AZ-305: Azure Solutions Architect Expert Practice Exam

What the AZ-305 exam covers

• Design Identity, Governance, and Monitoring Solutions170 questions
• Design Data Storage Solutions146 questions
• Design Business Continuity Solutions132 questions
• Design Infrastructure Solutions143 questions

Free AZ-305 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 591.

1. Question 1Design Identity, Governance, and Monitoring Solutions

   Tailwind Traders is adopting Azure and plans to onboard 12 business units over the next year. The enterprise architect must design an Azure landing zone that enforces company-wide security baselines while allowing each business unit to manage its own workloads independently. Certain business units operate in regulated industries and require additional compliance controls. The solution must minimize ongoing administrative effort. What should the architect recommend?

   • ADeploy separate Microsoft Entra ID tenants for each business unit and federate them using Microsoft Entra ID B2B collaboration
   • BCreate individual subscriptions for each business unit without management groups and assign policies directly to each subscription
   • CCreate a single subscription for all business units and use resource groups to separate workloads, applying Azure Policy at the resource group level
   • DDeploy the Azure Landing Zone accelerator with a management group hierarchy, apply company-wide policies at the intermediate management group level, and create child management groups per business unit for additional compliance policiesCorrect
   ✓ Correct answer: D

   The Azure Landing Zone accelerator provides a prescriptive, modular approach to implementing enterprise-scale governance in Azure. It uses management group hierarchies to enforce security baselines at the intermediate level while enabling business units to apply additional compliance policies at their own management group levels. This design satisfies the dual requirement of enforcing company-wide baselines while maintaining autonomy. Management groups provide scope inheritance for policies and role assignments, significantly reducing administrative overhead compared to managing policies across individual subscriptions. The architecture supports regulated business units by allowing child management groups to layer additional compliance controls without conflicting with parent-level policies.

   Why the other options are wrong

   • ADeploy separate Microsoft Entra ID tenants for each business unit and federate them using Microsoft Entra ID B2B collaboration is incorrect because B2B federation is designed for cross-tenant user collaboration, not subscription governance, and it creates identity fragmentation rather than leveraging a unified directory.
   • BCreate individual subscriptions for each business unit without management groups and assign policies directly to each subscription is incorrect because this approach requires policy management at every subscription individually, creating administrative overhead that doesn't scale and lacks the policy inheritance benefits of management groups.
   • CCreate a single subscription for all business units and use resource groups to separate workloads, applying Azure Policy at the resource group level is incorrect because Azure Policy at the resource group level does not propagate to all resources uniformly and doesn't support the hierarchical governance model needed for enterprise-scale deployments.
2. Question 2Design Identity, Governance, and Monitoring SolutionsSelect all that apply

   Fabrikam Inc. needs to design a monitoring strategy for their Azure environment. They require: (1) centralized collection of logs from Azure resources, on-premises servers, and third-party applications, (2) automated responses to specific security events, and (3) long-term retention of logs for compliance. Which three components should be included in the design? (Choose three.)

   • AAzure Service Health alerts
   • BAzure Monitor Log Analytics workspaceCorrect
   • CAzure Blob Storage with lifecycle management policiesCorrect
   • DMicrosoft Sentinel with automation rules and playbooksCorrect
   • EAzure Event Grid with webhook subscriptions
   • FAzure Traffic Manager
   ✓ Correct answer: B, C, D

   Azure Monitor Log Analytics workspace provides centralized collection and queryable storage of logs from Azure resources, on-premises servers through agents, and third-party applications via custom ingestion, serving as the single aggregation point for all log data. Azure Blob Storage with lifecycle management policies automatically transitions older logs to lower cost storage tiers and implements retention policies that delete logs after the 7-year compliance period expires, providing cost-optimized long-term retention without requiring manual management. Microsoft Sentinel provides automated threat detection through built-in and custom analytics rules, and automation rules combined with playbooks enable auto-remediation of detected incidents through Logic Apps integration, allowing teams to respond to security events without manual intervention. Together these three services address centralized collection (Log Analytics), long-term retention (Blob Storage), and automated response (Sentinel).

   Why the other options are wrong

   • AAzure Service Health alerts is incorrect because this provides notifications about Azure platform incidents rather than centralized log collection or security event response. Application Insights for end-user performance metrics is incorrect because this addresses application monitoring, not security event collection or compliance logging.
   • EAzure Event Grid with webhook subscriptions is incorrect because while Event Grid can route events, it doesn't provide the log aggregation and retention capabilities needed for this design.
   • FAzure Traffic Manager is incorrect because this is a traffic routing service unrelated to monitoring, logging, or security response.
3. Question 3Design Identity, Governance, and Monitoring Solutions

   Fabrikam Inc. has a hybrid identity environment with on-premises Active Directory synced to Microsoft Entra ID using Microsoft Entra ID Connect. They want to ensure that when a user's password is changed on-premises, the change is reflected in Microsoft Entra ID within minutes. They also need users to be able to reset their passwords from the cloud and have those changes written back to on-premises AD. What should the architect configure?

   • AMicrosoft Entra ID Connect with password hash synchronization and self-service password reset with password writebackCorrect
   • BMicrosoft Entra ID Connect with pass-through authentication only
   • CMicrosoft Entra ID Domain Services with password synchronization
   • DMicrosoft Entra ID Connect with federation using AD FS
   ✓ Correct answer: A

   This solution addresses the hybrid identity synchronization challenge that requires bidirectional password management. Password hash synchronization enables on-premises changes to sync to the cloud within minutes, while password writeback sends cloud-based password resets back to on-premises Active Directory, creating a seamless experience for users across both directories. Combined with self-service password reset, this approach reduces helpdesk costs and improves user productivity. The architecture maintains password consistency across environments while adhering to security best practices through hash-based synchronization.

   Why the other options are wrong

   • BMicrosoft Entra ID Connect with pass-through authentication only is incorrect because it doesn't provide password writeback, preventing cloud-based password resets from synchronizing back to on-premises AD.
   • CMicrosoft Entra ID Domain Services with password synchronization is incorrect because Azure AD Domain Services is used for legacy authentication protocols and doesn't support password writeback to on-premises AD.
   • DMicrosoft Entra ID Connect with federation using AD FS is incorrect because federation validates against on-premises AD directly and doesn't provide the password synchronization and writeback capabilities required by the scenario.
4. Question 4Design Data Storage SolutionsSelect all that apply

   Tailwind Traders is designing a data analytics platform. They need to store semi-structured JSON data from IoT devices, run real-time analytical queries, and support global distribution with low-latency reads. Which two features of Azure Cosmos DB should they leverage? (Choose two.)

   • AAzure Cosmos DB Table API for key-value pair storage
   • BAzure Cosmos DB for NoSQL API with automatic indexing of all propertiesCorrect
   • CAzure Cosmos DB change feed for real-time processing of data changesCorrect
   • DAzure Cosmos DB MongoDB API for relational data modeling
   ✓ Correct answer: B, C

   For an IoT data analytics platform storing semi-structured JSON from IoT devices with real-time query requirements and global distribution, these features provide comprehensive support. The NoSQL API with automatic indexing enables flexible querying of semi-structured JSON without pre-defined schemas, and automatic indexing optimizes query performance across all properties without manual tuning. Change feed enables real-time processing of data mutations, allowing applications to react instantly to new or updated sensor readings for real-time analytics and dashboards.

   Why the other options are wrong

   • AAzure Cosmos DB Table API for key-value pair storage is incorrect because the Table API is optimized for simple key-value access patterns, not semi-structured JSON analytics with complex queries.
   • DAzure Cosmos DB MongoDB API for relational data modeling is incorrect because MongoDB API is designed for document storage compatible with MongoDB applications, not optimized for the automatic indexing and real-time analytics features needed for IoT analytical workloads.
5. Question 5Design Data Storage Solutions

   Which database service should you recommend for a globally distributed NoSQL workload?

   • AAzure Cosmos DBCorrect
   • BAzure Table Storage
   • CAzure Database for PostgreSQL
   • DAzure SQL Database
   ✓ Correct answer: A

   Globally distributed NoSQL workloads require a database service with automatic multi-region replication, flexible data models, and tunable consistency levels. Azure Cosmos DB provides native support for document, key-value, graph, and table data models while automatically replicating data across unlimited Azure regions. Applications can write to the nearest region with guarantee of strong consistency within seconds or eventual consistency for maximum availability. Cosmos DB is the only Azure service specifically designed for this global NoSQL scale.

   Why the other options are wrong

   • BAzure Table Storage is incorrect because Table Storage is regional and lacks the global distribution and multi-model capabilities required for globally distributed workloads.
   • CAzure Database for PostgreSQL is incorrect because PostgreSQL is a relational database, not a NoSQL service, and requires manual replication setup.
   • DAzure SQL Database is incorrect because SQL Database is relational, not NoSQL, and not designed for the global distribution patterns of NoSQL workloads.
6. Question 6Design Business Continuity SolutionsSelect all that apply

   Munson's Pickles and Preserves Farm runs their e-commerce platform on Azure. They need to ensure business continuity with the following requirements: (1) the web tier must remain available during a regional outage with automatic traffic redirection, and (2) the database tier must failover to a secondary region with minimal data loss. Which two solutions should you implement? (Choose two.)

   • AAzure SQL Database with locally redundant automated backups
   • BAzure Front Door with health probes and backend pools in two regionsCorrect
   • CAzure SQL Database failover groups with a grace period policyCorrect
   • DAzure Load Balancer Standard with cross-region load balancing
   ✓ Correct answer: B, C

   E-commerce platform business continuity requires coordinated failure detection and failover across both web and database tiers to maintain continuous availability during regional outages. Azure Front Door provides application-layer failover by monitoring health of backend pools in two regions and automatically routing traffic to healthy regions when primary region becomes unavailable. Front Door's health probes detect application layer failures faster than lower-level network detection, triggering traffic redirection to the secondary region within seconds. The configuration with backend pools in two regions enables active-active or active-passive deployments depending on traffic distribution preferences. Azure SQL Database failover groups coordinate database-layer failover independently, detecting database connectivity loss and automatically promoting the secondary database to primary. The grace period policy allows configuration of the time window before automatic promotion occurs, preventing unnecessary failovers during brief connectivity glitches. Together, these two components provide comprehensive application and database tier failover orchestration that addresses both requirements: automatic traffic redirection for the web tier and managed database failover. The combination ensures that web and database tiers failover in coordination without manual intervention.

   Why the other options are wrong

   • AAzure SQL Database with locally redundant automated backups is incorrect because backups alone do not provide the automatic failover capability required for regional disaster scenarios.
   • DAzure Load Balancer Standard with cross-region load balancing is incorrect because Load Balancer does not provide automatic region-level failure detection or the traffic management capabilities needed for true cross-region disaster recovery. Note: Both B and C are correct answers required for this multi-answer question.
7. Question 7Design Infrastructure Solutions

   Contoso Ltd needs to securely connect their on-premises datacenter to Azure with a dedicated private connection that provides consistent latency and higher bandwidth than a VPN. They also need a fallback connection in case the primary connection fails. Which solution should you recommend?

   • AAzure Virtual WAN with point-to-site VPN connections
   • BAzure ExpressRoute with Global Reach as the only connection
   • CTwo site-to-site VPN connections for redundancy
   • DAzure ExpressRoute as the primary connection with a site-to-site VPN as a failbackCorrect
   ✓ Correct answer: D

   ExpressRoute gives Contoso the dedicated private circuit with consistent latency and higher bandwidth than a VPN, satisfying the performance requirement. For resilience, pairing it with a site-to-site VPN as a backup means that if the ExpressRoute circuit goes down or is under maintenance, connectivity automatically continues over the VPN. This hybrid model delivers both the high-performance primary path and the required fallback at lower cost than a second ExpressRoute circuit. It is Microsoft's recommended pattern for ExpressRoute resiliency on a budget.

   Why the other options are wrong

   • AVirtual WAN with point-to-site VPN is aimed at distributed remote-user access, not a dedicated, consistent-performance datacenter-to-Azure circuit.
   • BExpressRoute with Global Reach as the only connection provides no backup path, so any circuit outage or maintenance causes downtime, failing the fallback requirement.
   • CTwo site-to-site VPNs both run over the public internet with lower bandwidth and higher, less predictable latency than ExpressRoute, so they do not meet the dedicated high-performance requirement.
8. Question 8Design Infrastructure SolutionsSelect all that apply

   You are designing a landing zone architecture for a large enterprise deploying to Azure. Which TWO components are essential for a well-designed Azure landing zone? (Select two.)

   • AIndividual Microsoft Entra ID tenants for each business unit
   • BA single subscription for all workloads to simplify management
   • CHub-and-spoke or Virtual WAN network topology for centralized connectivityCorrect
   • DManagement groups with a hierarchical structure for policy and RBAC inheritanceCorrect
   ✓ Correct answer: C, D

   An Azure landing zone is a foundational infrastructure architecture that enables organizations to scale and govern their cloud deployments effectively. Hub-and-spoke (or Virtual WAN) network topologies provide centralized connectivity, allowing all traffic between spokes to route through a central hub where security appliances and monitoring can be implemented, creating a controlled network perimeter. Management groups enable hierarchical policy and RBAC inheritance, allowing organizations to apply governance policies consistently across multiple subscriptions while maintaining flexibility at lower levels of the hierarchy. These two components work together to provide both network isolation and centralized governance that enterprise deployments require.

   Why the other options are wrong

   • AIndividual Microsoft Entra ID tenants for each business unit is incorrect because Azure landing zones operate within a single Entra ID tenant; multiple tenants create management complexity and break single sign-on capabilities.
   • BA single subscription for all workloads to simplify management is incorrect because it violates subscription scalability limits, prevents proper RBAC delegation, and makes cost allocation and resource isolation impossible for large enterprises.
9. Question 9Design Data Storage Solutions

   Which best practice should be followed when managing Solutions within Design Data Storage Solutions?

   • ADisable access controls for faster day-to-day workflows
   • BImplement role-based access control with least privilegeCorrect
   • CUse a single shared service account for the entire team
   • DGrant full administrator access to all team members
   ✓ Correct answer: B

   Role-based access control (RBAC) is a fundamental security practice in Azure that aligns with the principle of least privilege. This approach ensures that users and service principals are granted only the minimum permissions necessary to perform their assigned tasks. In AZ-305 design scenarios, RBAC protects data storage solutions from unauthorized access and reduces the attack surface by limiting what compromised accounts can do. Proper RBAC implementation, combined with regular access reviews and strong authentication mechanisms, creates multiple layers of security that protect sensitive data and maintain compliance requirements.

   Why the other options are wrong

   • ADisable access controls for faster day-to-day workflows is incorrect because disabling access controls creates security vulnerabilities and exposes sensitive data to unauthorized access, defeating the purpose of a secure data storage solution.
   • CUse a single shared service account for the entire team is incorrect because shared accounts eliminate accountability, make it impossible to audit individual actions, and create significant security risks when team members change or leave the organization.
   • DGrant full administrator access to all team members is incorrect because granting excessive permissions violates the principle of least privilege and increases the risk of accidental or malicious data modifications.
10. Question 10Design Data Storage SolutionsSelect all that apply

    Trey Research needs to implement a solution that involves event sourcing and a specific service. Which two components should the administrator configure? (Choose two.)

    • AAzure Disk Encryption
    • Bdata migration strategy
    • Cpolyglot persistence
    • Devent sourcingCorrect
    • Eencryption at rest strategyCorrect
    ✓ Correct answer: D, E

    Implementing a solution incorporating event sourcing requires complementary security and data persistence strategies to ensure integrity and confidentiality throughout the system. Event sourcing is an architectural pattern that stores all state changes as immutable events in a sequence, allowing applications to rebuild state from event logs. Encryption at rest strategy protects these event logs and snapshots by encrypting data when stored, ensuring that sensitive events and state information remain confidential even if storage is compromised. The combination creates an audit trail that is both cryptographically protected and recoverable, critical for systems requiring compliance, forensic analysis, and state reconstruction capabilities.

    Why the other options are wrong

    • AAzure Disk Encryption is incorrect because disk-level encryption is not the preferred method for event store protection; database-level or application-level encryption is more appropriate.
    • BData migration strategy is incorrect as migration is not related to event sourcing implementation.
    • CPolyglot persistence is incorrect because while it may be used with event sourcing, it is not a required configuration component for the pattern itself.

AZ-305 practice exam FAQ