Free Microsoft AZ-305 Practice Test & Real Exam Questions

  • Exam Code/Number: AZ-305
  • Exam Name/Title: Designing Microsoft Azure Infrastructure Solutions
  • Certification Provider: Microsoft
  • Corresponding Certification: Microsoft Azure Solutions Architect Expert
  • Exam Questions: 475
  • Updated On: Jul 09, 2026
Hotspot Question
You have the Free edition of a hybrid Azure Active Directory (Azure AD) tenant. The tenant uses password hash synchronization.
You need to recommend a solution to meet the following requirements:
- Prevent Active Directory domain user accounts from being locked out
as the result of brute force attacks targeting Azure AD user accounts.
- Block legacy authentication attempts to Azure AD integrated apps.
- Minimize costs.
What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:
Box 1: Smart lockout
Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute- force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.
Box 2: Conditional access policies
If your environment is ready to block legacy authentication to improve your tenant's protection, you can accomplish this goal with Conditional Access.
How can you prevent apps using legacy authentication from accessing your tenant's resources?
The recommendation is to just block them with a Conditional Access policy. If necessary, you allow only certain users and specific network locations to use apps that are based on legacy authentication.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
Hotspot Question
You company has offices in New York City, Sydney, Paris, and Johannesburg.
The company has an Azure subscription.
You plan to deploy a new Azure networking solution that meets the following requirements:
- Connects to ExpressRoute circuits in the Azure regions of East US,
Southeast Asia, North Europe, and South Africa
- Minimizes latency by supporting connection in three regions
- Supports Site-to-site VPN connections
- Minimizes costs
You need to identify the minimum number of Azure Virtual WAN hubs that you must deploy, and which virtual WAN SKU to use.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:
To deploy at least three Azure Virtual WAN hubs in order to minimize latency by supporting connections in three regions.
As for the SKU, the Basic SKU does not support ExpressRoute or site-to-site VPN connections, so you would need to use the Standard SKU to meet all the requirements.
You plan to deploy an application named App1 that will run in containers on Azure Kubernetes Service (AKS) clusters. The AKS clusters will be distributed across four Azure regions.
You need to recommend a storage solution to ensure that updated container images are replicated automatically to all the Azure regions hosting the AKS clusters.
Which storage solution should you recommend?
Correct Answer: C Vote an answer
Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).
You have an Azure App Service web app named App1 that runs on a Windows App Service plan and is deployed as code.
Users report that the webpages of App1 load slowly.
You enable diagnostic logging for App1.
You need to identify webpage response times by using the Azure portal. The solution must minimize administrative effort.
Which logs should you review?
Correct Answer: D Vote an answer
Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).
Case Study 1 - Litware
Existing Environment
Azure Environment
Litware has 10 Azure subscriptions that are linked to the Litware.com tenant and five Azure subscriptions that are linked to the dev.litware.com tenant. All the subscriptions are in an Enterprise Agreement (EA).
The litware.com tenant contains a custom Azure role-based access control (Azure RBAC) role named Role1 that grants the DataActions read permission to the blobs and files in Azure Storage.
On-Premises Environment
The on-premises network of Litware contains the resources shown in the following table.

Network Environment
Litware has ExpressRoute connectivity to Azure.
Planned Changes and Requirements
Litware plans to implement the following changes:
* Migrate DB1 and DB2 to Azure.
* Migrate App1 to Azure virtual machines.
* Migrate the external storage used by App1 to Azure Storage.
* Deploy the Azure virtual machines that will host App1 to Azure dedicated hosts.
Authentication and Authorization Requirements
Litware identifies the following authentication and authorization requirements:
* Only users that manage the production environment by using the Azure portal must connect from a hybrid Azure AD-joined device and authenticate by using Azure Multi-Factor Authentication (MFA).
* The Network Contributor built-in RBAC role must be used to grant permissions to the network administrators for all the virtual networks in all the Azure subscriptions.
* To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host the app.
* RBAC roles must be applied at the highest level possible.
Resiliency Requirements
Litware identifies the following resiliency requirements:
* Once migrated to Azure, DB1 and DB2 must meet the following requirements:
- Maintain availability if two availability zones in the local Azure region fail.
- Fail over automatically.
- Minimize I/O latency.
* App1 must meet the following requirements:
- Be hosted in an Azure region that supports availability zones.
- Be hosted on Azure virtual machines that support automatic scaling.
- Maintain availability if two availability zones in the local Azure region fail.
Security and Compliance Requirements
Litware identifies the following security and compliance requirements:
* Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of new and existing data is prevented for a period of three years.
* On-premises users and services must be able to access the Azure Storage account that will host the data in App1.
* Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.
* All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.
* App1 must NOT share physical hardware with other workloads.
Business Requirements
Litware identifies the following business requirements:
* Minimize administrative effort.
* Minimize costs.
Drag and Drop Question
You need to configure an Azure policy to ensure that the Azure SQL databases have Transparent Data Encryption (TDE) enabled. The solution must meet the security and compliance requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Correct Answer:

Explanation:
Scenario: All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.
Step 1: Create an Azure policy definition that uses the deployIfNotExists identity. The first step is to define the roles that deployIfNotExists and modify needs in the policy definition to successfully deploy the content of your included template.
Step 2: Create an Azure policy assignment
When creating an assignment using the portal, Azure Policy both generates the managed identity and grants it the roles defined in roleDefinitionIds.
Step 3: Invoke a remediation task
Resources that are non-compliant to a deployIfNotExists or modify policy can be put into a compliant state through Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the modify operations of the assigned policy on your existing resources and subscriptions, whether that assignment is to a management group, a subscription, a resource group, or an individual resource.
During evaluation, the policy assignment with deployIfNotExists or modify effects determines if there are non-compliant resources or subscriptions. When non-compliant resources or subscriptions are found, the details are provided on the Remediation page.
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Case Study 1 - Litware
Existing Environment
Azure Environment
Litware has 10 Azure subscriptions that are linked to the Litware.com tenant and five Azure subscriptions that are linked to the dev.litware.com tenant. All the subscriptions are in an Enterprise Agreement (EA).
The litware.com tenant contains a custom Azure role-based access control (Azure RBAC) role named Role1 that grants the DataActions read permission to the blobs and files in Azure Storage.
On-Premises Environment
The on-premises network of Litware contains the resources shown in the following table.

Network Environment
Litware has ExpressRoute connectivity to Azure.
Planned Changes and Requirements
Litware plans to implement the following changes:
* Migrate DB1 and DB2 to Azure.
* Migrate App1 to Azure virtual machines.
* Migrate the external storage used by App1 to Azure Storage.
* Deploy the Azure virtual machines that will host App1 to Azure dedicated hosts.
Authentication and Authorization Requirements
Litware identifies the following authentication and authorization requirements:
* Only users that manage the production environment by using the Azure portal must connect from a hybrid Azure AD-joined device and authenticate by using Azure Multi-Factor Authentication (MFA).
* The Network Contributor built-in RBAC role must be used to grant permissions to the network administrators for all the virtual networks in all the Azure subscriptions.
* To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host the app.
* RBAC roles must be applied at the highest level possible.
Resiliency Requirements
Litware identifies the following resiliency requirements:
* Once migrated to Azure, DB1 and DB2 must meet the following requirements:
- Maintain availability if two availability zones in the local Azure region fail.
- Fail over automatically.
- Minimize I/O latency.
* App1 must meet the following requirements:
- Be hosted in an Azure region that supports availability zones.
- Be hosted on Azure virtual machines that support automatic scaling.
- Maintain availability if two availability zones in the local Azure region fail.
Security and Compliance Requirements
Litware identifies the following security and compliance requirements:
* Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of new and existing data is prevented for a period of three years.
* On-premises users and services must be able to access the Azure Storage account that will host the data in App1.
* Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.
* All Azure SQL databases in the production environment must have Transparent Data Encryption (TDE) enabled.
* App1 must NOT share physical hardware with other workloads.
Business Requirements
Litware identifies the following business requirements:
* Minimize administrative effort.
* Minimize costs.
You need to implement the Azure RBAC role assignments for the Network Contributor role. The solution must meet the authentication and authorization requirements.
What is the minimum number of assignments that you must use?
Correct Answer: A Vote an answer
Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).
Hotspot Question
You have an Azure subscription that contains a third-party ecommerce app named App1.
You need to share the REST interface of App1 with external partners. The solution must meet the following requirements:
- Ensure that the partners can connect to the interface from remote
networks.
- Ensure that specific rate limits can be applied to each partner.
- Use a minimum of TLS 1.2.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:
Box 1: Azure API Management
To share a third-party application's Azure REST interface, you'll need to register the application, obtain an access token, and potentially use Azure API Management for enhanced control and security. The process involves creating an application in Microsoft Entra ID, granting it permissions to access the necessary Azure resources, and then using the application's credentials to make API calls.
Box 2: Inbound
In Azure API Management, inbound rate limiting restricts the number of requests a client can make within a specified time period, while outbound rate limiting controls the number of requests the API sends to its backend service. Inbound limits are typically applied before the request reaches the backend, while outbound limits are applied after the response is received from the backend.
Reference:
https://azure.microsoft.com/en-us/products/api-management
https://learn.microsoft.com/en-us/microsoft-cloud/dev/dev-proxy/concepts/implement-rate-limiting-azure-api-management
Hotspot Question
You have an Azure subscription that contains the resources shown in the following table.

You create an Azure SQL database named DB1 that is hosted in the East US region.
To DB1, you add a diagnostic setting named Settings1. Settings1 archives SQLInsights to storage1 and sends SQLInsights to Workspace1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selections is worth one point.
Correct Answer:

Explanation:
Box 1: Yes
A single diagnostic setting can define no more than one of each of the destinations. If you want to send data to more than one of a particular destination type (for example, two different Log Analytics workspaces), then create multiple settings.
Each resource can have up to 5 diagnostic settings.
Note: This diagnostic telemetry can be streamed to one of the following Azure resources for analysis.
* Log Analytics workspace
* Azure Event Hubs
* Azure Storage
Box 2: Yes
Box 3: Yes
References:
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings
https://docs.microsoft.com/en-us/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure?tabs=azure-portal