Microsoft

AZ-305 — Designing Microsoft Azure Infrastructure Solutions Study Guide

273 practice questions · Updated 2026-02-14 · $19 (70% off) · HTML + PDF formats

AZ-305 Exam Overview

Prepare for the Microsoft AZ-305 certification exam with our comprehensive study guide. This study material contains 273 practice questions sourced from real exams and expert-verified for accuracy. Each question includes the correct answer and a detailed explanation to help you understand the material thoroughly.

The AZ-305 exam — Designing Microsoft Azure Infrastructure Solutions — is offered by Microsoft. Passing this exam earns you the Microsoft Certified: Azure Solutions Architect Expert credential, an industry-recognized certification that validates your expertise. Our study materials were last updated on 2026-02-14 to reflect the most recent exam objectives and content.

What You Get

273 Practice Questions

Complete question bank covering all exam domains and objectives.

HTML + PDF Formats

Interactive HTML file (recommended) for screen study and a print-ready PDF.

Instant Download

Access your study materials immediately after purchase.

Email with Permanent Download Links

You will receive a confirmation email with permanent download links in case you want to download the files again in the future.

Why Choose CheapestExamDumps?

Lowest Price Available

Only $19 per exam — competitors charge $50-$300 for similar content.

Updated Monthly

Study materials refreshed within 30 days of any exam content changes.

Free Preview

Try 15 real practice questions before you buy — no signup required.

Instant Access

Download HTML + PDF immediately after payment. No waiting, no account needed.

About the Microsoft Certified: Azure Solutions Architect Expert

The Microsoft Certified: Azure Solutions Architect Expert is awarded by Microsoft to professionals who demonstrate competence in the skills measured by the AZ-305 exam. According to the official Microsoft certification page, this certification validates your ability to work with the technologies covered in the exam objectives.

According to the Global Knowledge IT Skills and Salary Report, certified IT professionals earn 15-25% more than their non-certified peers. Certifications from Microsoft are among the most recognized credentials in the IT industry, with strong demand across enterprise organizations worldwide.

$63 $19

One-time payment · HTML + PDF · Instant download · 273 questions

Free Sample — 15 Practice Questions

Preview 15 of 273 questions from the AZ-305 exam. Try before you buy — purchase the full study guide for all 273 questions with answers and explanations.

Question 251

You have the Azure resources shown in the following table. You need to deploy a new Azure Firewall policy that will contain mandatory rules for all Azure Firewall deployments. The new policy will be configured as a parent policy for the existing policies. What is the minimum number of additional Azure Firewall policies you should create?

A. 0
B. 1
C. 2
D. 3
Correct Answer: D
Explanation:
Azure Firewall supports hierarchical policies, but a key constraint is that a parent (base) policy must be in the same Azure region as its child policy. In the given scenario, the existing Azure Firewall policies are located in three different regions. To apply mandatory rules as a parent policy to each existing policy without moving or recreating the children, you must create one parent policy per region. Therefore, a minimum of three additional Azure Firewall policies are required.

Question 215

HOTSPOT - Your company has 20 web APIs that were developed in-house. The company is developing 10 web apps that will use the web APIs. The web apps and the APIs are registered in the company's Azure Active Directory (Azure AD) tenant. The web APIs are published by using Azure API Management. You need to recommend a solution to block unauthorized requests originating from the web apps from reaching the web APIs. The solution must meet the following requirements:
✑ Use Azure AD-generated claims.
✑ Minimize configuration and management effort.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Illustration for AZ-305 question 215
Correct Answer: Azure AD, Azure API Management
Explanation:
Grant application permissions in Azure AD so web apps obtain Azure AD–issued access tokens with required claims. Enforce authorization centrally by configuring the validate-jwt policy in Azure API Management to block requests without valid tokens, minimizing per-API configuration.

Question 52

You are developing a sales application that will contain several Azure cloud services and handle different components of a transaction. Different cloud services will process customer orders, billing, payment, inventory, and shipping. You need to recommend a solution to enable the cloud services to asynchronously communicate transaction information by using XML messages. What should you include in the recommendation?

A. Azure Service Bus
B. Azure Blob Storage
C. Azure Notification Hubs
D. Azure Application Gateway
Correct Answer: A
Explanation:
Azure Service Bus is designed for reliable, asynchronous messaging between distributed cloud services. It supports message queues and topics/subscriptions, enabling decoupled components to exchange XML messages for workflows such as orders, billing, payment, inventory, and shipping. The other options do not provide asynchronous inter-service messaging capabilities.

Question 162

HOTSPOT - You are designing a software as a service (SaaS) application that will enable Azure Active Directory (Azure AD) users to create and publish online surveys. The SaaS application will have a front-end web app and a back-end web API. The web app will rely on the web API to handle updates to customer surveys. You need to design an authorization flow for the SaaS application. The solution must meet the following requirements:
✑ To access the back-end web API, the web app must authenticate by using OAuth 2 bearer tokens.
✑ The web app must authenticate by using the identities of individual users.
What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:

Illustration for AZ-305 question 162
Correct Answer: Access tokens generated by: Azure AD; Authorization decisions performed by: A web API
Explanation:
In OAuth 2.0 with Azure AD, Azure AD acts as the authorization server and issues bearer access tokens containing the signed-in user’s identity (delegated access). The back-end web API is the resource server and validates the token, then enforces authorization based on claims/scopes for each request.

Question 39

You have 12 Azure subscriptions and three projects. Each project uses resources across multiple subscriptions. You need to use Microsoft Cost Management to monitor costs on a per project basis. The solution must minimize administrative effort. Which two components should you include in the solution? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. budgets
B. resource tags
C. custom role-based access control (RBAC) roles
D. management groups
E. Azure boards
Correct Answer: A, B
Explanation:
To monitor costs per project across multiple Azure subscriptions with minimal administrative effort, you should use resource tags and budgets. Resource tags allow you to label resources by project regardless of which subscription they are in, and Microsoft Cost Management can aggregate and filter costs based on those tags. Budgets can then be created using those tags to monitor spending and trigger alerts per project. Management groups organize subscriptions but do not solve per-project cost tracking when projects span multiple subscriptions, and the other options are not directly related to cost monitoring.

Question 14

You have an Azure subscription that contains an Azure Cosmos DB for NoSQL account named account1 and an Azure Synapse Analytics workspace named Workspace1. The account1 account contains a container named Contained that has the analytical store enabled. You need to recommend a solution that will process the data stored in Contained in near-real-time (NRT) and output the results to a data warehouse in Workspace1 by using a runtime engine in the workspace. The solution must minimize data movement. Which pool in Workspace1 should you use?

A. Apache Spark
B. serverless SQL
C. dedicated SQL
D. Data Explorer
Correct Answer: A
Explanation:
The requirement is near-real-time processing of Azure Cosmos DB analytical store data using a runtime engine in Azure Synapse Analytics while minimizing data movement. Apache Spark pools in Synapse integrate directly with Azure Cosmos DB analytical store through Azure Synapse Link, enabling distributed, near-real-time processing without copying data. Spark is designed for streaming and iterative analytics and can write results directly to a data warehouse in the same workspace. Serverless and dedicated SQL pools are better suited for querying rather than NRT processing, and Data Explorer is optimized for log/telemetry analytics rather than Cosmos DB analytical store processing in this scenario.

Question 205

You have an on-premises application that consumes data from multiple databases. The application code references database tables by using a combination of the server, database, and table name. You need to migrate the application data to Azure. To which two services can you migrate the application data to achieve the goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

A. SQL Server Stretch Database
B. SQL Server on an Azure virtual machine
C. Azure SQL Database
D. Azure SQL Managed Instance
Correct Answer: B, D
Explanation:
The application references tables using a three-part or four-part naming convention that includes server and database names and consumes data from multiple databases. SQL Server on an Azure virtual machine preserves full SQL Server functionality, including cross-database and cross-server references, with no application changes. Azure SQL Managed Instance also provides near-complete SQL Server instance compatibility, supporting cross-database queries and server-level features. Azure SQL Database (single/elastic) does not natively support the same server-level references in the same way, and Stretch Database is not a full migration target.

Question 239

HOTSPOT - Your company develops a web service that is deployed to an Azure virtual machine named VM1. The web service allows an API to access real-time data from VM1. The current virtual machine deployment is shown in the Deployment exhibit. The chief technology officer (CTO) sends you the following email message: "Our developers have deployed the web service to a virtual machine named VM1. Testing has shown that the API is accessible from VM1 and VM2. Our partners must be able to connect to the API over the Internet. Partners will use this data in applications that they develop." You deploy an Azure API Management (APIM) service. The relevant API Management configuration is shown in the API exhibit. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:

Illustration for AZ-305 question 239
Correct Answer: Yes, Yes, No
Explanation:
APIM is deployed in External mode, so the API is reachable from the internet. APIM is integrated into the same VNet as VM1, and by default subnets can communicate, allowing access to VM1. Because APIM is internet-facing, partners do not need a VPN gateway.

Question 228

You plan to deploy an application named App1 that will run on five Azure virtual machines. Additional virtual machines will be deployed later to run App1. You need to recommend a solution to meet the following requirements for the virtual machines that will run App1:
✑ Ensure that the virtual machines can authenticate to Azure Active Directory (Azure AD) to gain access to an Azure key vault, Azure Logic Apps instances, and an Azure SQL database.
✑ Avoid assigning new roles and permissions for Azure services when you deploy additional virtual machines.
✑ Avoid storing secrets and certificates on the virtual machines.
✑ Minimize administrative effort for managing identities.
Which type of identity should you include in the recommendation?

A. a system-assigned managed identity
B. a service principal that is configured to use a certificate
C. a service principal that is configured to use a client secret
D. a user-assigned managed identity
Correct Answer: D
Explanation:
A user-assigned managed identity can be shared across multiple virtual machines and reused when new VMs are added, so you do not need to reassign roles or permissions each time. Managed identities authenticate to Azure AD–protected services such as Key Vault, Logic Apps, and Azure SQL without storing secrets or certificates on the VMs. Using a single user-assigned identity also minimizes administrative overhead compared to managing separate system-assigned identities or service principals.

Question 78

You have an on-premises Microsoft SQL Server 2008 instance that hosts a 50-GB database. You need to migrate the database to an Azure SQL managed instance. The solution must minimize downtime. What should you use?

A. Azure Migrate
B. Azure Data Studio
C. WANdisco LiveData Platform for Azure
D. SQL Server Management Studio (SSMS)
Correct Answer: B
Explanation:
To minimize downtime when migrating a SQL Server 2008 database to Azure SQL Managed Instance, the recommended Microsoft-supported approach is to use the Azure SQL migration extension in Azure Data Studio. This uses Azure Database Migration Service (DMS) to perform an online migration, keeping the source database operational during data synchronization and requiring only a short cutover downtime.

Question 269

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. Your company deploys several virtual machines on-premises and to Azure. ExpressRoute is deployed and configured for on-premises to Azure connectivity. Several virtual machines exhibit network connectivity issues. You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines. Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic. Does this meet the goal?

A. Yes
B. No
Correct Answer: A
Explanation:
Azure Network Watcher IP flow verify is specifically designed to determine whether traffic to or from an Azure virtual machine is allowed or denied based on NSGs and user-defined routes. Using it directly meets the goal of analyzing packet allowance or denial for the affected virtual machines.

Question 211

You need to design a highly available Azure SQL database that meets the following requirements:
✑ Failover between replicas of the database must occur without any data loss.
✑ The database must remain available in the event of a zone outage.
✑ Costs must be minimized.
Which deployment option should you use?

A. Azure SQL Database Hyperscale
B. Azure SQL Database Premium
C. Azure SQL Database Basic
D. Azure SQL Managed Instance General Purpose
Correct Answer: B
Explanation:
The requirements imply synchronous replication with automatic failover (no data loss) and zone redundancy, at the lowest possible cost. Azure SQL Database Premium supports zone-redundant configuration with synchronous replicas, providing automatic failover without data loss during a zone outage. Basic does not support zone-redundant databases, Hyperscale is generally more expensive than necessary for this requirement, and Azure SQL Managed Instance General Purpose is typically higher cost and not the most economical choice for a single highly available database. Therefore, Premium best meets the requirements at minimal cost.

Question 222

You need to design a highly available Azure SQL database that meets the following requirements:
✑ Failover between replicas of the database must occur without any data loss.
✑ The database must remain available in the event of a zone outage.
✑ Costs must be minimized.
Which deployment option should you use?

A. Azure SQL Database Serverless
B. Azure SQL Database Business Critical
C. Azure SQL Database Basic
D. Azure SQL Database Standard
Correct Answer: B
Explanation:
The requirements are zero data loss, availability during a zone outage, and minimized cost. Zero data loss requires synchronous replication, and zone-outage resilience requires zone-redundant high availability. Azure SQL Database Business Critical provides multiple synchronous replicas across availability zones with automatic failover and RPO = 0. Basic and Standard tiers do not support zone redundancy, and Serverless (General Purpose) relies on remote storage and does not provide the same synchronous multi-replica architecture for zone-outage HA. Therefore, Business Critical is the lowest-cost option that fully satisfies all requirements.

Question 85

You need to design a highly available Azure SQL database that meets the following requirements:
• Failover between replicas of the database must occur without any data loss.
• The database must remain available in the event of a zone outage.
• Costs must be minimized.
Which deployment option should you use?

A. Azure SQL Database Hyperscale
B. Azure SQL Database Premium
C. Azure SQL Database Standard
D. Azure SQL Managed Instance General Purpose
Correct Answer: B
Explanation:
The requirements demand synchronous replicas with zero data loss (RPO=0) and availability during an availability zone outage. Azure SQL Database Premium (DTU-based) uses the Business Critical architecture with multiple synchronous replicas and supports zone redundancy. Standard tier does not provide this level of HA, Managed Instance General Purpose relies on remote storage and does not meet the zero-data-loss zone-outage requirement, and Hyperscale can meet HA needs but at higher cost. Therefore, Premium satisfies the requirements at the lowest cost among the valid options.

Question 75

Your company has the divisions shown in the following table. Sub1 contains an Azure App Service web app named App1. App1 uses Azure AD for single-tenant user authentication. Users from contoso.com can authenticate to App1. You need to recommend a solution to enable users in the fabrikam.com tenant to authenticate to App1. What should you recommend?

A. Use Azure AD entitlement management to govern external users.
B. Enable Azure AD pass-through authentication and update the sign-in endpoint.
C. Configure a Conditional Access policy.
D. Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM).
Correct Answer: A
Explanation:
App1 is configured as a single-tenant Azure AD app, so users from another tenant (fabrikam.com) cannot authenticate unless they are onboarded as external (B2B) users. Azure AD Entitlement Management is designed to manage access for external users by inviting them as guests and assigning them access packages, enabling authentication without converting the app to multi-tenant. Pass-through authentication, Conditional Access, and PIM do not enable cross-tenant authentication for a single-tenant app.

Get all 273 questions with detailed answers and explanations

AZ-305 — Frequently Asked Questions

What is the Microsoft AZ-305 exam?

The Microsoft AZ-305 exam — Designing Microsoft Azure Infrastructure Solutions — is a professional IT certification exam offered by Microsoft. Passing this exam earns you the Microsoft Certified: Azure Solutions Architect Expert certification, a widely recognized credential in the IT industry.

How many practice questions are included?

This study guide contains 273 practice questions, each with an expert-verified correct answer and a detailed explanation. Questions cover all exam domains and objectives.

Is there a free sample available?

Yes! We provide a free sample of 15 practice questions from the AZ-305 exam right on this page. Scroll up to preview them and evaluate the quality of our materials before purchasing.

When was this AZ-305 study guide last updated?

This study guide was last updated on 2026-02-14. We regularly refresh our materials to reflect the latest exam content and objectives so you're always studying current material.

What file formats do I receive?

After purchase you receive two files: an interactive HTML file with show/hide answer toggles (ideal for studying on screen) and a PDF file (ideal for printing or offline study). Both work on any device — desktop, tablet, or phone.

How much does the AZ-305 study guide cost?

The Microsoft AZ-305 study guide costs $19 (discounted from $63). This is a one-time payment with no subscriptions or hidden fees.

How do I get my files after payment?

After successful payment via Stripe, you are immediately redirected to a download page with links to your HTML and PDF files. We also send the download links to your email address as a backup, so you'll always have access.

Why choose CheapestExamDumps over other providers?

CheapestExamDumps offers the lowest price at $19 per exam — competitors charge $50-$300 for similar content. All study materials are expert-verified, updated monthly, and include a free 15-question preview with no signup required. You get instant access to both HTML and PDF formats after payment.