Microsoft AZ-305 Exam
Designing Microsoft Azure Infrastructure Solutions (Page 12)

Updated On: 12-Feb-2026

DRAG DROP (Drag and Drop is not supported)

You have a Microsoft Entra tenant that contains an administrative unit named MarketingAU. MarketingAU contains 100 users.

You create two users named User1 and User2.

You need to ensure that the users can perform the following actions in MarketingAU:

User1 must be able to create user accounts.

User2 must be able to reset user passwords.

The solution must use the principle of least privilege.

Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Note: Each correct selection is worth one point.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: User Administrator for the MarketingAU
User1 must be able to create user accounts.

User Administrator
Can manage all aspects of users and groups, including resetting passwords for limited admins.

Create users
Etc.

Roles that can be assigned with administrative unit scope
The following Microsoft Entra roles can be assigned with administrative unit scope.
* Helpdesk Administrator
* User Administrator
* Etc.

Box 2: Helpdesk Administrator for the MarketingAU
User2 must be able to reset user passwords.

Helpdesk Administrator
Can reset passwords for non-administrators and Helpdesk Administrators.

Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.
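The following is an added example, not part of the exam explanation or of Microsoft's documentation, showing how the two administrative-unit-scoped assignments described above are made and verified with the Microsoft Graph PowerShell SDK. The administrative unit and user names come from the question; the tenant domain `contoso.onmicrosoft.com`, the helper function name `Grant-ScopedDirectoryRole` and the requested Graph permission scopes are assumptions for the example. Roles are looked up by display name rather than by hard-coded template ID, and the final query confirms that each assignment is scoped to `/administrativeUnits/<id>` rather than tenant-wide (`/`), which is the least-privilege property the question asks for.

```powershell
# Added example: scope User Administrator and Helpdesk Administrator to MarketingAU.
# Assumes the Microsoft.Graph module is installed and the caller can manage role assignments.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All", "User.Read.All"

# Resolve the administrative unit from the question by display name.
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'MarketingAU'"
if (-not $au) { throw "Administrative unit 'MarketingAU' not found." }

# Hypothetical helper: assign one directory role to one user, scoped to one administrative unit.
function Grant-ScopedDirectoryRole {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [Parameter(Mandatory)] [string] $AdministrativeUnitId
    )
    $user = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'"
    if (-not $user) { throw "User '$UserPrincipalName' not found." }

    # Look the role up by name so no template ID has to be hard-coded.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "Role '$RoleDisplayName' not found." }

    # The directoryScopeId is what restricts the role to the administrative unit.
    New-MgRoleManagementDirectoryRoleAssignment `
        -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id `
        -DirectoryScopeId "/administrativeUnits/$AdministrativeUnitId"
}

# Box 1: User1 creates user accounts -> User Administrator, scoped to MarketingAU.
Grant-ScopedDirectoryRole -UserPrincipalName "user1@contoso.onmicrosoft.com" `
    -RoleDisplayName "User Administrator" -AdministrativeUnitId $au.Id

# Box 2: User2 resets passwords -> Helpdesk Administrator, scoped to MarketingAU.
Grant-ScopedDirectoryRole -UserPrincipalName "user2@contoso.onmicrosoft.com" `
    -RoleDisplayName "Helpdesk Administrator" -AdministrativeUnitId $au.Id

# Verification: list only assignments whose scope is this administrative unit.
# A tenant-wide assignment would show a DirectoryScopeId of "/" instead.
Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```

The verification step is worth keeping in a change script: the same cmdlet with `-DirectoryScopeId "/"` would grant the role across the whole tenant, and the only visible difference afterwards is the scope value on the assignment.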


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
https://learn.microsoft.com/en-us/azure/active-directory/roles/admin-units-assign-roles



HOTSPOT (Drag and Drop is not supported)

You are designing an app that will be hosted on Azure virtual machines that run Ubuntu. The app will use a third-party email service to send email messages to users. The third-party email service requires that the app authenticate by using an API key.

You need to recommend an Azure Key Vault solution for storing and accessing the API key. The solution must minimize administrative effort.

What should you recommend using to store and access the key? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Secret
Tutorial: Use Key Vault references in an ASP.NET Core app.

Add a secret to Key Vault
To add a secret to the vault, you need to take just a few additional steps. In this case, add a message that you can use to test Key Vault retrieval. The message is called Message, and you store the value “Hello from Key Vault” in it.

1. From the Key Vault properties pages, select Secrets.
2. Select Generate/Import.
3. In the Create a secret pane, enter the following values:
   * Upload options: Enter Manual.
   * Name: Enter Message.
   * Value: Enter Hello from Key Vault.
4. Leave the other Create secret properties with their default values.
5. Select Create.

Box 2: A managed service identity (MSI)
Grant your app access to Key Vault
Azure App Configuration won’t access your key vault. Your app will read from Key Vault directly, so you need to grant your app read access to the secrets in your key vault. This way, the secret always stays with your app. The access can be granted using either a Key Vault access policy or Azure role-based access control.

The tutorial's sample code uses DefaultAzureCredential. It's an aggregated token credential that automatically tries a number of credential types, like EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential, and VisualStudioCredential.

Alternatively, you can set the AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET environment variables, and DefaultAzureCredential will use the client secret you have via the EnvironmentCredential to authenticate with your key vault. After your app is deployed to an Azure service with managed identity enabled, such as Azure App Service, Azure Kubernetes Service, or Azure Container Instance, you grant the managed identity of the Azure service permission to access your key vault. DefaultAzureCredential automatically uses ManagedIdentityCredential when your app is running in Azure. You can use the same managed identity to authenticate with both App Configuration and Key Vault.
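The following is an added example, not part of the exam explanation or of the linked tutorial, showing the managed-identity flow from the question end to end with the Az PowerShell module: an administrator enables a system-assigned identity on the Ubuntu VM and grants it read access to secrets with Azure RBAC, and the VM then reads the API key without any stored credential. The resource group, VM, vault and secret names are placeholders, and the `Key Vault Secrets User` built-in role is used because it grants only secret reads, not key or certificate operations or vault management. The Az module runs on Linux, so the read step works on the VM itself; an app would more typically do the same read through an Azure SDK with DefaultAzureCredential, which resolves to the same managed identity.

```powershell
# Added example: grant a VM's managed identity read access to one vault, then read a secret.
# Part 1 runs from an administrator's session; Part 2 runs on the VM itself.
# All resource names below are placeholders.

# ----- Part 1: administrator -----
Connect-AzAccount

$rg        = "rg-email-app"
$vmName    = "vm-email-01"
$vaultName = "kv-email-app"          # globally unique in practice
$secret    = "EmailServiceApiKey"

# Enable a system-assigned managed identity on the VM (no-op if already enabled).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName   # re-read to pick up the principal ID

# Grant only secret reads, and only on this vault (scope = the vault's resource ID).
$kv = Get-AzKeyVault -VaultName $vaultName
New-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId `
    -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $kv.ResourceId

# Verify the assignment is narrow: it should list one role at the vault scope.
Get-AzRoleAssignment -ObjectId $vm.Identity.PrincipalId -Scope $kv.ResourceId |
    Select-Object RoleDefinitionName, Scope

# ----- Part 2: on the Ubuntu VM -----
# -Identity authenticates with the VM's managed identity; no client secret or
# AZURE_CLIENT_SECRET environment variable is ever present on the machine.
Connect-AzAccount -Identity | Out-Null

# Read the API key as plain text only at the point of use; do not write it to disk or logs.
$apiKey = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secret -AsPlainText
if ([string]::IsNullOrEmpty($apiKey)) { throw "Secret '$secret' could not be read from '$vaultName'." }
# $apiKey is now passed to the email client; it is not printed here.
```

Rotating the key later means updating the secret in the vault only; the VM keeps reading the current version, and nothing on the VM has to be redeployed, which is the "minimize administrative effort" property the question asks for.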


Reference:

https://learn.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core



DRAG DROP (Drag and Drop is not supported)

You have two app registrations named App1 and App2 in Azure AD. App1 supports role-based access control (RBAC) and includes a role named Writer.

You need to ensure that when App2 authenticates to access App1, the tokens issued by Microsoft Entra ID include the Writer role claim.

Which blade should you use to modify each app registration? To answer, drag the appropriate blades to the correct app registrations. Each blade may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Note: Each correct selection is worth one point.

Select and Place:


  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: App roles
App1 supports role-based access control (RBAC) and includes a role named Writer.

Implement role-based access control
Define app roles
The first step for implementing RBAC for an application is to define the app roles for it and assign users or groups to it. After defining the app roles and assigning users or groups to them, access the role assignments in the tokens coming into the application and act on them accordingly.

Box 2: Token configuration
You need to ensure that when App2 authenticates to access App1, the tokens issued by Microsoft Entra ID include the Writer role claim.

Configure optional claims
You can configure optional claims for your application through the Azure portal or application manifest.

1. Go to the Azure portal.
2. Search for and select Microsoft Entra ID.
3. Under Manage, select App registrations.
4. Choose the application for which you want to configure optional claims based on your scenario and desired outcome.
5. Under Manage, select Token configuration.
6. Etc.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-implement-rbac-for-apps
https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims



You have an Azure subscription.

You plan to deploy a monitoring solution that will include the following:

Azure Monitor Network Insights

Application Insights

Microsoft Sentinel

VM insights

The monitoring solution will be managed by a single team.

What is the minimum number of Azure Monitor workspaces required?

  1. 1
  2. 2
  3. 3
  4. 4

Answer(s): C

Explanation:

1: A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration but might combine data from multiple services.
1: With workspace-based resources, Application Insights sends telemetry to a common Log Analytics workspace, providing full access to all the features of Log Analytics while keeping your application, infrastructure, and platform logs in a single consolidated location.
1: VM insights collects its data from one or more Log Analytics workspaces in Azure Monitor. Prior to onboarding agents, you must create and configure a workspace.
The only requirement of the workspace is that it must be located in a supported location and be configured with the VMInsights solution.


Reference:



You have an Azure subscription that contains 10 web apps. The apps are integrated with Microsoft Entra ID and are accessed by users on different project teams.

The users frequently move between projects.

You need to recommend an access management solution for the web apps. The solution must meet the following requirements:

The users must only have access to the app of the project to which they are assigned currently.

Project managers must verify which users have access to their project’s app and remove users that are no longer assigned to their project.
Once every 30 days, the project managers must be prompted automatically to verify which users are assigned to their projects.

What should you include in the recommendation?

  1. Microsoft Entra ID Protection
  2. Microsoft Defender for Identity
  3. Microsoft Entra Permissions Management
  4. Microsoft Entra ID Governance

Answer(s): D

Explanation:

Microsoft Entra ID Governance allows you to balance your organization’s need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right principals have the right access to the right resources and at the right time.
The principals (or identities) whose access you can govern include users, groups, and applications (or service principals). The users can be your employees, business partners, vendors, or contractors. The resources to which you can govern access include groups, access packages, and privileged roles.
Note: Microsoft Entra access reviews
Use Microsoft Entra access reviews to configure one-time or recurring access reviews for attestation of a principal's right to access Microsoft Entra resources. The principals are users or applications (service principals). The Microsoft Entra resources include groups, applications (service principals), access packages, and privileged roles. Access reviews are a feature of Microsoft Entra ID Governance.

Typical customer scenarios for access reviews include:
* Customers can review and certify guest user access to groups through group memberships. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
* Customers can review and certify employee access to Microsoft Entra resources.
* Customers can review and audit assignments to Microsoft Entra privileged roles. This supports organizations in the management of privileged access.


Reference:





