Microsoft AZ-305 Online Practice
Questions and Exam Preparation
AZ-305 Exam Details
Exam Code
:AZ-305
Exam Name
:Designing Microsoft Azure Infrastructure Solutions
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:395 Q&As
Last Updated
:Jul 13, 2026
Microsoft AZ-305 Online Questions &
Answers
Question 361:
HOTSPOT
You are designing a data analytics solution that will use Azure Synapse and Azure Data Lake Storage Gen2.
You need to recommend Azure Synapse pools to meet the following requirements:
1. Ingest data from Data Lake Storage into hash-distributed tables.
2. Implement query, and update data in Delta Lake.
What should you recommend for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: A dedicated SQL pool Ingest data from Data Lake Storage into hash distributed tables.
Guidance for designing distributed tables using dedicated SQL pool in Azure Synapse Analytics You can design hash-distributed and round-robin distributed tables in dedicated SQL pools.
Box 2: A serverless SQL pool Implement query, and update data in Delta Lake.
You can query Delta Lake files using serverless SQL pool in Azure Synapse Analytics
You can write a query using serverless Synapse SQL pool to read Delta Lake files. Delta Lake is an open-source storage layer that brings ACID (atomicity, consistency, isolation, and durability) transactions to Apache Spark and big data workloads.
The serverless SQL pool in Synapse workspace enables you to read the data stored in Delta Lake format, and serve it to reporting tools. A serverless SQL pool can read Delta Lake files that are created using Apache Spark, Azure Databricks, or any other producer of the Delta Lake format.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has deployed several virtual machines (VMs) on-premises and to Azure. Azure ExpressRoute has been deployed and configured for on-premises to Azure connectivity.
Several VMs are exhibiting network connectivity issues.
You need to analyze the network traffic to determine whether packets are being allowed or denied to the VMs.
Solution: Use Azure Network Watcher to run IP flow verify to analyze the network traffic Does the solution meet the goal?
A. Yes B. No
A. Yes
Explanation
The Network Watcher Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
Note:
IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.
IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.
You create a storage account that will store documents.
You need to configure the storage account to meet the following requirements:
1. Ensure that retention policies are standardized across the subscription.
2. Ensure that data can be purged if the data is copied to an unauthorized location.
Which two settings should you enable? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Enable soft delete for containers Ensure that retention policies are standardized across the subscription.
Container soft delete protects your data from being accidentally or erroneously modified or deleted. When container soft delete is enabled for a storage account, a container and its contents may be recovered after it has been deleted, within a retention period that you specify.
Box 2: Enable permanent delete for soft deleted items Ensure that data can be purged if the data is copied to an unauthorized location.
Incorrect:
Enable versioning for blobs
You can enable Blob storage versioning to automatically maintain previous versions of a blob when it is modified or deleted. When blob versioning is enabled, then you can restore an earlier version of a blob to recover your data if it is erroneously modified or deleted.
Enable version-level immutability support
Immutable storage for Azure Blob Storage enables users to store business-critical data in a WORM (Write Once, Read Many) state. While in a WORM state, data can't be modified or deleted for a user-specified interval. By configuring immutability policies for blob data, you can protect your data from overwrites and deletes. Immutability policies include time-based retention policies and legal holds.
You have an Azure subscription that contains 10 web apps. The apps are integrated with Azure AD and are accessed by users on different project teams.
The users frequently move between projects.
You need to recommend an access management solution for the web apps. The solution must meet the following requirements:
1. The users must only have access to the app of the project to which they are assigned currently.
2. Project managers must verify which users have access to their project's app and remove users that are no longer assigned to their project.
3. Once every 30 days, the project managers must be prompted automatically to verify which users are assigned to their projects.
What should you include in the recommendation?
A. Azure AD Identity Protection B. Microsoft Defender for Identity C. Microsoft Entra Permissions Management D. Azure AD Identity Governance
D. Azure AD Identity Governance
Explanation
Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right principals have the right access to the right resources and at the right time.
The principals (or identities) whose access you can govern include users, groups, and applications (or service principals). The users can be your employees, business partners, vendors, or contractors. The resources to which you can govern access include groups, access packages, and privileged roles.
Note: Azure AD access reviews
Use Azure AD access reviews to configure one-time or recurring access reviews for attestation of a principal's right to access Azure AD resources. The principals are users or applications (service principals). The Azure AD resources include groups, applications (service principals), access packages, and privileged roles. Access reviews is a feature of Azure AD Identity Governance.
Typical customer scenarios for access reviews include:
Customers can review and certify guest user access to groups through group memberships. Reviewers can use the insights that are provided to efficiently decide whether guests should have continued access.
Customers can review and certify employee access to Azure AD resources.
Customers can review and audit assignments to Azure AD privileged roles. This supports organizations in the management of privileged access.
You need to deploy an Azure Kubernetes Service (AKS) solution that will use Windows Server 2019 nodes.
The solution must meet the following requirements:
1. Minimize the time it takes to provision compute resources during scale-out operations.
2. Support autoscaling of Windows Server containers.
Which scaling option should you recommend?
A. cluster autoscaler B. horizontal pod autoscaler C. Kubernetes version 1.20.2 or newer D. Virtual nodes with Virtual Kubelet ACI
A. cluster autoscaler
Explanation
Azure Container Instances (ACI) lets you quickly deploy container instances without additional infrastructure overhead. When you connect with AKS, ACI becomes a secured, logical extension of your AKS cluster. The virtual nodes component, which is based on Virtual Kubelet, is installed in your AKS cluster that presents ACI as a virtual Kubernetes node. Kubernetes can then schedule pods that run as ACI instances through virtual nodes, not as pods on VM nodes directly in your AKS cluster. Your application requires no modification to use virtual nodes. Deployments can scale across AKS and ACI and with no delay as cluster autoscaler deploys new nodes in your AKS cluster.
Note: AKS clusters can scale in one of two ways: The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes. The horizontal pod autoscaler uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand.
Your on-premises network contains a server named Server1 that runs an ASP.NET application named App1.
You have a hybrid deployment of Azure Active Directory (Azure AD).
You need to recommend a solution to ensure that users sign in by using their Azure AD account and Azure Multi-Factor Authentication (MFA) when they connect to App1 from the internet.
Which three features should you recommend be deployed and configured in sequence? To answer, move the appropriate features from the list of features to the answer area and arrange them in the correct order.
Select and Place:
AD Application Proxy
AD Enterprise Application
AD Conditional access policy
https://thesleepyadmins.com/2019/02/
Question 367:
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
Your company, Contoso, Ltd., has a Microsoft Entra tenant named contoso.com that uses Privileged Identity Management (PIM) and is linked to an Azure subscription named Sub1.
You use Azure Backup to back up all the resources in Sub1 to a Recovery Services vault named Vault1.
An external company, Fabrikam, Inc., provides security management services to Contoso. Fabrikam has a Microsoft Entra tenant named fabrikam.com and an Azure subscription.
You need to prevent a compromised administrator account in contoso.com from modifying backup policies in Sub1 and from deleting backups from Sub1.
Solution: You configure Multi-User Authorization (MUA) in Sub1 by using a Resource Guard from fabrikam.com.
Does this meet the goal?
A. Yes B. No
B. No
Question 368:
HOTSPOT
You have an Azure subscription. The subscription contains an Azure SQL managed instance that stores employee details, including social security numbers and phone numbers.
You need to configure the managed instance to meet the following requirements:
1. The helpdesk team must see only the last four digits of an employee's phone number.
2. Cloud administrators must be prevented from seeing the employee's social security numbers.
What should you enable for each column in the managed instance? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Dynamic data masking
The helpdesk team must see only the last four digits of an employee's phone number.
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal effect on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database isn't changed.
Masking functions: A set of methods that control the exposure of data for different scenarios.
Credit card
Masking method, which exposes the last four digits of the designated fields and adds a constant string as a prefix in the form of a credit card.
XXXX-XXXX-XXXX-1234 Box 2: Always Encrypted
Cloud administrators must be prevented from seeing the employee's social security numbers.
Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national/regional identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database, Azure SQL Managed Instance, and SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine. This provides a separation between those who own the data and can view it, and those who manage the data but should have no access - on-premises database administrators, cloud database operators, or other high-privileged unauthorized users. As a result, Always Encrypted enables customers to confidently store their sensitive data in the cloud, and to reduce the likelihood of data theft by malicious insiders.
You need to implement a policy to ensure that all new resource groups include a value for a tag named Department.
The solution must ensure that if a value is NOT entered for the Department tag, a resource group is created.
Which effect should you use?
A. deny B. modify C. manual D. deploylfNotExists
B. modify
Question 370:
HOTSPOT
Your on-premises network contains an Active Directory Domain Services (AD DS) forest. The forest contains a top-level domain, three child domains, and an on-premises server named Server1.
You have a Microsoft Entra tenant. Server1 uses Microsoft Entra Connect Sync to replicate all the user objects from the three child domains to the tenant.
New contractors and employees are onboarded manually by using the Workday cloud-based human resources (HR) application.
You plan to automatically provision accounts for new users in one of the on-premises child domains and the Microsoft Entra tenant. The provisioning logic for the employees will be distinct from the provisioning logic for the contractors.
You need to identify the following:
The minimum number of apps to register in the Microsoft Entra tenant
The minimum number of Microsoft Entra Connect provisioning agents to deploy
The solution must minimize implementation effort.
What should you identify? To answer, select the appropriate options in the answer area.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your AZ-305 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.