
Are you preparing for the Microsoft Azure Solutions Architect Expert exam (AZ-305)? Wondering what kind of questions are typically asked and how to boost your chances of success? In this blog, we’ll dive into key AZ-305 exam questions, offering insights into the types of scenarios you’ll encounter and how to approach them with confidence.
As an Azure Solutions Architect, you’ll be tasked with designing secure, scalable, and cost-effective cloud solutions across multiple domains. This includes computing, networking, storage, security, and more. Not only that, but you will also have to integrate various IT operations such as identity management, disaster recovery, and business continuity into your architecture.
While this can sound overwhelming, especially if you’re new to cloud architecture, don’t worry – you’re not alone. This role requires hands-on experience and collaboration with Azure Developers, Azure Administrators, and cloud DBAs to transform business requirements into effective Azure solutions.
If you’re preparing for the Microsoft Azure Solutions Architect Expert Certification (AZ-305), you’ve likely encountered challenges or uncertainties about how to approach your study material or practice exam questions, and the technical depth of the exam can feel overwhelming. The good news? We’ve got you covered.
Let’s take a look at some of the most common pain points Azure Solutions Architect candidates face, and how you can overcome them by reviewing these practice questions that mimic real exam scenarios. By doing so, you’ll be better prepared and more confident for your AZ-305 exam.
Azure Solutions Architect Exam Questions
Q1. You have an Azure subscription that contains several virtual networks located in different Azure regions. The virtual networks host virtual machines that run business-critical applications.
You need to design a solution that allows the virtual machines in the virtual networks to communicate with each other over the Microsoft backbone network. The solution must meet the following requirements:
✑ Minimize latency between the virtual networks.
✑ Ensure that traffic does not travel over the public internet.
✑ Minimize administrative effort and cost.
Which feature should you include in the solution?
A. Azure VPN Gateway
B. Azure Virtual Network Peering
C. Azure ExpressRoute
D. Azure Application Gateway
Correct Answer: B
Explanation:
Azure Virtual Network Peering enables you to connect two Azure virtual networks so that traffic between them flows through the Microsoft backbone network. Peered virtual networks appear as a single network for connectivity purposes.
Virtual Network Peering provides low-latency, high-bandwidth connectivity and does not require a VPN gateway or public internet exposure.
Azure VPN Gateway would require additional infrastructure and configuration, while ExpressRoute is typically used for connectivity between on-premises networks and Azure.
Q2. You have an Azure Active Directory (Microsoft Entra ID) tenant and an Azure subscription that contains several applications running in Azure App Service. The applications need to access secrets such as database connection strings and API keys.
You must ensure that the applications can securely retrieve the secrets without storing credentials in the application code.
Which feature should you include in the solution?
A. Microsoft Entra ID Conditional Access
B. Azure Managed Identities
C. Azure RBAC
D. Azure App Configuration
Correct Answer: B
Explanation:
Managed Identities for Azure resources allow applications to authenticate securely with Azure services without storing credentials in code.
When a managed identity is enabled for an Azure resource, Azure automatically creates an identity in Microsoft Entra ID. This identity can then be granted permissions to access resources such as Azure Key Vault.
Using managed identities improves security by eliminating the need to store passwords, connection strings, or API keys in application code.
Q3. You are designing a highly available architecture for a mission-critical application that runs on Azure virtual machines. The application must remain available if a datacenter within an Azure region becomes unavailable.
You need to ensure that the virtual machines are deployed across physically separate datacenters.
What should you include in the design?
A. Azure Availability Sets
B. Azure Availability Zones
C. Azure Load Balancer
D. Azure Virtual Machine Scale Sets
Correct Answer: B
Explanation:
Availability Zones are physically separate datacenters within an Azure region. Each zone has independent power, cooling, and networking infrastructure.
By deploying virtual machines across Availability Zones, you ensure that the application remains available even if a complete datacenter fails.
Availability Sets protect against hardware failures within a single datacenter but do not protect against full datacenter outages.
Q4. You are designing a governance strategy for an Azure environment that contains multiple subscriptions across different departments in an organization.
You must ensure that all resources are deployed only in approved Azure regions and that certain resource types are restricted.
Which Azure feature should you use?
A. Azure Monitor
B. Azure Policy
C. Azure Advisor
D. Azure Backup
Correct Answer: B
Explanation:
Azure Policy enables organizations to enforce governance rules across Azure resources.
Policies can restrict resource deployment locations, enforce naming conventions, require resource tags, and block specific resource types from being deployed.
Azure Policy can be applied at different scopes such as management groups, subscriptions, resource groups, or individual resources.
Q5. You have an Azure subscription that contains several virtual machines used by system administrators. Administrators currently connect to the virtual machines using RDP over the public internet.
You need to recommend a solution that meets the following requirements:
✑ Allow administrators to securely connect to the virtual machines.
✑ Prevent exposure of RDP and SSH ports to the public internet.
✑ Minimize configuration complexity.
Which service should you include in the solution?
A. Azure Bastion
B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure Load Balancer
Correct Answer: A
Explanation:
Azure Bastion is a fully managed service that provides secure RDP and SSH connectivity to Azure virtual machines directly from the Azure portal.
When Azure Bastion is deployed, administrators can connect to virtual machines without exposing public IP addresses or opening inbound ports.
This improves security by eliminating direct internet exposure of management ports.
Q6. You are designing a global web application that will be deployed in multiple Azure regions. The application must meet the following requirements:
✑ Automatically route users to the closest Azure region.
✑ Provide automatic failover if a regional endpoint becomes unavailable.
✑ Improve application availability.
Which Azure service should you include in the design?
A. Azure Load Balancer
B. Azure Traffic Manager
C. Azure Network Security Group
D. Azure Virtual Network Gateway
Correct Answer: B
Explanation:
Azure Traffic Manager is a DNS-based traffic routing service that distributes traffic across multiple Azure regions.
Traffic Manager supports routing methods such as performance routing, priority routing, and geographic routing.
This enables users to connect to the nearest available endpoint while ensuring automatic failover if a regional endpoint becomes unavailable.
Q7. You are designing an event-driven architecture that processes messages placed in an Azure Storage queue. The solution must automatically scale when the number of messages increases.
You also need to minimize infrastructure management and operational overhead.
Which Azure service should you recommend?
A. Azure Virtual Machines
B. Azure Functions
C. Azure Kubernetes Service
D. Azure Batch
Correct Answer: B
Explanation:
Azure Functions is a serverless compute service that allows code to run in response to events such as queue messages.
Azure Functions automatically scales based on demand and eliminates the need to manage servers or infrastructure.
This makes it ideal for event-driven workloads such as processing messages from queues or responding to events from other Azure services.
Q8. You are designing a storage solution for an application that stores large amounts of unstructured data, such as images, videos, and documents.
The solution must meet the following requirements:
✑ Provide high scalability.
✑ Allow access over HTTP or HTTPS.
✑ Minimize storage costs.
Which storage service should you recommend?
A. Azure SQL Database
B. Azure Files
C. Azure Blob Storage
D. Azure Table Storage
Correct Answer: C
Explanation:
Azure Blob Storage is designed for storing massive amounts of unstructured data, such as images, video files, backups, and documents.
Blob storage supports access via HTTP and HTTPS and provides high scalability. It also offers multiple access tiers, such as hot, cool, and archive, to optimize storage costs.
Q9. You have an Azure subscription that contains several virtual machines running business applications. You must ensure that network traffic to and from the virtual machines is filtered based on organizational security policies.
The solution must provide centralized network security management.
Which Azure service should you implement?
A. Azure Firewall
B. Azure Network Watcher
C. Azure Traffic Manager
D. Azure Application Gateway
Correct Answer: A
Explanation:
Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources.
It provides centralized control for filtering inbound and outbound traffic and allows administrators to create network rules and application rules to control traffic.
Azure Firewall helps enforce organizational security policies across multiple virtual networks.
Q10. You are designing a monitoring solution for an Azure environment that contains multiple services such as virtual machines, storage accounts, and databases.
You must collect performance metrics and diagnostic logs from these resources and generate alerts when certain thresholds are exceeded.
Which Azure service should you include in the solution?
A. Azure Monitor
B. Microsoft Defender for Cloud
C. Azure Backup
D. Azure Site Recovery
Correct Answer: A
Explanation:
Azure Monitor is a platform service that collects telemetry data, such as metrics and logs, from Azure resources.
Administrators can analyze this data using tools such as Log Analytics and can configure alerts based on performance thresholds.
Azure Monitor also provides dashboards and visualizations that help track the health and performance of Azure environments.
Q11. You have a Microsoft Entra ID (formerly Azure Active Directory) tenant that syncs with an on-premises Active Directory domain.
You have an internal web app named WebApp1 that is hosted on-premises. WebApp1 uses Integrated Windows authentication.
Some users work remotely and do NOT have VPN access to the on-premises network.
You need to provide the remote users with single sign-on (SSO) access to WebApp1.
Which two features should you include in the solution? Each correct answer presents part of the solution.
A. Microsoft Entra ID Application Proxy
B. Microsoft Entra ID Privileged Identity Management (PIM)
C. Conditional Access policies
D. Azure Arc
E. Microsoft Entra ID enterprise applications
F. Azure Application Gateway
Correct Answer: A, C
Explanation:
A: Microsoft Entra ID Application Proxy
Microsoft Entra ID Application Proxy enables secure remote access to on-premises web applications without requiring a VPN connection. It includes:
- Application Proxy service in Azure
- Application Proxy connector installed on an on-premises server
Application Proxy supports single sign-on (SSO) and integrates with Microsoft Entra ID authentication.
C: Conditional Access policies
Conditional Access allows organizations to enforce security requirements such as:
✑ Multi-Factor Authentication (MFA)
✑ Device compliance
✑ Location-based access control
Microsoft recommends combining Application Proxy with Conditional Access to secure remote access to internal applications.
Q12. You have a Microsoft Entra ID tenant named contoso.com that has a security group named Group1.
Group1 is configured for assigned membership.
Group1 has 50 members, including 20 guest users.
You need to recommend a solution for evaluating the membership of Group1. The solution must meet the following requirements:
✑ The evaluation must be repeated automatically every three months.
✑ Every member must be able to report whether they still require access.
✑ Users who report that they do not require access must be removed automatically.
✑ Users who do not respond must also be removed automatically.
What should you include in the recommendation?
A. Implement Microsoft Entra ID Identity Protection
B. Change the membership type of Group1 to Dynamic User
C. Create an access review
D. Implement Microsoft Entra ID Privileged Identity Management (PIM)
Correct Answer: C
Explanation:
Access Reviews in Microsoft Entra ID allow organizations to periodically review user access to groups and applications.
Features include:
✑ Recurring reviews (weekly, monthly, quarterly, yearly)
✑ Self-attestation by users or approval by managers
✑ Automatic removal of users who are denied access or fail to respond
Access Reviews are commonly used to ensure least-privilege access and maintain compliance.
Q13. You are designing an Azure web application named App1 that will use Microsoft Entra ID for authentication.
You need to recommend a solution to provide users from multiple Microsoft Entra ID tenants with access to App1.
The solution must ensure that users use Multi-Factor Authentication (MFA) when accessing App1.
Which two types of objects should you include in the recommendation? Each correct answer presents part of the solution.
A. Microsoft Entra ID Conditional Access policies
B. Microsoft Entra ID managed identities
C. Identity Experience Framework policy
D. Azure application security group
E. Endpoint Manager app protection policy
F. Microsoft Entra ID guest accounts
Correct Answer: A, F
Explanation:
F: Microsoft Entra ID Guest Accounts
Microsoft Entra ID B2B collaboration allows external users from other organizations to access applications as guest users in your tenant.
A: Conditional Access Policies
Conditional Access enables organizations to enforce security requirements such as:
✑ Multi-Factor Authentication
✑ Device compliance
✑ Location restrictions
Applying Conditional Access ensures that guest users must complete MFA before accessing the application.
Managed identities are designed for service authentication, not user authentication across tenants.
Q14. You are designing a large Azure environment that will contain many subscriptions.
You plan to use Azure Policy as part of a governance solution.
To which three scopes can you assign Azure Policy definitions? Each correct answer presents a complete solution.
A. Microsoft Entra ID administrative units
B. Microsoft Entra ID tenants
C. Subscriptions
D. Compute resources
E. Resource groups
F. Management groups
Correct Answer: C, E, F
Explanation:
Azure Policy allows organizations to enforce rules and compliance across Azure resources.
Policies can be assigned at the following scopes:
✑ Management groups – apply policies across multiple subscriptions
✑ Subscriptions – enforce policies within a subscription
✑ Resource groups – apply policies to resources in a group
✑ Individual resources
Using management groups allows centralized governance across large Azure environments.
Q15. You have an Azure subscription that contains a custom application named Application1.
Application1 was developed by an external company named Fabrikam Ltd.
Developers at Fabrikam were assigned Azure role-based access control (RBAC) permissions to the Application1 components.
All users are licensed for Microsoft 365 E5.
You need to recommend a solution to verify whether the Fabrikam developers still require access to Application1.
The solution must meet the following requirements:
✑ Send a monthly email to the developers’ manager listing access permissions
✑ Automatically revoke permissions if access is not reviewed
✑ Minimize development effort
What should you recommend?
A. In Microsoft Entra ID, create an access review for Application1
B. Create an Azure Automation runbook using Get-AzRoleAssignment
C. In Microsoft Entra ID Privileged Identity Management, create a custom role assignment
D. Create an Azure Automation runbook using Get-AzureADUserAppRoleAssignment
Correct Answer: A
Explanation:
Access Reviews in Microsoft Entra ID allow organizations to periodically review access to applications, groups, and roles.
Features include:
✑ Manager-based review workflows
✑ Automated email notifications
✑ Automatic removal of users if access is not approved
Access Reviews require Microsoft Entra ID P2, which is included in the Microsoft 365 E5 license.
Now that you have tested your knowledge with these AZ-305 exam questions, I hope you have a clearer picture of where your exam preparation stands.

