Microsoft AZ-305 Exam Dumps & Practice Test Questions
Question No 1:
You manage an Azure subscription containing a custom application called Application1, which was created by an external company named Fabrikam, Ltd. Developers from Fabrikam have been assigned role-based access control (RBAC) permissions on various parts of Application1. All users have Microsoft 365 E5 licenses. You need to suggest a solution that meets the following criteria:
Sends a monthly email to the developers’ manager detailing their access permissions to Application1.
Automatically removes permissions for any developer whose access is not verified by the manager.
Requires minimal development or manual effort.
Which solution should you recommend?
A. Create an access review for Application1 in Azure Active Directory (Azure AD).
B. Use an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet.
C. Set up a custom role assignment for Application1 resources in Azure AD Privileged Identity Management (PIM).
D. Use an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet.
Answer: A
Explanation:
The scenario calls for a process to routinely verify and manage developer access to Application1. The solution must notify the manager monthly with details of the current access, automatically revoke permissions if the manager does not confirm continued access, and minimize the need for custom development or manual oversight.
Azure Active Directory’s Access Reviews (Option A) precisely address these requirements. This feature enables administrators to create scheduled access reviews for applications like Application1. During each review cycle, the assigned manager receives an email listing the users with access and is prompted to approve or deny their continued permissions. If the manager does not respond within the configured timeframe, Azure AD can automatically revoke the unverified permissions, ensuring access is always current and compliant with organizational policies.
This approach leverages a built-in, low-code solution requiring minimal configuration and no custom scripting, aligning perfectly with the requirement to minimize development effort. It also provides a clear audit trail and compliance management for access governance.
The other options present challenges or lack native features for this scenario:
Option B involves using Azure Automation with the Get-AzRoleAssignment cmdlet, which can retrieve role assignments but requires significant custom scripting to generate emails, track approvals, and perform automatic revocation, making it labor-intensive and error-prone.
Option C, Azure AD Privileged Identity Management, focuses on managing just-in-time access and privileged roles, not routine access reviews or automatic email notifications for regular app permissions.
Option D also requires custom scripting with the Get-AzureADUserAppRoleAssignment cmdlet to gather app role assignments but does not provide a built-in review or approval workflow, increasing complexity.
Therefore, Option A is the most efficient and effective solution for this scenario, combining automation, minimal development, and built-in compliance features.
Question No 2:
You have an Azure subscription with a blob container containing multiple blobs. Ten finance users need access only during April. What security solution ensures access is limited to April only?
A. Shared access signatures (SAS)
B. Conditional Access policies
C. Certificates
D. Access keys
Answer: A
Explanation:
The requirement is to allow access to blob storage only during a specific time frame (April). Shared Access Signatures (SAS) are designed precisely for this scenario. SAS tokens grant limited, time-bound access to Azure Storage resources without exposing your account keys. They allow you to:
Define granular permissions (read, write, delete).
Specify an expiration time, such as April 30th.
Limit access scope to particular containers or blobs.
By generating SAS tokens valid only for April, you ensure that users cannot access blobs before or after this period.
The other options do not meet these requirements effectively:
Conditional Access policies control user sign-in conditions like device compliance or location but do not provide fine-grained, time-limited access to specific storage resources.
Certificates are used primarily for authentication or encryption but do not inherently enforce time-based resource access control.
Access keys provide full control over the entire storage account and do not support scoped or time-limited access, which risks overexposure.
Thus, SAS is the best fit to provide temporary, limited access to blob storage based on a specific time window.
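As an added illustration (not part of the original question set), the following Azure PowerShell issues a read-only SAS for the container that is valid only during April, backed by a stored access policy so the access can be revoked early; the storage account, container, resource group and year are placeholders.

```powershell
# Added example, not from the original page. Placeholders: storage account stfinance01,
# container reports, resource group rg-finance, and the year 2025.
Connect-AzAccount | Out-Null

# A month-long SAS has to be a service SAS signed with the account key (a user delegation
# SAS is capped at seven days), so the context is built from the key, not the signed-in user.
$key = (Get-AzStorageAccountKey -ResourceGroupName 'rg-finance' -Name 'stfinance01')[0].Value
$ctx = New-AzStorageContext -StorageAccountName 'stfinance01' -StorageAccountKey $key

# Window: 1 April 00:00 UTC up to (not including) 1 May 00:00 UTC.
$start  = [datetime]::new(2025, 4, 1, 0, 0, 0, [DateTimeKind]::Utc)
$expiry = [datetime]::new(2025, 5, 1, 0, 0, 0, [DateTimeKind]::Utc)

# Keep the permissions and the window in a stored access policy on the container so the
# SAS can be revoked before May simply by deleting the policy.
New-AzStorageContainerStoredAccessPolicy -Container 'reports' -Policy 'finance-april' `
    -Permission 'rl' -StartTime $start -ExpiryTime $expiry -Context $ctx | Out-Null

# Issue the token against that policy, HTTPS only, and hand the full URI to the finance users.
$sasUri = New-AzStorageContainerSASToken -Name 'reports' -Policy 'finance-april' `
    -Protocol HttpsOnly -FullUri -Context $ctx
$sasUri

# Confirm the window the storage service will enforce before distributing the URI.
Get-AzStorageContainerStoredAccessPolicy -Container 'reports' -Policy 'finance-april' -Context $ctx

# Early revocation, should the project end before May:
# Remove-AzStorageContainerStoredAccessPolicy -Container 'reports' -Policy 'finance-april' -Context $ctx
```

Because the start and expiry live inside the signed policy, a user holding the URI cannot extend the window, and the account key itself is never shared.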
Question No 3:
Your Azure AD tenant syncs with on-premises AD. An internal web app uses Integrated Windows Authentication (IWA). Remote users without VPN need Single Sign-On (SSO) access to this app. Which two features support this?
A. Azure AD Application Proxy
B. Azure AD Privileged Identity Management (PIM)
C. Conditional Access policies
D. Azure Arc
E. Azure AD enterprise applications
F. Azure Application Gateway
Answer: A, E
Explanation:
The goal is to enable remote users to access an internal web app using SSO without VPN. The ideal solution involves:
Azure AD Application Proxy (A): This service securely publishes on-premises web apps externally, enabling remote users to connect via Azure AD authentication. It bridges external access to internal resources, enforcing SSO and removing the need for VPN.
Azure AD Enterprise Applications (E): Registering the on-premises app as an enterprise application in Azure AD allows configuring SSO and managing user access centrally. This supports integrated authentication flows like IWA via the Application Proxy.
The other options are unsuitable:
PIM (B) manages privileged roles, not remote app access.
Conditional Access (C) controls access conditions but does not provide connectivity or SSO for on-premises apps.
Azure Arc (D) manages hybrid infrastructure but is unrelated to app proxying or SSO.
Azure Application Gateway (F) is a web traffic load balancer, not a proxy for integrated SSO to on-prem apps.
Together, Azure AD Application Proxy and enterprise applications enable secure, VPN-free, SSO access to internal web apps like the one in this scenario.
Question No 4:
You manage an Azure Active Directory (Azure AD) tenant named contoso.com, which includes a security group called Group1. Group1 currently has 50 members, of which 20 are guest users. You need to suggest a solution to evaluate Group1’s membership based on these conditions: the evaluation should automatically run every three months; every member should be able to report if they still need group membership; users who say they no longer need to be in Group1 or who don’t respond at all must be removed automatically.
What should you recommend?
A. Implement Azure AD Identity Protection
B. Change the Membership type of Group1 to Dynamic User
C. Create an access review
D. Implement Azure AD Privileged Identity Management (PIM)
Answer: C
Explanation:
The best approach for periodically reviewing and managing the membership of Group1 based on user feedback is to create an access review in Azure AD. Access reviews are a native feature designed to help organizations automatically evaluate users’ access to resources on a scheduled basis, ensuring that only the appropriate users maintain membership.
First, access reviews can be configured to run automatically at defined intervals, such as every three months, which satisfies the requirement for periodic evaluation without manual intervention. This automation saves administrators time and effort in maintaining group memberships accurately.
Second, during an access review, members of the group are prompted to confirm whether they still need access. This self-reporting mechanism allows users to declare if they need to remain in the group, directly aligning with the requirement that each member can report on their membership status.
Third, if users respond that they no longer require membership or if they fail to respond at all, the access review can be set to automatically remove them from the group. This ensures that the group membership stays current and relevant without requiring additional manual cleanup steps.
The other options do not meet all these requirements. Azure AD Identity Protection focuses on identity security risk detection rather than membership management. Changing Group1’s membership to Dynamic User bases group membership on attributes but doesn’t allow member feedback or automatic removal based on responses. Azure AD Privileged Identity Management manages privileged roles, not regular group memberships, so it’s unsuitable here.
Therefore, creating an access review provides the most efficient, automated, and user-inclusive solution to ensure that Group1’s membership is regularly evaluated and updated according to users’ needs.
Question No 5:
Your company has deployed multiple virtual machines (VMs) both on-premises and in Azure, connected via ExpressRoute. Some VMs are experiencing network connectivity problems. You want to analyze network traffic to identify if packets are being allowed or denied to these VMs.
You propose using Azure Traffic Analytics within Azure Network Watcher to analyze the traffic. Does this solution fulfill the goal?
A. Yes
B. No
Answer: A
Explanation:
Azure Traffic Analytics, a feature of Azure Network Watcher, is a powerful tool for monitoring and analyzing network traffic flows within an Azure environment. It leverages flow logs generated by Network Security Groups (NSGs) to provide insights into traffic patterns, including whether network packets are allowed or denied.
By using Traffic Analytics, you can visualize the sources and destinations of network traffic, identify common traffic paths, and pinpoint any dropped or blocked packets due to NSG or firewall rules. This granular visibility is crucial when troubleshooting connectivity issues on VMs connected via ExpressRoute to on-premises infrastructure.
Traffic Analytics helps detect problems such as misconfigured firewalls, incorrect routing, or network security policies that might block essential traffic. Since it integrates directly with Azure Network Watcher and NSG flow logs, it provides detailed and automated reporting, enabling faster identification of root causes behind network connectivity problems.
Other monitoring tools like Azure Monitor or Azure Advisor are more focused on resource performance, cost, or high-level recommendations rather than detailed traffic flow analysis. Therefore, they are not as suitable for diagnosing allowed or denied network packets.
Given these capabilities, using Azure Traffic Analytics meets the objective of analyzing network traffic to determine if packets to your VMs are allowed or denied. Hence, the correct answer is A.
Question No 6:
Your organization uses several virtual machines both on-premises and in Azure, connected through ExpressRoute. Recently, some VMs have encountered network connectivity issues. You consider using Azure Advisor to analyze the network traffic to check if packets are being allowed or denied by network configurations.
Will Azure Advisor fulfill this goal?
A. Yes
B. No
Answer: B
Explanation:
Azure Advisor is a service designed to provide recommendations to optimize your Azure resources in terms of cost efficiency, security, performance, and reliability. While it offers valuable guidance for improving your Azure environment, it does not provide detailed network traffic analysis or packet-level diagnostics required to troubleshoot connectivity issues.
Specifically, Azure Advisor does not analyze network traffic flows or determine if specific packets are allowed or denied by network security groups (NSGs), firewalls, or routing rules. It cannot provide real-time traffic insights or diagnose network connectivity problems by inspecting packet flow.
For detailed analysis of network traffic, tools like Azure Network Watcher and its features—such as Traffic Analytics and IP Flow Verify—are designed to capture and analyze packet flow data. These tools simulate traffic and report on whether packets are permitted or blocked by your network security policies, allowing for precise troubleshooting.
Because Azure Advisor focuses on high-level configuration recommendations and lacks the necessary packet-level analysis, it cannot meet the goal of diagnosing network connectivity issues by verifying traffic allowance or denial.
Therefore, the correct answer is B—Azure Advisor is not suitable for analyzing network traffic to determine if packets are allowed or denied. For this purpose, Azure Network Watcher’s diagnostic tools should be used instead.
Question No 7:
Your company uses several virtual machines (VMs) both on-premises and in Azure, connected via ExpressRoute for secure, high-performance networking. Some VMs are facing network connectivity problems. To troubleshoot, you want to analyze network traffic to check if packets are allowed or denied by network security rules, firewalls, or routing settings. You suggest using Azure Network Watcher’s IP flow verify tool to analyze traffic and confirm if packets are allowed or denied. Does this solution fulfill the requirement?
A. Yes
B. No
Answer: A
Explanation:
This scenario involves diagnosing network connectivity issues between on-premises VMs and Azure VMs connected over ExpressRoute. The goal is to understand whether network packets are being permitted or blocked by security or routing rules.
Azure Network Watcher is a specialized monitoring and diagnostic service within Azure designed precisely for these kinds of network issues. One of its key features is IP Flow Verify, which simulates network traffic flows and determines if packets would be allowed or denied based on Network Security Groups (NSGs), firewalls, or route tables.
Here’s why Azure Network Watcher with IP Flow Verify is the ideal choice:
Azure Network Watcher Overview: It offers tools to monitor, diagnose, and gain insights into Azure network resources. It helps validate network connectivity and analyze traffic patterns, making it a comprehensive solution for troubleshooting.
IP Flow Verify Feature: This tool allows you to specify a source IP, destination IP, port numbers, and protocol to simulate a network packet’s journey. It checks the packet against all relevant network security rules—such as NSGs and firewalls—and routing configurations to determine if it would be permitted or blocked. This is critical for pinpointing the root cause of connectivity issues.
Use with ExpressRoute: Since ExpressRoute provides private, high-speed connectivity between on-premises and Azure environments, the IP Flow Verify tool helps ensure that the network policies along this path are correctly configured and not inadvertently blocking traffic.
Practical Benefits: By running IP Flow Verify, you can directly observe the impact of NSGs, firewall rules, or routing settings on your traffic flows without manually analyzing complex rule sets or logs. This targeted simulation significantly speeds up diagnosis.
In conclusion, using Azure Network Watcher’s IP Flow Verify tool directly addresses the goal of analyzing network traffic to see if packets are allowed or denied, helping to troubleshoot connectivity issues efficiently. Therefore, the correct answer is A.
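As an added illustration (not the page's own material), this Azure PowerShell runs IP flow verify for one inbound flow to a single VM and reports the verdict together with the rule that produced it; the resource group, VM name, region and on-premises address are placeholders.

```powershell
# Added example, not from the original page. Placeholders: resource group rg-prod,
# VM vm-app01, region eastus, and an on-premises client at 10.10.0.25.
Connect-AzAccount | Out-Null

# Network Watcher instances use the default naming convention per region.
$nw = Get-AzNetworkWatcher -ResourceGroupName 'NetworkWatcherRG' -Name 'NetworkWatcher_eastus'

# Resolve the VM and the private IP of its first NIC; that is the "local" side of the flow.
$vm   = Get-AzVM -ResourceGroupName 'rg-prod' -Name 'vm-app01'
$nic  = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$vmIp = $nic.IpConfigurations[0].PrivateIpAddress

# Simulate an inbound HTTPS connection from the on-premises host over ExpressRoute.
$result = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw `
    -TargetVirtualMachineId $vm.Id `
    -Direction Inbound -Protocol TCP `
    -LocalIPAddress $vmIp -LocalPort 443 `
    -RemoteIPAddress '10.10.0.25' -RemotePort 50000

# Access is Allow or Deny; RuleName identifies the NSG rule that decided the outcome.
"{0} by rule '{1}'" -f $result.Access, $result.RuleName
```

Running the same command with -Direction Outbound and the ports swapped checks the return path, which is often where a connectivity problem actually sits.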
Question No 8:
You have an Azure subscription and you are designing a data platform solution that must store large amounts of structured and unstructured data. The solution needs to support querying by multiple users concurrently and provide near real-time analytics.
Which Azure service should you recommend to meet these requirements?
A. Azure Data Lake Storage Gen2
B. Azure Synapse Analytics
C. Azure Blob Storage
D. Azure SQL Database
Answer: B
Explanation:
The requirement specifies a data platform capable of storing large volumes of both structured and unstructured data, supporting multiple concurrent users querying data, and offering near real-time analytics capabilities.
Azure Synapse Analytics (Option B) is designed as an integrated analytics service that combines enterprise data warehousing and big data analytics. It allows querying data stored in both relational and non-relational formats using serverless or provisioned resources, supporting concurrency and near real-time insights. This makes it the best fit.
Azure Data Lake Storage Gen2 (Option A) provides scalable storage for big data but does not by itself support advanced analytics or concurrent querying. It serves more as a data repository than an analytics engine.
Azure Blob Storage (Option C) is optimized for storing unstructured data but lacks built-in query and analytics capabilities.
Azure SQL Database (Option D) supports structured data and offers high concurrency but is not optimized for unstructured data or large-scale analytics scenarios typical of big data workloads.
Thus, Azure Synapse Analytics offers the best combination of storage flexibility, concurrency, and analytics capabilities for this scenario.
Question No 9:
Your organization plans to deploy an Azure Kubernetes Service (AKS) cluster that requires integrated Azure Active Directory (Azure AD) authentication for users.
You want to ensure that only authorized users can access the Kubernetes API server using their Azure AD credentials. What should you do?
A. Enable Azure AD integration on the AKS cluster and configure RBAC within Kubernetes.
B. Use Azure AD Privileged Identity Management (PIM) to assign Kubernetes roles.
C. Create an Azure Automation runbook to manage Kubernetes user access.
D. Configure Azure AD Domain Services and join AKS nodes to the domain.
Answer: A
Explanation:
When securing access to an AKS cluster, enabling Azure AD integration allows users to authenticate to the Kubernetes API server using their Azure AD credentials. This enables centralized identity management and leverages existing Azure AD user accounts.
By enabling Azure AD integration on the AKS cluster (Option A), you link Kubernetes authentication to Azure AD, requiring users to sign in with their corporate credentials. Then, Kubernetes Role-Based Access Control (RBAC) is configured to assign permissions within the cluster based on user identities and groups defined in Azure AD.
Option B involves Azure AD Privileged Identity Management, which manages privileged roles in Azure but does not directly control Kubernetes API server access or role assignment within AKS.
Option C would require building custom scripts and does not provide the seamless Azure AD integrated experience.
Option D involves joining AKS nodes to an Azure AD Domain Services domain, which is not necessary for API server authentication and does not control user access to the Kubernetes API.
Therefore, enabling Azure AD integration with RBAC configuration (Option A) is the recommended approach to securely manage user access to the AKS cluster.
Question No 10:
You are designing a multi-region Azure SQL Database solution to ensure high availability and disaster recovery. You want to minimize data loss during failover and ensure that read-only workloads can be offloaded to a secondary region.
Which deployment option should you choose?
A. Geo-replication with auto-failover groups
B. Active geo-replication with manual failover
C. Azure SQL Managed Instance with zone-redundant configuration
D. Azure SQL Database Hyperscale tier
Answer: A
Explanation:
For a multi-region SQL Database setup that requires minimal data loss and support for read-only workloads on secondary replicas, Geo-replication with auto-failover groups (Option A) is ideal. Auto-failover groups provide automatic failover between primary and secondary databases in different regions, ensuring business continuity with minimal downtime and data loss.
Auto-failover groups also allow you to direct read-only traffic to the secondary database, which helps offload reporting and analytics workloads from the primary database. This enhances overall system performance and availability.
Active geo-replication with manual failover (Option B) provides geo-replication but requires manual intervention to failover, which can increase downtime and administrative overhead.
Azure SQL Managed Instance with zone-redundant configuration (Option C) offers high availability within a single region across availability zones but does not provide multi-region disaster recovery.
Azure SQL Database Hyperscale tier (Option D) supports very large databases with rapid scaling but does not inherently provide multi-region geo-replication or automatic failover.
Thus, Option A meets the requirements for multi-region disaster recovery, minimal data loss, and read workload offloading.