and trigger an automated remediation runbook. Which monitoring solution should you recommend?
A financial services company must be able to audit every create, update, and delete operation performed against Azure resources across all subscriptions, including who initiated each operation and from what IP address. The security team needs these records retained for seven years in immutable storage and made searchable for compliance investigations. Which logging source should be the primary basis for capturing this control-plane audit information?
A multinational company uses Microsoft Entra ID with a single tenant. The security team wants regional IT helpdesk staff to be able to reset passwords and manage users only for accounts belonging to their own region, without granting them tenant-wide directory roles. Group-based license assignment and Conditional Access must remain centrally managed by the global identity team. What should you recommend to delegate this scoped administration?
Contoso runs a legacy line-of-business application on a physical Windows server in an on-premises datacenter. The application must connect to an Azure SQL Database. Security requires that no passwords or connection-string secrets be stored on the server, and the solution must avoid deploying or managing certificates manually. What should you recommend to authenticate the application to Azure SQL Database?
A financial services company must satisfy an internal audit requirement stating that all users assigned privileged Azure AD (Microsoft Entra ID) directory roles, such as Global Administrator and User Administrator, be validated by their manager every 30 days. Assignments that are not explicitly approved during the validation cycle must be automatically removed, and all decisions must be captured for the auditors. The company has Microsoft Entra ID P2 licensing. Which solution should you recommend?
A company hosts a legacy internal web application on an on-premises IIS server that uses Integrated Windows Authentication (Kerberos). Employees now work primarily from home and connect over the internet. The security team requires that access be protected by Azure AD (Microsoft Entra ID) with Conditional Access and MFA, without deploying a VPN and without exposing the application directly to the internet. Users must experience single sign-on to the application. Which solution should you recommend?
A financial services company must comply with a regulatory mandate requiring phishing-resistant multifactor authentication for all administrators accessing Microsoft Entra ID. The security team wants to eliminate shared secrets and prevent credential phishing and man-in-the-middle attacks entirely. Users must be able to authenticate without entering a password. Which authentication method should you recommend?
A retail company is building a new customer-facing e-commerce web application. They need to allow millions of consumers to sign up and sign in using email/password as well as social identities (Google, Facebook). They also require customizable, branded sign-up and sign-in pages and the ability to collect custom attributes during registration. The company wants a fully managed identity solution that is separate from their employee (workforce) directory. Which authentication solution should you recommend?
A company recently acquired two smaller firms, each running its own independent Active Directory forest with no trust relationships between them. The parent company already synchronizes its primary forest to Microsoft Entra ID using Microsoft Entra Connect Sync with a single server. The IT team must integrate identities from the two newly acquired forests into the existing Entra tenant as quickly as possible, minimize on-premises infrastructure footprint, and support lightweight, agent-based deployment that is resilient to server outages. Which identity synchronization approach should you recommend for the two acquired forests?
Contoso synchronizes its on-premises Active Directory to Microsoft Entra ID using Microsoft Entra Connect. The identity team creates and manages cloud security groups in Entra ID for SaaS app access. However, several legacy on-premises file shares grant permissions based on AD security groups only. Contoso wants users assigned to cloud-managed Entra groups to automatically gain access to these on-premises file shares without manually recreating groups in AD. Which solution should you recommend?
A retail company runs a large on-premises Active Directory forest and is adopting Microsoft Entra ID (Azure AD). Security requires that user password hashes never be stored in the cloud in any form, and that all authentication requests are always validated directly against the on-premises domain controllers. However, the operations team also wants to avoid deploying and maintaining a highly available farm of federation servers and reverse proxies. Which authentication method should you recommend?
A SaaS company runs a multi-tenant line-of-business web application registered in Microsoft Entra ID. The application needs to authorize users into three permission levels (Reader, Contributor, Administrator) that are specific to this application only. The security team requires that the permission assignment appear directly in the user's access token as a claim, that assignments are managed per-application without polluting the directory with hundreds of security groups, and that a partner ISV consuming the same app can reuse the identical authorization model. Which approach should you recommend?
A financial services company must ensure that every external contractor and internal employee explicitly accepts a legal disclaimer before accessing a sensitive expense-reporting application. Auditors require a record proving each user consented to the current version of the disclaimer, and consent must be re-collected whenever the legal text is updated. The solution must integrate with the existing Microsoft Entra ID sign-in experience without custom code. What should you recommend?
Contoso runs a hybrid environment with 200 Windows and Linux servers hosted in an on-premises datacenter and a co-location facility. Compliance requires that the same Azure Policy definitions used to enforce security baselines and required configuration on Azure VMs also apply to these on-premises servers, with results visible in Azure and remediable at scale. Which solution should you recommend?
A financial services company stores encryption keys used by several Azure VM disk encryption and Azure SQL Transparent Data Encryption workloads. Compliance mandates that (1) the key material must be protected by FIPS 140-2 Level 3 validated hardware, and (2) the key vault must not be reachable from the public internet — only from specific virtual networks. You must recommend a solution that satisfies both requirements while minimizing operational overhead. What should you recommend?
A managed service provider (MSP) needs to administer resources across 40 separate customer Azure tenants. Each customer requires that the MSP's engineers can perform operations (VM management, monitoring, patching) without creating individual accounts in each customer directory, and that access can be centrally revoked. Customers also insist that their own Azure AD user and group objects never appear in the MSP tenant, and that the MSP's own subscription billing remains completely separate. Which identity and access solution should you recommend?
A retail company runs dozens of App Service web apps whose CPU and request volume vary widely by day of week and time of day, with heavy seasonal spikes. The operations team currently uses static metric alerts, but they generate excessive false positives during predictable peaks while missing genuine anomalies during low-traffic periods. The architect must recommend a monitoring approach that automatically adapts alert thresholds to each app's historical behavior without requiring manual tuning per app. What should the architect recommend?
A company runs 200 VMs across multiple subscriptions. The operations team needs near-real-time performance dashboards refreshed every minute for capacity planning, while a separate compliance team requires that guest OS event logs be retained for seven years at the lowest possible storage cost, with only occasional ad-hoc querying. You must recommend a monitoring and retention design that minimizes ongoing cost while meeting both requirements. What should you recommend?
Your company runs 60 Windows and Linux VMs across two Azure regions hosting a multi-tier line-of-business application. Operations engineers report intermittent slowdowns but cannot determine which process or downstream dependency is causing them. You must recommend a monitoring solution that provides performance metrics, process-level detail, and an automatically discovered map of network connections and dependencies between the VMs, with minimal custom configuration. Which solution should you recommend?
A financial services company must ensure that all new resources are deployed only to the 'West Europe' and 'North Europe' regions to meet data residency requirements. The compliance team also needs a report of any existing resources that already violate this rule, but they do not want the reporting process to delete or modify any current resources. You must recommend a governance approach that enforces the restriction on future deployments while surfacing existing violations. What should you recommend?
More AZ-305 practice
Keep going with the other Microsoft Azure Solutions Architect Expert domains, or take a full timed mock exam.
← Back to AZ-305 overview