
Designing Microsoft Azure Infrastructure Solutions (AZ-305) - 340 Questions

By Webmaster Certland

Practice exam for AZ-305: Designing Microsoft Azure Infrastructure Solutions. Covers identity, governance, monitoring, data storage, business continuity, and infrastructure design.


👁️ Free Preview (5 of 340 questions)

1. An enterprise architect must design an identity solution for a multinational corporation that has 50,000 employees spread across 12 subsidiaries. Each subsidiary currently runs its own on-premises Active Directory domain. The requirement is to provide seamless single sign-on (SSO) to Azure-hosted SaaS applications while maintaining each subsidiary's existing local authentication infrastructure. Password hash synchronization must NOT be used due to regulatory constraints. Which solution best satisfies these requirements?

A Deploy Azure AD Connect with Password Hash Synchronization for all 12 subsidiaries, using separate Azure AD tenants per subsidiary federated to a parent tenant.
B Deploy Azure AD Connect with Pass-through Authentication (PTA) agents in each subsidiary, synchronized into a single Azure AD tenant, enabling SSO without storing password hashes in the cloud.
C Configure Azure AD B2B collaboration for all 12 subsidiaries, inviting each subsidiary's users as guest accounts into a central Azure AD tenant.
D Deploy Active Directory Federation Services (AD FS) farms in each subsidiary and federate each farm directly to a separate Azure AD tenant per subsidiary.

2. A financial services company is deploying a new Azure environment and must enforce strict governance from day one. The architect must ensure that: (1) all new resource groups must have specific mandatory tags applied at creation time, (2) certain resource types such as public IP addresses must be denied in production subscriptions, and (3) these controls must be applied consistently across 30 subscriptions that belong to different business units. Which TWO Azure services should the architect combine to meet all three requirements most effectively?

A Azure Policy assigned at the Management Group level to enforce tag requirements and deny prohibited resource types across all 30 subscriptions.
B Azure Blueprints to package and deploy Policy assignments, RBAC role assignments, and ARM templates as a single governed artifact across all subscriptions.
C Azure Security Center (Defender for Cloud) Regulatory Compliance dashboard to monitor tag compliance and block public IP creation.
D Azure Resource Locks applied at the subscription level to prevent creation of non-compliant resource types.
E Azure Cost Management budgets and alerts configured per subscription to enforce tagging policies through cost allocation.

3. An enterprise architect is designing an access control model for an Azure environment where developers need to deploy resources in their own sandbox subscriptions but must not be able to modify networking or identity configurations. Security administrators must be able to manage RBAC assignments only within the security scope without gaining access to application workloads. A least-privilege model is mandatory. Which approach best achieves this separation of duties?

A Assign developers the Contributor role at the subscription level and assign security administrators the User Access Administrator role at the subscription level.
B Create custom RBAC roles that grant developers permissions scoped to compute and storage only, and grant security administrators permissions scoped to Microsoft.Authorization actions only, assigned at appropriate management group or subscription scopes.
C Use Azure AD Privileged Identity Management (PIM) to grant just-in-time Owner access to both developers and security administrators, requiring approval for each activation.
D Assign developers the DevTest Labs User role and assign security administrators the Security Admin role in Microsoft Defender for Cloud.

4. A company requires that all privileged Azure AD role assignments for Global Administrator and Privileged Role Administrator be time-limited, require multi-factor authentication at activation, and generate an alert to the security team whenever an activation occurs. The solution must also enforce that eligible assignments expire after 90 days unless recertified. Which Azure service and configuration satisfies all of these requirements?

A Azure AD Conditional Access policies configured to require MFA for all privileged role sign-ins, combined with Azure Monitor alerts on Azure AD sign-in logs.
B Azure AD Privileged Identity Management (PIM) with just-in-time eligible role assignments, activation requiring MFA, access reviews scheduled every 90 days, and alert notifications configured for role activation events.
C Azure AD Identity Protection risk policies set to block high-risk sign-ins, combined with manual role assignment reviews conducted quarterly by the security team.
D Azure Security Center Just-in-Time VM access policies extended to Azure AD roles, with email notifications sent via Azure Logic Apps when policies are triggered.

5. An enterprise architect must design a monitoring solution for a large Azure environment spanning 15 subscriptions. The requirements are: centralized log collection from all subscriptions, the ability to run cross-subscription Kusto queries, automated alerting when specific security events occur, and a 2-year log retention for compliance. The solution must minimize operational overhead. Which architecture best satisfies these requirements?

A Deploy an Azure Monitor workspace per subscription, export logs to Azure Blob Storage for long-term retention, and use Azure Data Factory to run cross-subscription queries.
B Deploy a centralized Azure Monitor Log Analytics workspace, configure Diagnostic Settings on all resources across all 15 subscriptions to send data to this workspace, configure Data Export to Azure Storage for 2-year retention, and use Azure Monitor Alert rules with Action Groups for automated notifications.
C Deploy Microsoft Sentinel in each subscription independently, use workbooks for cross-subscription visibility, and store logs in each subscription's native storage account.
D Use Azure Service Health alerts per subscription for security event monitoring and Azure Advisor recommendations to identify compliance gaps across subscriptions.


Information

Questions 340
Time 2h 30min
Difficulty Hard
Minimum Score 70.00%
