How to Ace the AZ305: AZ305 Expert Guide

Question 1 · Design identity, governance, and monitoring solutions

Your organization needs to centralize logs from multiple Azure services to identify security threats across 50+ subscriptions. Which solution should you recommend?

• Azure Monitor with Log Analytics workspace
• Application Insights only
• Azure Storage account with blob analytics
• Azure Event Hub for real-time streaming only

Correct answer: Azure Monitor with Log Analytics workspace

Azure Monitor with Log Analytics workspace provides centralized log collection, analysis, and threat detection across multiple subscriptions using Kusto Query Language (KQL). While Event Hub and Storage account can be routing destinations, Log Analytics is the primary solution for this scenario. Application Insights focuses on application performance monitoring.

Question 2 · Design identity, governance, and monitoring solutions

Your company requires diagnostic logs from Azure SQL Database to be archived for 7 years for compliance purposes, while keeping recent logs queryable. Which routing solution is most cost-effective?

• Send all logs to Log Analytics workspace only
• Stream logs to Azure Storage for archival and also to Log Analytics for short-term querying
• Use Event Hubs to route logs to multiple destinations
• Store logs in Azure SQL Database's built-in audit table indefinitely

Correct answer: Stream logs to Azure Storage for archival and also to Log Analytics for short-term querying

Using tiered routing with Storage for long-term archival (cost-effective) and Log Analytics for queryable recent data provides optimal cost and functionality. Event Hubs is for streaming scenarios, not archival. SQL audit tables have retention limits and are not suitable for 7-year compliance storage.

Question 3 · Design identity, governance, and monitoring solutions

You need to monitor the performance and health of applications running on Azure VMs in real-time, including CPU, memory, and network metrics. Which monitoring solution should you implement?

• Azure Monitor with VM Insights
• Application Insights with custom collectors
• Azure Policy compliance scanning
• Log Analytics without metrics collection

Correct answer: Azure Monitor with VM Insights

VM Insights is the Azure Monitor feature specifically designed for comprehensive monitoring of Azure VMs, including performance metrics, dependency mapping, and health status. Application Insights is for application performance, not VM-level metrics. Azure Policy is for compliance, not monitoring.

Question 4 · Design identity, governance, and monitoring solutions

Your organization has hybrid environments with on-premises Active Directory and needs to enable users to authenticate to cloud resources without password sync. Which solution should you recommend?

• Microsoft Entra ID with pass-through authentication
• Implement password hash synchronization
• Use Azure AD B2B for all identities
• Configure Azure VPN for on-premises authentication

Correct answer: Microsoft Entra ID with pass-through authentication

Pass-through authentication validates credentials against on-premises Active Directory without syncing password hashes, meeting security requirements for hybrid environments. Password hash sync sends hashes to cloud, which contradicts the requirement. B2B is for external identities, and VPN doesn't address authentication.

Question 5 · Design identity, governance, and monitoring solutions

Your company needs to manage identities for contractors, partners, and employees across multiple Azure subscriptions. Which identity management solution should you use?

• Microsoft Entra ID as the central identity provider
• Individual Azure subscriptions with separate user accounts
• Azure Local accounts on each VM
• Azure SQL Database authentication for all identities

Correct answer: Microsoft Entra ID as the central identity provider

Microsoft Entra ID (Azure AD) is the cloud-based identity management solution that provides centralized user and device management across Azure subscriptions, supporting employees, contractors, and B2B identities. Other options lack centralized management, scalability, or security controls needed for enterprise scenarios.

Question 6 · Design identity, governance, and monitoring solutions

You need to grant a team access to Azure resources in production subscriptions while ensuring they cannot escalate privileges. Which authorization approach is most appropriate?

• Assign Azure RBAC roles with least privilege principle at subscription scope
• Add team members as co-administrators on each subscription
• Use Azure Key Vault access policies for all authorizations
• Implement only Owner role to simplify management

Correct answer: Assign Azure RBAC roles with least privilege principle at subscription scope

Azure RBAC with least privilege (assigning only needed roles at subscription scope) prevents privilege escalation and is the security best practice. Co-administrator and Owner roles grant excessive permissions. Key Vault policies are for secret/key access only, not general resource authorization.

Question 7 · Design identity, governance, and monitoring solutions

Your organization's on-premises users need seamless access to cloud resources without additional login prompts. Which solution enables this?

• Microsoft Entra ID with Seamless SSO and conditional access
• Azure ExpressRoute with forced authentication
• Azure Site-to-Site VPN with local authentication
• Azure AD Connect with password hash sync only

Correct answer: Microsoft Entra ID with Seamless SSO and conditional access

Seamless Single Sign-On with Microsoft Entra ID allows on-premises domain-joined users to access cloud resources automatically using their cached credentials, providing seamless access. ExpressRoute is for networking, VPN requires separate authentication, and password hash sync alone doesn't enable SSO without additional configuration.

Question 8 · Design identity, governance, and monitoring solutions

Your application requires secure storage of API keys, database connection strings, and SSL certificates. Which Azure service should you use?

• Azure Key Vault
• Azure Storage account with public access
• Azure SQL Database with encrypted columns
• Configuration files in application source code

Correct answer: Azure Key Vault

Azure Key Vault is the dedicated service for managing secrets, keys, and certificates with access controls, encryption, and audit logging. Storage accounts are not designed for secure secret management. Storing credentials in source code or unencrypted SQL Database violates security best practices.

Question 9 · Design identity, governance, and monitoring solutions

You need to organize 200 Azure subscriptions across multiple business units with different billing and governance requirements. Which structure should you implement?

• Management groups hierarchy aligned with business units, then subscriptions, then resource groups by workload
• Place all subscriptions under root management group with tags for organization
• Create one resource group per subscription
• Use only subscription-level RBAC without management groups

Correct answer: Management groups hierarchy aligned with business units, then subscriptions, then resource groups by workload

The recommended structure is management groups reflecting organizational hierarchy (business units) -> subscriptions (billing/environments) -> resource groups (workloads/components). This provides inheritance of policies, RBAC, and enables cost tracking. Using only tags or flat structures limits governance and scalability.

Question 10 · Design identity, governance, and monitoring solutions

Your organization needs to enforce consistent resource naming and tagging across all departments. Which solution should you implement?

• Azure Policy with naming convention and mandatory tag requirements
• Manual review process for each resource deployment
• Resource Group naming only, without tagging
• Azure RBAC permissions to deny non-compliant names

Correct answer: Azure Policy with naming convention and mandatory tag requirements

Azure Policy provides automated enforcement of naming conventions and tag requirements across all resources, ensuring compliance without manual intervention. Manual reviews don't scale, RBAC doesn't validate naming conventions, and resource group naming alone is insufficient for organization.