Microsoft AZ-305 Exam
Designing Microsoft Azure Infrastructure Solutions (Page 11)

Updated On: 12-Feb-2026

HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains an Azure key vault named KV1 and a virtual machine named VM1. VM1 runs Windows Server 2022: Azure Edition.

You plan to deploy an ASP.Net Core-based application named App1 to VM1.

You need to configure App1 to use a system-assigned managed identity to retrieve secrets from KV1. The solution must minimize development effort.

What should you do? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Client Credentials flow
Client Credentials flow – The only flow that does not require immediate user interaction; it is usually used when the OAuth client is acting on behalf of itself, when user consent does not make sense, or when authorization primitives can be configured out-of-band (for instance via Microsoft Entra ID).

Note: Authenticating to Azure Services
Local machines don't support managed identities for Azure resources. As a result, the Microsoft.Azure.Services.AppAuthentication library uses your developer credentials to run in your local development environment.
When the solution is deployed to Azure, the library uses a managed identity to switch to an OAuth 2.0 client credentials grant flow. This approach means you can test the same code locally and remotely without worry.

Incorrect:
* Authorization code flow – Requires user interaction and consent, typically via the web browser, to get a code which is then used to issue an access token.

* Implicit grant flow – Created for single page web / mobile webview apps, where token creation and handling is done entirely from the front end.

Box 2: OAuth 2.0 access token endpoint of Microsoft Entra ID

Example: Issuing & inspecting our first OAuth token
At this stage, we should be able to issue tokens to Service A, on behalf of Service B – let's see that in action.

1. In the Microsoft Entra application registration blade, go to Service B (as shown in previous steps).
2. In the Overview blade, click the 'Endpoints' button on the command bar.
3. In the opened Endpoints blade, copy the OAuth 2.0 token endpoint (v2) URL.
4. Issue an HTTP POST call to the given URL with the following parameters:

   $> curl -s -XPOST <token-v2-endpoint> \
      -d grant_type=client_credentials \
      -d client_id=<service-b-app-id> \
      -d client_secret=<service-b-client-secret> \
      -d scope=<service-a-application-id-uri>/.default

5. Etc.
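As an added example (not code from the page or from the referenced articles), the same secret-retrieval code following the two paths the note above describes: the client credentials grant against the token endpoint on a developer machine, and the system-assigned managed identity on VM1, where the token comes from the VM's Instance Metadata Service and no secret is stored in App1. The vault URL, secret name and HTTP responses are constructed, and the transport is injected so the block runs offline.

```python
import json
import urllib.parse

# Constructed values, not from the page: KV1's vault URL and the Instance
# Metadata Service (IMDS) endpoint Azure VMs use for managed-identity tokens.
KV1_URL = "https://kv1.vault.azure.net"
IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

def build_token_request(config):
    """Return (method, url, headers, body) for the token call.
    No client secret configured (App1 on VM1): use the system-assigned managed
    identity via IMDS, which needs only the 'Metadata: true' header. Otherwise
    fall back to the OAuth 2.0 client credentials grant (the curl call above)."""
    if "client_secret" not in config:
        query = urllib.parse.urlencode(
            {"api-version": "2018-02-01", "resource": "https://vault.azure.net"})
        return "GET", f"{IMDS_URL}?{query}", {"Metadata": "true"}, None
    if not config["scope"].endswith("/.default"):
        raise ValueError("client credentials needs a <resource>/.default scope")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": config["client_id"],
        "client_secret": config["client_secret"], "scope": config["scope"]})
    return ("POST", config["token_endpoint"],
            {"Content-Type": "application/x-www-form-urlencoded"}, body)

def get_secret(config, secret_name, transport):
    """Acquire a token, then read one secret from KV1 with a bearer call.
    transport(method, url, headers, body) does the HTTP request and returns the
    response body; injecting it lets the same flow run offline."""
    token = json.loads(transport(*build_token_request(config)))
    if token.get("token_type") != "Bearer":
        raise RuntimeError("unexpected token_type in token response")
    url = f"{KV1_URL}/secrets/{secret_name}?api-version=7.4"
    headers = {"Authorization": f"Bearer {token['access_token']}"}
    return json.loads(transport("GET", url, headers, None))["value"]

def fake_transport(method, url, headers, body):
    """Constructed stand-in for IMDS, the token endpoint and KV1 (offline run)."""
    if url.startswith(IMDS_URL):
        if headers.get("Metadata") != "true":
            raise RuntimeError("IMDS rejects requests without Metadata: true")
        return json.dumps({"access_token": "imds-token", "token_type": "Bearer"})
    if url.endswith("/oauth2/v2.0/token"):
        if urllib.parse.parse_qs(body)["grant_type"] != ["client_credentials"]:
            raise RuntimeError("wrong grant_type")
        return json.dumps({"access_token": "cc-token", "token_type": "Bearer"})
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise RuntimeError("KV1 requires a bearer token")
    return json.dumps({"value": "constructed-secret-value"})
```

On VM1 the IMDS path works only from inside the VM and only after the system-assigned identity has been granted access to KV1; the client-secret path is the developer-machine fallback, so the secret must never ship with App1.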


Reference:

https://medium.com/@dany74q/service-to-service-auth-with-azure-ad-msi-oauth-2-0-step-by-step-a1aed196b1e1
https://learn.microsoft.com/en-us/dotnet/api/overview/azure/service-to-service-authentication



Your company has the divisions shown in the following table.



Sub1 contains an Azure App Service web app named App1. App1 uses Microsoft Entra ID for single-tenant user authentication. Users from contoso.com can authenticate to App1.

You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1.

What should you recommend?

  1. Configure Microsoft Entra join.
  2. Configure Microsoft Entra ID Protection.
  3. Configure a Conditional Access policy.
  4. Configure Supported account types in the application registration and update the sign-in endpoint.

Answer(s): D

Explanation:

Correct:
* Use Microsoft Entra entitlement management to govern external users.
* Configure Supported account types in the application registration and update the sign-in endpoint.

Incorrect:
* Configure a Conditional Access policy.
* Configure assignments for the fabrikam.com users by using Microsoft Entra Privileged Identity Management (PIM).
* Configure Microsoft Entra ID Protection.
* Configure Microsoft Entra join.
* Configure the Microsoft Entra provisioning service.
* Enable Microsoft Entra pass-through authentication and update the sign-in endpoint.
Note:
* Use Microsoft Entra entitlement management to govern external users.
Govern access for external users in Microsoft Entra entitlement management
Microsoft Entra entitlement management uses Microsoft Entra business-to-business (B2B) to share access so you can collaborate with people outside your organization. With Microsoft Entra B2B, external users authenticate to their home directory, but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.
* Configure Supported account types in the application registration and update the sign-in endpoint.
Identity and account types for single- and multi-tenant apps
You, as a developer, can choose if your app allows only users from your Microsoft Entra tenant, any Microsoft Entra tenant, or users with personal Microsoft accounts. You can configure your app to be either single tenant or multitenant during app registration in Azure.
Note: A required part of application registration in Microsoft Entra ID is your selection of supported account types.
While IT Pros in administrator roles decide who can consent to apps in their tenant, you, as a developer, specify who can use your app based on account type.
When a tenant doesn’t allow you to register your application in Microsoft Entra ID, administrators will provide you with a way to communicate those details to them through another mechanism.
You’ll choose from the following supported account type options when registering your application.
* Accounts in this organizational directory only (O365 only – Single tenant)
* Accounts in any organizational directory (Any Microsoft Entra directory – Multitenant)
* Accounts in any organizational directory (Any Microsoft Entra directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
* Personal Microsoft accounts only
Incorrect:
* Configure Microsoft Entra ID Protection
Microsoft Entra ID Protection allows organizations to accomplish three key tasks: automate the detection and remediation of identity-based risks; investigate risks using data in the portal; and export risk detection data to other tools.


Reference:



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named contoso.com.

You plan to implement two ASP.NET Core apps named App1 and App2 that will be deployed to 100 virtual machines in Sub1. Users will sign in to App1 and App2 by using their contoso.com credentials.

App1 requires read permissions to access the calendar of the signed-in user. App2 requires write permissions to access the calendar of the signed-in user.

You need to recommend an authentication and authorization solution for the apps. The solution must meet the following requirements:

Use the principle of least privilege.

Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Application registration in Microsoft Entra ID
To get an access token, your app must be registered with the Microsoft identity platform and be granted Microsoft Graph permissions by a user or administrator.

Note: Register your app with the Microsoft identity platform Before your app can get a token from the Microsoft identity platform, it must be registered in the Azure portal. Registration integrates your app with the Microsoft identity platform and establishes the information that it uses to get tokens, including:

* Application ID: A unique identifier assigned by the Microsoft identity platform.
* Redirect URI/URL: One or more endpoints at which your app will receive responses from the Microsoft identity platform. (For native and mobile apps, the URI is assigned by the Microsoft identity platform.)
* Client secret: A password or a public/private key pair that your app uses to authenticate with the Microsoft identity platform. (Not needed for native or mobile apps.)

Box 2: Delegated permissions
Access scenarios
The method that an app uses to authenticate with the Microsoft identity platform depends on how you want the app to access the data. This access can take one of two forms.

Delegated access, an app acting on behalf of a signed-in user.
App-only access, an app acting with its own identity.

Note: Calendars permissions
Delegated permissions
* Calendars.Read
Read user calendars – Allows the app to read events in user calendars.

* Calendars.ReadWrite
Have full access to user calendars – Allows the app to create, read, update, and delete events in user calendars.

Incorrect:
* Application permissions
Calendar Application permissions
* Calendars.Read
Read calendars in all mailboxes – Allows the app to read events of all calendars without a signed-in user.

* Calendars.ReadWrite
Read and write calendars in all mailboxes – Allows the app to create, read, update, and delete events of all calendars without a signed-in user.


Reference:

https://learn.microsoft.com/en-us/graph/auth/auth-concepts
https://learn.microsoft.com/en-us/graph/permissions-reference



HOTSPOT (Drag and Drop is not supported)

You have a Microsoft Entra tenant that contains a management group named MG1.

You have the Azure subscriptions shown in the following table.



The subscriptions contain the resource groups shown in the following table.



The tenant contains the Azure AD security groups shown in the following table.



The tenant contains the user accounts shown in the following table.




You perform the following actions:

Assign User3 the Contributor role for Sub1.

Assign Group1 the Virtual Machine Contributor role for MG1.

Assign Group3 the Contributor role for the Tenant Root Group.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
User1 is member of Group1.
Group1 is assigned the Virtual Machine Contributor role for MG1.

MG1 is in Sub1.
RG1 is in Sub1.

Virtual Machine Contributor
Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls.

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Box 2: No
User2 is a member of Group2.
User2 has no special permissions to Group2.

Box 3: Yes
User3 is a member of Group3.
Group3 is assigned the Contributor role for the Tenant Root Group. Through that assignment at the Tenant Root Group, User3 can create storage accounts in RG2.

Note: Each Microsoft Entra tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This group allows global policies and Azure role assignments to be applied at the directory level.
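An added example, not from the page, that models the inheritance argument used in this explanation: Azure role assignments at a management group or at the Tenant Root Group flow down to subscriptions and resource groups, and a user holds the roles assigned to their security groups. It assumes the hierarchy Tenant Root Group > MG1 > Sub1 > RG1, RG2 and the group memberships stated above; the action sets per role are abridged.

```python
# Scope hierarchy assumed for the example: Tenant Root Group > MG1 > Sub1 > RG1, RG2
# (Sub1 sits under MG1, which is what the inheritance argument above relies on).
PARENT = {"MG1": "Tenant Root Group", "Sub1": "MG1", "RG1": "Sub1", "RG2": "Sub1"}

# Group memberships as stated in the explanation (the question's tables are not reproduced).
GROUPS = {"Group1": {"User1"}, "Group2": {"User2"}, "Group3": {"User3"}}

# The three role assignments performed in the question: (principal, role, scope).
ASSIGNMENTS = [
    ("User3", "Contributor", "Sub1"),
    ("Group1", "Virtual Machine Contributor", "MG1"),
    ("Group3", "Contributor", "Tenant Root Group"),
]

# Abridged action sets. Contributor covers compute and storage but, like Virtual
# Machine Contributor, never role assignments; VM Contributor covers compute only.
ROLE_ACTIONS = {
    "Contributor": {"Microsoft.Compute/virtualMachines/write",
                    "Microsoft.Storage/storageAccounts/write"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/write"},
}

def scope_chain(scope):
    """Yield the scope itself and every ancestor up to the Tenant Root Group."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)

def principals_for(user):
    """A user is evaluated as themselves plus every security group they belong to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}

def effective_roles(user, scope):
    """Roles reaching the scope: assigned to the user or their groups at the scope or an ancestor."""
    ids, chain = principals_for(user), set(scope_chain(scope))
    return {role for p, role, s in ASSIGNMENTS if p in ids and s in chain}

def can(user, action, scope):
    """True if any inherited role assignment grants the action at the scope."""
    return any(action in ROLE_ACTIONS[r] for r in effective_roles(user, scope))
```

When reviewing real assignments, the same walk up the scope chain is what the portal's "Check access" view performs, so a Contributor granted at the Tenant Root Group deserves the same scrutiny as a tenant-wide role.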


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://learn.microsoft.com/en-us/azure/governance/management-groups/manage
https://learn.microsoft.com/en-us/azure/defender-for-cloud/management-groups-roles



You have an Azure subscription that contains 1,000 resources.

You need to generate compliance reports for the subscription. The solution must ensure that the resources can be grouped by department.

What should you use to organize the resources?

  1. application groups and quotas
  2. Azure Policy and tags
  3. administrative units and Azure Lighthouse
  4. resource groups and role assignments

Answer(s): B

Explanation:

Compliance Report using Azure Policy
Azure Policy is a powerful tool for Azure governance. With Azure Policy we can define rules for all the Azure subscriptions that we manage. We can use these rules for simple restrictions, like permitting only specific VM series and sizes to be created, and also for more complex rule sets that help you standardize the whole Azure deployment.

Enforce tags for resource creation
So, why tags? Why do we need to add tags to all Azure resources? Microsoft Azure environments are getting bigger and bigger and are managed by multiple people and teams. That makes it difficult to understand who created a resource and what the purpose of that resource is. Another critical reason we need tags is cost management. In the Azure Cost Management portal, we can sort and arrange resource costs using the tags. This way we can provide an expense dashboard with the actual cost of the resources per department, project, or whatever tags we have added to the resource.
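An added example, not from the page: the "require a tag" rule expressed in Azure Policy's definition schema, evaluated over a constructed resource inventory to produce the per-department compliance counts the question asks for. The evaluator handles only the single `exists` condition this rule uses.

```python
from collections import defaultdict

# Constructed policy in Azure Policy's definition schema: the rule matches any
# resource that lacks the tag named by the 'tagName' parameter, and then denies it.
REQUIRE_TAG_POLICY = {
    "parameters": {"tagName": {"type": "String", "defaultValue": "department"}},
    "policyRule": {
        "if": {"field": "[concat('tags[', parameters('tagName'), ']')]",
               "exists": "false"},
        "then": {"effect": "deny"},
    },
}

# Constructed inventory standing in for the subscription's resources.
RESOURCES = [
    {"name": "vm-fin-01", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"department": "Finance"}},
    {"name": "st-hr-01", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"department": "HR"}},
    {"name": "vm-legacy", "type": "Microsoft.Compute/virtualMachines", "tags": {}},
    {"name": "kv-fin-01", "type": "Microsoft.KeyVault/vaults",
     "tags": {"department": "Finance", "env": "prod"}},
]

def required_tag(policy):
    """Tag name the rule refers to (resolves only the parameters('tagName') form used here)."""
    return policy["parameters"]["tagName"]["defaultValue"]

def is_compliant(resource, policy):
    """Evaluate the rule's single 'exists' condition; a matched rule means non-compliant."""
    want_exists = policy["policyRule"]["if"]["exists"] == "true"
    tag_present = required_tag(policy) in resource.get("tags", {})
    return tag_present != want_exists

def compliance_report(resources, policy):
    """Count compliant/non-compliant resources per department; untagged ones go to '(untagged)'."""
    tag = required_tag(policy)
    report = defaultdict(lambda: {"compliant": 0, "non_compliant": 0})
    for r in resources:
        dept = r.get("tags", {}).get(tag, "(untagged)")
        report[dept]["compliant" if is_compliant(r, policy) else "non_compliant"] += 1
    return dict(report)
```

With the deny effect the untagged resource could not have been created in the first place; with the audit effect it would instead appear in the report as non-compliant, which is the pattern to use when existing resources predate the policy.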


Reference:





