Exam: AZ-305: Azure Infrastructure Solutions

Total Questions: 493

You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam,
Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the
Microsoft 365 E5 plan.
You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet the following requirements:
- To the manager of the developers, send a monthly email message that lists the access permissions to Application1.
- If the manager does not verify an access permission, automatically revoke that permission.
- Minimize development effort.
What should you recommend?
A. In Azure Active Directory (Azure AD), create an access review of Application1.
B. Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet.
C. In Azure Active Directory (Azure AD) Privileged Identity Management, create a custom role assignment for the Application1 resources.
D. Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet.
A ✅ Explanation: Azure AD access reviews are built for exactly this kind of periodic attestation and require no custom code. The Microsoft 365 E5 licence mentioned in the question matters because it includes Azure AD Premium P2, which is what access reviews require. Mapped to the requirements:
- Monthly email to the manager listing the permissions: an access review can recur monthly, and the reviewer (here, the developers' manager) is notified by email each time an instance opens.
- Automatic revocation when the manager does not verify a permission: set "If reviewers don't respond" to Deny and enable auto-apply of results; any assignment that is not approved is removed when the instance closes.
- Minimize development effort: this is a built-in identity governance feature, so there are no scripts, runbooks or mail plumbing to write or maintain.
❌ Why the other options are incorrect:
- B. Azure Automation runbook running Get-AzRoleAssignment: the cmdlet only enumerates role assignments; the monthly mail, the manager's verification workflow and the revocation logic would all have to be written, tested and maintained by you.
- C. PIM custom role assignment: PIM provides just-in-time activation and approval for privileged roles; it does not give a manager a recurring attestation of existing assignments.
- D. Azure Automation runbook running Get-AzureADUserAppRoleAssignment: the same development burden as B, and the cmdlet returns Azure AD application role assignments, not the Azure RBAC permissions the question describes.

You have an Azure subscription. The subscription has a blob container that contains multiple blobs.
Ten users in the finance department of your company plan to access the blobs during the month of April.
You need to recommend a solution to enable access to the blobs during the month of April only.
Which security solution should you include in the recommendation?
A. shared access signatures (SAS)
B. Conditional Access policies
C. certificates
D. access keys
A ✅ Explanation: A shared access signature (SAS) grants time-limited, scoped access to storage resources without handing out the account keys, which is what a one-month grant to ten users calls for.
- Time-bound: set the start time to 1 April and the expiry to the start of 1 May; the service rejects the token outside that window, so nothing has to be revoked manually when April ends.
- Granular permissions: read, list, write or delete can be scoped to the container or to individual blobs.
- No standing credentials: the finance users receive only the signed URL, not account-level access or long-term role assignments.
Caveat: a SAS signed with an account key can only be revoked early by rotating that key, or, if the SAS references a stored access policy, by deleting the policy. A user delegation SAS, signed with Azure AD credentials instead of the account key, avoids that problem and is the preferred form where Azure AD authentication to storage is available.
❌ Why the other options are incorrect:
- B. Conditional Access policies: control the conditions of Azure AD sign-in (device, location, MFA); they have no notion of a grant that expires at the end of a month and do not by themselves authorize access to specific blobs.
- C. Certificates: not an authorization mechanism for Blob Storage data access.
- D. Access keys: give full control of the entire storage account and never expire on their own; sharing them with ten users for one month is the opposite of least privilege.
✅ Summary: a SAS scoped to the finance blobs and valid only during April meets the requirement.
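The time window a SAS carries is not a policy the storage service looks up; it is a set of signed query parameters (sp, st, se, sr, sv) that the service re-validates on every request. The Python below is an added illustration, not part of the original page or of any Microsoft SDK: it mints a service SAS for one blob that is valid only during April 2024 and then plays the storage service's role in checking it, including a tampered expiry. The account name, container, blob and account key are constructed demo values. The string-to-sign layout follows the documented service SAS format for version 2020-12-06; in practice you would call the Azure SDK or New-AzStorageBlobSASToken rather than hand-roll this.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed demo values; DEMO_KEY is not a real storage account key.
ACCOUNT = "contosofinance"
CONTAINER = "finance"
BLOB = "april-report.xlsx"
DEMO_KEY = base64.b64encode(bytes(range(64))).decode("ascii")


def _string_to_sign(account, container, blob, permissions, start, expiry, protocol, ip):
    """Field order of the documented blob service-SAS string-to-sign (2020-12-06+)."""
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [
        permissions, start, expiry, canonical,
        "",                    # signedIdentifier: no stored access policy
        ip,                    # signedIP
        protocol,              # signedProtocol
        SAS_VERSION,           # signedVersion
        "b",                   # signedResource: a single blob
        "",                    # signedSnapshotTime
        "",                    # signedEncryptionScope
        "", "", "", "", "",    # rscc, rscd, rsce, rscl, rsct response-header overrides
    ]
    return "\n".join(fields)


def _sign(account_key_b64, string_to_sign):
    """HMAC-SHA256 over the string-to-sign with the base64-decoded account key."""
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_blob_sas(account, account_key_b64, container, blob, permissions, start, expiry):
    """Return the SAS query string; st/se are the only thing that bounds it in time."""
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    sig = _sign(account_key_b64,
                _string_to_sign(account, container, blob, permissions, st, se, "https", ""))
    return urlencode({"sv": SAS_VERSION, "sr": "b", "sp": permissions,
                      "st": st, "se": se, "spr": "https", "sig": sig})


def authorize(sas_query, account, account_key_b64, container, blob, now):
    """What the service does on each request: recompute the signature over the
    parameters actually presented, then enforce the signed time window."""
    q = {k: v[0] for k, v in parse_qs(sas_query, keep_blank_values=True).items()}
    expected = _sign(account_key_b64,
                     _string_to_sign(account, container, blob, q["sp"], q["st"], q["se"],
                                     q.get("spr", ""), q.get("sip", "")))
    if not hmac.compare_digest(expected, q["sig"]):
        return "deny: signature mismatch"      # edited parameters or wrong resource
    start = datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now < start:
        return "deny: not yet valid"
    if now >= expiry:
        return "deny: expired"
    return f"allow: {q['sp']}"


# Read-only token for the April scenario: valid from 1 April up to (not including) 1 May UTC.
APRIL_SAS = make_blob_sas(ACCOUNT, DEMO_KEY, CONTAINER, BLOB, "r",
                          datetime(2024, 4, 1, tzinfo=timezone.utc),
                          datetime(2024, 5, 1, tzinfo=timezone.utc))


def demo_checks():
    """Exercise the April token at constructed request times and against a tampered copy."""
    utc = timezone.utc
    args = (ACCOUNT, DEMO_KEY, CONTAINER, BLOB)
    tampered = APRIL_SAS.replace("2024-05-01", "2024-06-01")   # se edited without re-signing
    return {
        "before_april": authorize(APRIL_SAS, *args, datetime(2024, 3, 31, 23, 59, 59, tzinfo=utc)),
        "mid_april": authorize(APRIL_SAS, *args, datetime(2024, 4, 15, 12, 0, tzinfo=utc)),
        "first_of_may": authorize(APRIL_SAS, *args, datetime(2024, 5, 1, tzinfo=utc)),
        "other_blob": authorize(APRIL_SAS, ACCOUNT, DEMO_KEY, CONTAINER, "budget.xlsx",
                                datetime(2024, 4, 15, tzinfo=utc)),
        "tampered_expiry": authorize(tampered, *args, datetime(2024, 5, 15, tzinfo=utc)),
    }


if __name__ == "__main__":
    for name, verdict in demo_checks().items():
        print(f"{name:16} {verdict}")
```

The two failure cases are the ones worth remembering: the same token is useless against a different blob because the canonicalized resource is inside the signature, and extending se by hand is detected because the service signs the parameters it is given, not the ones the issuer intended.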

You have an Azure Active Directory (Azure AD) tenant that syncs with an on-premises Active Directory domain.
You have an internal web app named WebApp1 that is hosted on-premises. WebApp1 uses Integrated Windows authentication.
Some users work remotely and do NOT have VPN access to the on-premises network.
You need to provide the remote users with single sign-on (SSO) access to WebApp1.
Which two features should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD Application Proxy
B. Azure AD Privileged Identity Management (PIM)
C. Conditional Access policies
D. Azure Arc
E. Azure AD enterprise applications
F. Azure Application Gateway
AE ✅ Explanation: Remote users need SSO to an on-premises web app that uses Integrated Windows authentication, without a VPN. Two features together provide it:
- A. Azure AD Application Proxy: publishes WebApp1 through an external endpoint. The Application Proxy connector installed on-premises makes only outbound connections, so no inbound firewall ports or VPN are needed. Users pre-authenticate to Azure AD, and the connector performs Kerberos constrained delegation (KCD) to WebApp1 on the user's behalf, which is how SSO to an IWA application is achieved.
- E. Azure AD enterprise applications: the published app appears as an enterprise application in Azure AD. That object is where user and group assignment, the single sign-on mode (Integrated Windows Authentication with the delegated SPN) and any Conditional Access targeting are configured.
❌ Why the others are incorrect:
- B. Azure AD Privileged Identity Management (PIM): just-in-time activation of privileged roles; unrelated to publishing apps or SSO.
- C. Conditional Access policies: can add device or MFA requirements on top of the published app, but are not required to provide SSO access.
- D. Azure Arc: manages servers and Kubernetes clusters outside Azure; it does not publish web apps.
- F. Azure Application Gateway: a layer-7 load balancer and web application firewall; it does not provide Azure AD pre-authentication for on-premises apps or SSO via KCD.
✅ Summary: A. Azure AD Application Proxy publishes WebApp1 and performs the KCD-based SSO; E. Azure AD enterprise applications is where the published app and its SSO settings are managed.

You have an Azure Active Directory (Azure AD) tenant named contoso.com that has a security group named Group1. Group1 is configured for assigned membership. Group1 has 50 members, including 20 guest users.
You need to recommend a solution for evaluating the membership of Group1. The solution must meet the following requirements:
- The evaluation must be repeated automatically every three months.
- Every member must be able to report whether they need to be in Group1.
- Users who report that they do not need to be in Group1 must be removed from Group1 automatically.
- Users who do not report whether they need to be in Group1 must be removed from Group1 automatically.
What should you include in the recommendation?
A. Implement Azure AD Identity Protection.
B. Change the Membership type of Group1 to Dynamic User.
C. Create an access review.
D. Implement Azure AD Privileged Identity Management (PIM).
C ✅ Explanation: Azure AD access reviews address each requirement directly:
- Repeated automatically every three months: the review recurrence can be set to quarterly.
- Every member reports on their own need: select "Users review their own access" as the reviewer type; the 20 guest users are reviewed the same way as members.
- Members who say they no longer need access are removed automatically: enable auto-apply of results to the group.
- Members who do not respond are removed automatically: set "If reviewers don't respond" to Deny, combined with auto-apply.
Group1 must stay an assigned-membership group for this to work, because decisions are applied by removing members.
Incorrect options:
- A. Azure AD Identity Protection: detects user and sign-in risk and drives risk-based Conditional Access; it does not evaluate group membership.
- B. Dynamic User membership: membership is computed from attribute rules, so neither a member's reply nor a review decision can remove anyone; it supports no self-evaluation or periodic review.
- D. Privileged Identity Management (PIM): manages activation of privileged roles, not attestation of general group membership.
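The two access review questions above (the monthly manager review of the Fabrikam developers, and the quarterly self-review of Group1) differ only in scope, reviewer and recurrence; the settings that satisfy "remove anyone who does not respond" are the same. The Python below is an added example, not part of the original page and not a Microsoft SDK: it builds the Microsoft Graph accessReviewScheduleDefinition body for both reviews and then simulates what the service does when an instance closes. The group object IDs are placeholders, and scoping the Fabrikam review to a group that contains the developers is an assumption made for illustration.

```python
"""Build Graph accessReviewScheduleDefinition bodies and simulate decision application."""
from datetime import date

# Placeholder object IDs (assumptions for the example).
GROUP1_ID = "00000000-0000-0000-0000-000000000001"
FABRIKAM_DEVS_GROUP_ID = "00000000-0000-0000-0000-000000000002"

# Reviewer scope that resolves to each reviewed user's manager.
MANAGER_REVIEWER = [{"query": "./manager", "queryType": "MicrosoftGraph", "queryRoot": "decisions"}]


def access_review_definition(*, display_name, scope_query, reviewers,
                             interval_months, duration_days, start=date(2024, 1, 1)):
    """Return a Graph accessReviewScheduleDefinition body.

    reviewers: reviewer scopes; an empty list means the reviewed users review their
    own access (the Graph contract for a self-review).
    The three settings that remove non-responders are defaultDecisionEnabled,
    defaultDecision "Deny" and autoApplyDecisionsEnabled.
    """
    return {
        "displayName": display_name,
        "descriptionForAdmins": "Periodic attestation of access",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": scope_query,
            "queryType": "MicrosoftGraph",
        },
        "reviewers": reviewers,
        "settings": {
            "mailNotificationsEnabled": True,        # reviewers are emailed when an instance opens
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": False,
            "defaultDecisionEnabled": True,          # apply a default to anyone not reviewed...
            "defaultDecision": "Deny",               # ...and that default is removal
            "instanceDurationInDays": duration_days,
            "autoApplyDecisionsEnabled": True,       # apply results without an admin clicking Apply
            "recommendationsEnabled": True,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": interval_months,
                            "month": 0, "dayOfMonth": 0},
                "range": {"type": "noEnd", "startDate": start.isoformat()},
            },
        },
    }


# Group1: every three months, members review themselves, non-responders removed.
GROUP1_REVIEW = access_review_definition(
    display_name="Group1 quarterly membership review",
    scope_query=f"/groups/{GROUP1_ID}/transitiveMembers",
    reviewers=[],                    # self-review
    interval_months=3, duration_days=14)

# Fabrikam developers: monthly, the developers' manager reviews, non-verified access removed.
FABRIKAM_REVIEW = access_review_definition(
    display_name="Application1 monthly access review",
    scope_query=f"/groups/{FABRIKAM_DEVS_GROUP_ID}/transitiveMembers",   # assumed scope
    reviewers=MANAGER_REVIEWER,
    interval_months=1, duration_days=7)


def apply_decisions(definition, decisions):
    """Simulate the end of a review instance.

    decisions: {principal: "Approve" | "Deny" | None}; None means nobody responded.
    Returns (kept, removed). With autoApply disabled nothing changes automatically.
    """
    settings = definition["settings"]
    default = settings["defaultDecision"] if settings["defaultDecisionEnabled"] else None
    kept, removed = [], []
    for principal, decision in decisions.items():
        effective = decision or default
        if effective == "Deny" and settings["autoApplyDecisionsEnabled"]:
            removed.append(principal)
        else:
            kept.append(principal)
    return kept, removed


if __name__ == "__main__":
    outcome = apply_decisions(GROUP1_REVIEW, {"alice": "Approve", "bob": "Deny", "guest-carol": None})
    print("kept:", outcome[0], "removed:", outcome[1])
```

The simulation is what makes the settings concrete: alice approves her own access and stays, bob says he no longer needs it and is removed, and the guest who never answers is removed by the Deny default. Flip defaultDecision to "Approve", or disable autoApplyDecisionsEnabled, and the fourth requirement of the Group1 question is no longer met.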

You plan to deploy Azure Databricks to support a machine learning application. Data engineers will mount an Azure Data Lake Storage account to the Databricks file system. Permissions to folders are granted directly to the data engineers.
You need to recommend a design for the planned Databricks deployment. The solution must meet the following requirements:
- Ensure that the data engineers can only access folders to which they have permissions.
- Minimize development effort.
- Minimize costs.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area: (question and answer images not reproduced)

You plan to deploy an Azure web app named App1 that will use Azure Active Directory (Azure AD) authentication.
App1 will be accessed from the internet by the users at your company. All the users have computers that run Windows 10 and are joined to Azure AD.
You need to recommend a solution to ensure that the users can connect to App1 without being prompted for authentication and can access App1 only from company-owned computers.
What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area: (question and answer images not reproduced)

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.
Solution: Use Azure Traffic Analytics in Azure Network Watcher to analyze the network traffic.
Does this meet the goal?
A. Yes
B. No
B ✅ Explanation: Traffic Analytics processes NSG flow logs into aggregated traffic statistics and topology over time, and only for NSGs with flow logging already enabled. It is not the point-in-time check of whether a specific packet to a specific VM is allowed or denied, and which rule decides it, that the question asks for; IP flow verify in Network Watcher is the tool for that.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.
Solution: Use Azure Advisor to analyze the network traffic.
Does this meet the goal?
A. Yes
B. No
B ✅ Explanation: Azure Advisor produces recommendations on cost, security, reliability, performance and operational excellence from resource configuration and usage. It does not analyze network traffic or evaluate whether packets to a VM are allowed or denied.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity.
Several virtual machines exhibit network connectivity issues.
You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.
Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic.
Does this meet the goal?
A. Yes
B. No
A ✅ Explanation: The solution meets the goal. IP flow verify in Azure Network Watcher takes a VM network interface and a 5-tuple (direction, protocol, local and remote IP address, local and remote port) and evaluates it against the effective network security group rules on that NIC and its subnet. It returns Allow or Deny and names the rule that produced the verdict, which is exactly "are packets to this VM being allowed or denied".
Caveats: IP flow verify evaluates NSG rules only. It does not capture packets or inspect payloads, and it cannot explain drops caused by routing, on-premises firewalls or the ExpressRoute configuration; for those you would turn to packet capture, next hop or connection troubleshoot in Network Watcher. For the question as posed, it is sufficient.
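Knowing how the verdict is produced helps when reading IP flow verify output: NSG rules are evaluated in ascending priority order, the first match decides, and the built-in default rules (priorities 65000 and above) catch everything else. The Python below is an added illustration of that evaluation order, not an Azure tool and not from the original page. The NSG, the traffic and the address ranges behind the VirtualNetwork, AzureLoadBalancer and Internet service tags are constructed for the example (the real VirtualNetwork tag does include address space reachable over ExpressRoute, which is why on-premises traffic matches AllowVnetInBound; the real Internet tag excludes the VNet, which is simplified here). NIC-level and subnet-level NSGs are merged into one list rather than evaluated separately.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for Azure service tags (illustration only).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "192.168.0.0/16"],   # VNet plus on-prem range via ExpressRoute
    "AzureLoadBalancer": ["168.63.129.16/32"],               # Azure health-probe source address
    "Internet": ["0.0.0.0/0"],                               # simplified: really everything not VNet
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    source: str            # CIDR, service tag or "*"
    source_port: str       # "*", "22", "1000-2000" or "80,443"
    destination: str
    destination_port: str


# The default rules every NSG carries; they cannot be deleted, only overridden by lower priorities.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed custom rules on the troubled VM's NSG.
NSG_VM1 = [
    Rule("DenyRdpFromOnPrem", 100, "Inbound", "Deny", "Tcp", "192.168.0.0/16", "*", "*", "3389"),
    Rule("AllowHttpsFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
]


def _addr_match(spec, ip):
    if spec == "*":
        return True
    nets = SERVICE_TAGS.get(spec, [spec])          # a tag expands to its ranges, else it is a CIDR
    return any(ip_address(ip) in ip_network(n) for n in nets)


def _port_match(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):                   # "80,443" or "1000-2000" or "22"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def ip_flow_verify(custom_rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule_name) for the first rule that matches in priority order."""
    candidates = sorted((r for r in custom_rules + DEFAULT_RULES if r.direction == direction),
                        key=lambda r: r.priority)
    for r in candidates:
        if ((r.protocol == "*" or r.protocol.lower() == protocol.lower())
                and _addr_match(r.source, src_ip) and _port_match(r.source_port, src_port)
                and _addr_match(r.destination, dst_ip) and _port_match(r.destination_port, dst_port)):
            return r.access, r.name
    return "Deny", "(no rule matched)"             # unreachable while the default rules are present


if __name__ == "__main__":
    # On-premises admin (reached over ExpressRoute) trying RDP and SSH to the Azure VM.
    print(ip_flow_verify(NSG_VM1, "Inbound", "Tcp", "192.168.10.5", 51000, "10.0.1.4", 3389))
    print(ip_flow_verify(NSG_VM1, "Inbound", "Tcp", "192.168.10.5", 51000, "10.0.1.4", 22))
```

For the RDP case the answer is Deny by DenyRdpFromOnPrem, which is the line IP flow verify would show you; for SSH it is Allow by AllowVnetInBound, because the on-premises range is part of the VirtualNetwork tag. If the SSH session still fails, the NSG is not the problem and the investigation moves to routing or the on-premises side, which is precisely the caveat above.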

You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016 and Linux.
You need to use Azure Monitor to design an alerting strategy for security-related events.
Which Azure Monitor Logs tables should you query? To answer, drag the appropriate tables to the correct log types. Each table may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place: (question and answer images not reproduced)