
Microsoft AZ-305 Exam Dumps & Practice Test Questions

Question No 1:

Contoso, Ltd. operates a hybrid cloud setup with an Azure Active Directory (Azure AD) tenant connected to Microsoft 365 and an active Azure subscription. The company’s on-premises identity infrastructure includes servers running Active Directory Domain Services (AD DS) and Azure AD Connect.

Contoso has partnered with Fabrikam, Inc., which has a similar setup, including a Microsoft 365 tenant and on-premises Active Directory infrastructure with Azure AD Connect.

Contoso is starting an Azure-based development project and needs to grant 10 Fabrikam developers access to a specific resource group within Contoso’s Azure subscription. The developers need to be assigned the Contributor role to manage resources within the resource group. Additionally, the solution should allow Fabrikam users to use their existing credentials without requiring new accounts or changes to their identity infrastructure.

Which solution would you recommend to meet these requirements effectively?

A. In the Azure AD tenant of Contoso, create cloud-only user accounts for the Fabrikam developers.
B. Configure a forest trust between the on-premises Active Directory forests of Contoso and Fabrikam.
C. Configure an organization relationship between the Microsoft 365 tenants of Fabrikam and Contoso.
D. In the Azure AD tenant of Contoso, create guest accounts for the Fabrikam developers.

Correct Answer: D. In the Azure AD tenant of Contoso, create guest accounts for the Fabrikam developers.

Explanation:

To enable external users, such as the Fabrikam developers, to securely access Azure resources in another organization's tenant, Microsoft recommends using Azure AD B2B collaboration. This feature allows Contoso to invite external users to their Azure AD tenant as guest users.

By choosing option D, Contoso can create guest accounts for the 10 Fabrikam developers within their Azure AD. These external users can log in using their existing Fabrikam credentials, allowing them to access the necessary Azure resources without needing new accounts. This solution also maintains security and compliance standards, as guest users are authenticated through their original Azure AD tenant.

Once invited as guest users, Contoso can assign them the Contributor role for the specific resource group, granting them the required permissions to manage resources.

Other options do not meet the needs effectively:

  • Option A (cloud-only user accounts) would require the creation and management of separate credentials for Fabrikam users, which would complicate administration.

  • Option B (forest trust) is primarily used for on-premises authentication, not Azure AD cross-tenant access, and is more complex to implement.

  • Option C (organization relationship) is used for Exchange Online services, not for role-based access control or Azure resource management.

Thus, guest accounts in Azure AD provide a seamless and secure solution for cross-organization collaboration.
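As an added example (not part of the exam page), the following Azure PowerShell script performs the onboarding described above: it invites the Fabrikam developers as B2B guests into Contoso's tenant and grants them Contributor at resource-group scope only. The UPN list, resource group name and redirect URL are placeholders; the Microsoft.Graph and Az.Resources modules are assumed to be installed.

```powershell
# Added example, not from the exam page: onboard Fabrikam developers as B2B
# guests in Contoso's tenant and grant them Contributor on one resource group.
# Assumptions: the Microsoft.Graph (Identity.SignIns) and Az.Resources modules
# are installed; the UPNs, resource group name and redirect URL are placeholders.
$developers    = @("dev1@fabrikam.com", "dev2@fabrikam.com")   # placeholder list
$resourceGroup = "rg-devproject"                                # placeholder
$redirectUrl   = "https://portal.azure.com"

Connect-MgGraph -Scopes "User.Invite.All" | Out-Null
Connect-AzAccount | Out-Null

foreach ($upn in $developers) {
    # B2B invitation: a guest object is created in Contoso's directory, but the
    # developer keeps signing in with Fabrikam credentials (no second password).
    $invite = New-MgInvitation -InvitedUserEmailAddress $upn `
                               -InviteRedirectUrl $redirectUrl `
                               -SendInvitationMessage:$true
    $guestId = $invite.InvitedUser.Id

    # Least privilege: Contributor at resource-group scope only, never at the
    # subscription. Directory replication can lag, so retry briefly on failure.
    $assigned = $false
    for ($attempt = 1; $attempt -le 5 -and -not $assigned; $attempt++) {
        try {
            New-AzRoleAssignment -ObjectId $guestId `
                                 -RoleDefinitionName "Contributor" `
                                 -ResourceGroupName $resourceGroup `
                                 -ErrorAction Stop | Out-Null
            $assigned = $true
        } catch {
            Start-Sleep -Seconds (5 * $attempt)
        }
    }
    if (-not $assigned) {
        Write-Warning "Role assignment for $upn failed; check directory replication and retry."
    }
}

# Verification: every guest (UPN contains #EXT#) holding a role at this scope,
# so an auditor can confirm nothing was granted above the resource group.
Get-AzRoleAssignment -ResourceGroupName $resourceGroup |
    Where-Object { $_.SignInName -like "*#EXT#*" } |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope
```

The final listing is the check worth keeping in a runbook: it shows exactly which external identities hold which role at the resource group, which is what an access review for the project should compare against.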

Question No 2:

Your company has multiple divisions with users from the domains contoso.com and fabrikam.com. Currently, there is an Azure subscription named Sub1, which hosts an Azure App Service web app called App1. This app uses Azure Active Directory (Azure AD) for single-tenant authentication, allowing only users from the contoso.com tenant to sign in.

Now, the business has expanded, and you need to allow users from fabrikam.com to authenticate and access App1 using their existing Azure AD credentials.

What would you recommend to enable users from fabrikam.com to authenticate to App1 using Azure AD?

A. Configure the Azure AD provisioning service.
B. Enable Azure AD pass-through authentication and update the sign-in endpoint.
C. Use Azure AD entitlement management to govern external users.
D. Configure Azure AD join.

Correct Answer: C. Use Azure AD entitlement management to govern external users.

Explanation:

Currently, App1 is configured as a single-tenant Azure AD application, which means only users from the contoso.com tenant can sign in. To allow fabrikam.com users to access App1, the application must be configured for multi-tenant authentication or an alternative solution should be implemented for managing external users.

The most effective solution is Azure AD Entitlement Management, which is part of Azure AD Identity Governance. Entitlement Management allows Contoso to create access packages that external users from Fabrikam can request to gain access to App1 and other resources. Once external users are granted access through these packages, they are added as guest users in Contoso’s Azure AD tenant, allowing them to authenticate and access the app with their existing credentials.

Entitlement Management also facilitates B2B collaboration, automated access requests, approval workflows, and lifecycle management for guest users.

Here’s why the other options are not suitable:

  • Option A (Azure AD provisioning) is used for syncing users between tenants but does not handle authentication for applications.

  • Option B (Pass-through authentication) is relevant for hybrid identity setups in a single organization and does not apply to cross-tenant authentication.

  • Option D (Azure AD Join) is intended for device management, not user authentication for cross-tenant app access.

Therefore, entitlement management offers a streamlined and secure approach to managing external user access while maintaining compliance.

Question No 3:

Which of the following is the most appropriate method for securing sensitive data in an Azure solution that involves storing the data in a cloud storage account?

A) Encrypt the data at rest using Azure Storage Service Encryption (SSE)
B) Use an Azure Virtual Network (VNet) to isolate the storage account
C) Implement Azure AD Conditional Access policies to protect access to the storage account
D) Use a storage account with public access to allow unrestricted data retrieval

Correct Answer: A

Explanation:

To secure sensitive data in an Azure solution, it's crucial to implement the right combination of encryption, access controls, and network isolation. Let's break down the options:

A) Encrypt the data at rest using Azure Storage Service Encryption (SSE):
This option directly addresses the protection of sensitive data stored in Azure. Azure Storage Service Encryption (SSE) is a built-in feature that encrypts data automatically when stored in Azure Storage accounts, ensuring that data at rest is protected using strong encryption algorithms, such as AES 256-bit encryption. By default, SSE is enabled for most Azure storage services, including Blob storage, File storage, and Queue storage. This method is an essential step in securing sensitive data and complies with industry standards for data encryption.

B) Use an Azure Virtual Network (VNet) to isolate the storage account:
While isolating resources within a Virtual Network (VNet) is a good practice for securing network traffic and controlling access to Azure resources, this option does not directly secure the data itself in storage. VNets can restrict network access to the storage account but don’t address the encryption of the stored data. It’s an important consideration for network security, but encryption of data at rest (as in Option A) is the more comprehensive security measure.

C) Implement Azure AD Conditional Access policies to protect access to the storage account:
Conditional Access policies in Azure Active Directory (Azure AD) allow organizations to enforce access controls based on factors such as user location, device health, or authentication method. While this is a critical component for managing access to Azure resources, including storage accounts, it does not directly secure the data at rest. Conditional Access can control who can access the data but does not address the encryption of sensitive data when stored.

D) Use a storage account with public access to allow unrestricted data retrieval:
This is the least secure option. Allowing public access to the storage account means anyone on the internet can retrieve or modify data, which opens up the storage account to potential unauthorized access or data breaches. This approach is not recommended for storing sensitive or confidential information.

In conclusion, Option A, encrypting data at rest using Azure Storage Service Encryption (SSE), is the most effective and directly relevant method for securing sensitive data in an Azure storage solution. It ensures that the data is protected even if unauthorized access to the storage account occurs, which is a fundamental principle of securing sensitive information in cloud environments.
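As an added example (not from the exam page), this Azure PowerShell script reports the encryption state of a storage account and then replaces the weak settings that option D describes (anonymous public access) with a hardened configuration. The resource group and account names are placeholders; the Az.Storage module is assumed to be installed.

```powershell
# Added example, not from the exam page: verify that Storage Service Encryption
# is in effect on a storage account and remove the weak settings described in
# option D (public access), also enforcing HTTPS, TLS 1.2 and a deny-by-default
# network rule. Assumptions: Az.Storage is installed; names are placeholders.
$rg   = "rg-data"          # placeholder
$name = "stsensitivedata"  # placeholder

Connect-AzAccount | Out-Null
$before = Get-AzStorageAccount -ResourceGroupName $rg -Name $name

# SSE cannot be switched off; what an auditor checks is the key source
# (Microsoft-managed vs customer-managed key in Key Vault) and the service flags.
[pscustomobject]@{
    BlobEncrypted  = $before.Encryption.Services.Blob.Enabled
    FileEncrypted  = $before.Encryption.Services.File.Enabled
    KeySource      = $before.Encryption.KeySource   # Microsoft.Storage or Microsoft.Keyvault
    PublicBlobs    = $before.AllowBlobPublicAccess
    HttpsOnly      = $before.EnableHttpsTrafficOnly
    MinTls         = $before.MinimumTlsVersion
    NetworkDefault = $before.NetworkRuleSet.DefaultAction
} | Format-List

# Weak state (option D): anonymous blob access allowed, any TLS, open network.
# Corrected state: no anonymous access, HTTPS only, TLS 1.2, deny unless listed.
Set-AzStorageAccount -ResourceGroupName $rg -Name $name `
    -AllowBlobPublicAccess $false `
    -EnableHttpsTrafficOnly $true `
    -MinimumTlsVersion TLS1_2 | Out-Null

Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $name `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# Re-read and fail loudly if any setting did not apply, so a pipeline stops
# rather than silently leaving the account open.
$after = Get-AzStorageAccount -ResourceGroupName $rg -Name $name
if ($after.AllowBlobPublicAccess -or -not $after.EnableHttpsTrafficOnly -or
    $after.NetworkRuleSet.DefaultAction -ne "Deny") {
    throw "Hardening did not apply as expected; review the account settings."
}
```

Encryption at rest (option A) protects the data on disk; the network and access settings changed here are what stop the data from being read through the front door, so both belong in the baseline.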

Question No 4:

Your organization needs to generate a monthly report of all new Azure Resource Manager (ARM) resource deployments within your Azure subscription.

As a cloud administrator, which Azure service would you recommend to efficiently track and report these deployments?

A. Azure Log Analytics
B. Azure Arc
C. Azure Analysis Services
D. Application Insights

Correct Answer: A. Azure Log Analytics

Explanation:

To generate accurate monthly reports for new Azure Resource Manager (ARM) resource deployments, you need a solution that can track and analyze deployment activities in your Azure subscription. Azure Log Analytics, part of Azure Monitor, is the optimal choice for this task.

Azure Log Analytics collects, analyzes, and stores logs generated by your Azure resources, allowing you to monitor, diagnose, and report on deployment activities effectively. By ingesting Azure Activity Logs, which record details about every deployment, including the who, what, when, and where, you can use Kusto Query Language (KQL) to query and filter deployment activities within a specified timeframe, such as monthly.

This service also enables you to visualize the data in Power BI, automate the process with scheduled queries, and set up alerts for specific events. Thus, Log Analytics offers a comprehensive, low-effort solution for maintaining regular deployment reports and ensures data accuracy while reducing manual intervention.

Other options are less suitable:

  • Azure Arc (Option B) is designed for managing hybrid and multi-cloud environments, not for tracking deployments in an Azure subscription.

  • Azure Analysis Services (Option C) is an analytics tool primarily used for data modeling and complex analysis, rather than monitoring or tracking Azure deployments.

  • Application Insights (Option D) is tailored for application performance monitoring and is not designed for tracking infrastructure-level changes such as ARM deployments.

Thus, Azure Log Analytics is the most effective and efficient service for automating and generating monthly reports for ARM deployments in Azure.

Question No 5:

Your organization is divided into two divisions: East and West, each with its own Azure Subscription and Azure AD Tenant. Currently, users from the East division’s Azure AD tenant (Contoso.com) can authenticate and access an Azure App Service web application (App1). Now, there’s a requirement for users from the West division’s Azure AD tenant (Fabrikam.com) to access App1. 

Which solution should you recommend to enable secure access for users from the Fabrikam.com tenant?

A. Configure the Azure AD provisioning service
B. Configure Azure AD Privileged Identity Management (PIM) for Fabrikam.com users
C. Use Azure AD entitlement management to govern external users
D. Configure Azure AD Identity Protection

Correct Answer: C. Use Azure AD entitlement management to govern external users

Explanation:

To enable secure access for users from the Fabrikam.com tenant to App1 (hosted in the Contoso.com tenant), the ideal solution is to use Azure AD Entitlement Management. This feature is part of Azure AD Identity Governance and is specifically designed for managing external (B2B) user access.

By leveraging entitlement management, you can create access packages that govern who can access specific resources, like App1, from another tenant. These access packages can be configured to automatically invite external users, enforce access reviews, and apply expiration policies to ensure that access is granted only for the appropriate time frame. Furthermore, entitlement management ensures that external access is governed securely, providing a streamlined and automated process for managing users from Fabrikam.com.

Other options are less effective:

  • Azure AD provisioning service (Option A) is used for syncing users to SaaS applications, not for managing B2B access to a single-tenant app.

  • Azure AD Privileged Identity Management (PIM) (Option B) is used to manage privileged roles and would not be applicable for granting access to an app for external users.

  • Azure AD Identity Protection (Option D) focuses on detecting risky sign-ins and enforcing security policies, but it doesn’t help with cross-tenant authentication or managing external user access.

Thus, Azure AD entitlement management is the most appropriate choice for enabling external users from the Fabrikam.com tenant to securely access App1 in the Contoso.com tenant.

Question No 6:

You are developing a serverless application using Azure Functions, and as part of your solution, the function needs secure access to Azure resources that store activity logs (e.g., Azure Monitor, Event Hubs, or Log Analytics). You want to minimize administrative overhead and ensure the solution is secure, scalable, and does not require manual credential management. 

Which authentication method would you recommend for your Azure Function to access these resources securely?

A. Create an enterprise application in Azure Active Directory (Azure AD)
B. Use system-assigned managed identities
C. Generate and use shared access signatures (SAS)
D. Register an application in Azure Active Directory (Azure AD)

Correct Answer: B. Use system-assigned managed identities

Explanation:

For securely accessing Azure resources such as Azure Monitor, Event Hubs, or Log Analytics without the need for manual credential management, the best authentication solution is to use system-assigned managed identities.

A system-assigned managed identity is an identity automatically created and managed by Azure, linked directly to your Azure Function. This identity is automatically granted access to resources based on role-based access control (RBAC) permissions, eliminating the need for storing credentials or manually rotating secrets.

The main benefits of using managed identities include:

  • No secret management: Azure handles identity creation, rotation, and management.

  • Security and scalability: Managed identities align with the principle of least privilege, ensuring that only the necessary permissions are granted.

  • Automation: Azure automatically manages the lifecycle of the identity, reducing administrative overhead.

Other options are less suitable:

  • Enterprise applications (Option A) and application registrations (Option D) require manual configuration of credentials, which adds complexity and management overhead.

  • Shared Access Signatures (SAS) (Option C) are not ideal for large-scale or high-security access scenarios. They are harder to manage and pose risks if mishandled.

Therefore, system-assigned managed identities provide the simplest, most secure, and scalable authentication method, ensuring minimal administrative effort while maintaining security best practices.
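As an added example (not from the exam page), this Azure PowerShell script enables the system-assigned managed identity of a Function App and grants it only the data-plane roles it needs on the log sources named in the question. All resource names are placeholders; the Az.Functions and Az.Resources modules are assumed to be installed.

```powershell
# Added example, not from the exam page: turn on the system-assigned identity of
# a Function App and grant it only the read-only data roles it needs on an
# Event Hub and a Log Analytics workspace. Assumptions: Az.Functions and
# Az.Resources are installed; every name below is a placeholder.
$rg            = "rg-logs"          # placeholder
$functionApp   = "func-logreader"   # placeholder
$eventHubNs    = "ehns-activity"    # placeholder namespace
$eventHub      = "activity-logs"    # placeholder hub
$workspaceName = "law-central"      # placeholder Log Analytics workspace

Connect-AzAccount | Out-Null
$subId = (Get-AzContext).Subscription.Id

# 1. Enable the identity. Azure creates the service principal and rotates its
#    credential; nothing is written to app settings or Key Vault.
$app = Update-AzFunctionApp -Name $functionApp -ResourceGroupName $rg `
                            -IdentityType SystemAssigned
$principalId = $app.IdentityPrincipalId

# 2. Scope each assignment to the single resource and use read-only data roles,
#    not Contributor on the resource group (least privilege).
$hubScope = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.EventHub" +
            "/namespaces/$eventHubNs/eventhubs/$eventHub"
$lawScope = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.OperationalInsights" +
            "/workspaces/$workspaceName"

# If this reports the principal as not found, the directory has not replicated
# the new identity yet; wait a few seconds and run the assignments again.
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName "Azure Event Hubs Data Receiver" -Scope $hubScope | Out-Null
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName "Log Analytics Reader" -Scope $lawScope | Out-Null

# 3. Review: everything this identity can do should be these two resources only.
Get-AzRoleAssignment -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope
```

Inside the function, the SDK's default credential chain picks the identity up from the hosting environment, so the code contains no connection string, SAS or client secret to leak or rotate.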

Question No 7:

Your organization has two divisions as described below:

Division | Azure Subscription | Azure AD Tenant
---------|--------------------|----------------
East     | Sub1               | Contoso.com
West     | Sub2               | Fabrikam.com

The East division manages an Azure App Service, App1, hosted in Sub1. The service is configured for single-tenant authentication using Azure Active Directory (Azure AD), which currently allows only Contoso.com users to authenticate. Now, the West division (tenant Fabrikam.com) requires access to App1.

Goal: Recommend a secure and suitable method to allow users from the Fabrikam.com tenant to authenticate and access App1, while still maintaining Azure AD-based authentication.

What should you recommend?

A. Configure Azure AD join
B. Use Azure AD entitlement management to govern external users
C. Enable Azure AD pass-through authentication and update the sign-in endpoint
D. Configure assignments for the fabrikam.com users by using Azure AD Privileged Identity Management (PIM)

Correct Answer: B. Use Azure AD entitlement management to govern external users

Explanation:

App1 is a single-tenant application configured in the Contoso.com Azure AD tenant. By default, such a setup only allows authentication from users within the Contoso.com tenant. To grant users from the Fabrikam.com tenant access, cross-tenant authentication must be enabled.

The best solution is to use Azure AD entitlement management, a component of Azure AD Identity Governance. This allows administrators to securely manage external user access by creating access packages, which include access to resources such as applications. With B2B collaboration, users from Fabrikam.com can be invited as guest users to the Contoso.com tenant. Once invited, they will be able to authenticate to App1, as though they belong to the Contoso.com directory.

This method maintains the security of the app, avoids reconfiguring App1 as a multi-tenant application, and limits exposure to unauthorized access.

Why the other options are not suitable:

A: Azure AD Join is used for device registration, not application access.
C: Azure AD pass-through authentication is intended for authenticating users within a single directory.
D: Azure AD Privileged Identity Management (PIM) manages privileged roles but does not address cross-tenant authentication.

Thus, B is the best option for granting external access securely while retaining a single-tenant configuration.

Question No 8:

Your organization has two divisions, East and West, each operating under separate Azure subscriptions and Azure AD tenants:

Division | Azure Subscription | Azure AD Tenant
---------|--------------------|----------------
East     | Sub1               | Contoso.com
West     | Sub2               | Fabrikam.com

In the East division (Sub1), there is an Azure App Service named App1. The app is configured to use Azure AD single-tenant authentication for users from the Contoso.com directory. Only users from Contoso.com are currently able to sign in to App1. Now, the company wants to allow users from the Fabrikam.com tenant to authenticate and access App1 as well.

What would you recommend to allow users from the Fabrikam.com tenant to access App1?

A. Configure Azure AD join
B. Configure Azure AD Identity Protection
C. Use Azure AD entitlement management to govern external users
D. Configure assignments for the Fabrikam.com users using Azure AD Privileged Identity Management (PIM)

Correct Answer: C. Use Azure AD entitlement management to govern external users

Explanation:

Currently, App1 uses single-tenant Azure AD authentication via Contoso.com, restricting access to users only within that tenant. To enable users from the Fabrikam.com tenant to access App1, cross-tenant authentication must be enabled.

The recommended solution is to use Azure AD entitlement management, which forms part of Azure AD Identity Governance. Entitlement management allows administrators to define access packages, which control which resources users can access. In this case, users from Fabrikam.com can be invited as guest users to the Contoso.com tenant. Once they accept the invitation, they will be able to authenticate to App1 using their Fabrikam.com credentials.

This method preserves the single-tenant configuration of App1 while providing access to trusted external users securely. It is an efficient, manageable, and scalable solution for cross-tenant collaboration.

Why the other options are not appropriate:

A: Azure AD Join pertains to device registration and not application access for users across tenants.
B: Azure AD Identity Protection focuses on risk-based conditional access, not user onboarding from other tenants.
D: Azure AD Privileged Identity Management (PIM) is used for managing privileged access roles, not for cross-tenant authentication.

Therefore, C is the correct and most secure method for this scenario.

Question No 9:

You are tasked with tracking infrastructure changes within your Azure environment. Your goal is to generate a monthly report that details all Azure Resource Manager (ARM) resource deployments in your subscription. The report should include who deployed the resources, the deployment time, and any relevant metadata.

Which Azure service should you use to achieve this?

A. Azure Activity Log
B. Azure Arc
C. Azure Analysis Services
D. Azure Monitor metrics

Correct Answer: A. Azure Activity Log

Explanation:

To track resource deployment events and generate reports, the Azure Activity Log is the most appropriate service. The Activity Log provides a detailed record of all management operations on resources in your subscription, including create, update, and delete operations. It logs each activity, including:

  • The time of the operation

  • The user or service that initiated the action

  • The resource type and name

  • The operation's success or failure status

  • Additional metadata about the operation

You can export Activity Log data to various destinations, such as a Log Analytics workspace, Event Hub, or Storage Account, and use Kusto Query Language (KQL) to filter logs for deployment-related events. You can also automate report generation to get monthly summaries of deployments.

Why the other options are not suitable:

B: Azure Arc extends Azure management to non-Azure resources but is not used for tracking deployment activities.
C: Azure Analysis Services is for building analytical data models, not for tracking resource management activities.
D: Azure Monitor metrics capture performance-related data, not deployment or management events.

Thus, the Azure Activity Log is the correct service to track and report on all ARM resource deployments.
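As an added example (not from the exam page), this Azure PowerShell script produces the monthly ARM deployment report that Questions 4 and 9 describe, querying Activity Log data that has been routed to a Log Analytics workspace. It assumes a diagnostic setting already sends the subscription's Activity Log to the workspace, that the Az.Accounts and Az.OperationalInsights modules are installed, and that the workspace ID is supplied by the caller.

```powershell
# Added example, not from the exam page: build last month's ARM deployment report
# from Activity Log data stored in a Log Analytics workspace.
# Assumptions: Az.Accounts and Az.OperationalInsights are installed, a diagnostic
# setting already streams the subscription's Activity Log to the workspace, and
# $WorkspaceId is that workspace's customer (GUID) ID.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,
    [string] $OutFile = "arm-deployments-$((Get-Date).AddMonths(-1).ToString('yyyy-MM')).csv"
)

Connect-AzAccount | Out-Null

# The previous calendar month is computed inside KQL so a scheduled run on any
# day of the month produces the same report. Only successful write operations
# count as deployments; narrow OperationNameValue to
# "Microsoft.Resources/deployments/write" to report template deployments only.
$query = @'
AzureActivity
| where TimeGenerated >= startofmonth(now(), -1) and TimeGenerated < startofmonth(now())
| where CategoryValue == "Administrative"
| where OperationNameValue endswith "/write"
| where ActivityStatusValue in ("Success", "Succeeded")
// Start/Success events share a CorrelationId; keep one row per operation
| summarize DeployedAt = max(TimeGenerated)
    by CorrelationId, Caller, CallerIpAddress, OperationNameValue,
       ResourceGroup, _ResourceId, SubscriptionId
| order by DeployedAt asc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query
$rows = @($response.Results)

$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0} deployment operations written to {1}" -f $rows.Count, $OutFile)

# Triage view for the report reader: which identities deployed the most, and
# whether any caller is unexpected (a service principal shows up as an
# application ID rather than a user principal name).
$rows | Group-Object Caller |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Caller'; e = { $_.Name } }, Count
```

Running this from an Azure Automation runbook on the first of each month gives the scheduled, hands-off report the question asks for; the CSV is the artifact to keep for audit.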

Question No 10:

You are designing an Azure solution for a company that needs to deploy multiple virtual machines (VMs) across different regions to ensure high availability and disaster recovery. You want to use an Azure service that automatically replicates VMs to another region without requiring you to manage replication settings manually. 

Which of the following services should you use?

A) Azure Site Recovery
B) Azure Backup
C) Azure Traffic Manager
D) Azure Load Balancer

Correct Answer: A) Azure Site Recovery

Explanation:

In this scenario, the requirement is to deploy virtual machines (VMs) across multiple Azure regions for high availability and disaster recovery. Let's break down the options to understand which service would best meet the needs of this scenario:

A) Azure Site Recovery

Azure Site Recovery is the ideal choice in this scenario. It is a disaster recovery solution that allows you to replicate workloads, including virtual machines (VMs), from one Azure region to another. This service provides automated replication, failover, and failback capabilities, ensuring that if one region experiences an outage, you can failover to a secondary region with minimal manual intervention. The service is designed for high availability and disaster recovery, which makes it the best solution for replicating VMs across different regions as requested in the question. Additionally, Azure Site Recovery works seamlessly with Azure VMs, offering continuous replication to ensure minimal downtime in case of a failure.

B) Azure Backup

Azure Backup is a service used to back up data and applications, including virtual machines, but it is not designed for disaster recovery across regions. While Azure Backup provides reliable backup and restoration of VMs, it does not support automated replication of VMs from one region to another for disaster recovery purposes. This makes it unsuitable for the use case in the question, as you need high availability with region-level disaster recovery, not just backup.

C) Azure Traffic Manager

Azure Traffic Manager is a global traffic distribution service that enables you to route traffic to different Azure endpoints, such as VMs, based on factors like performance, priority, or geographic location. However, Traffic Manager does not handle replication of VMs across regions or provide disaster recovery features. It is more focused on routing traffic to healthy endpoints. While Traffic Manager can help in distributing traffic across multiple regions, it does not provide the replication or failover capabilities required to ensure high availability and disaster recovery.

D) Azure Load Balancer

Azure Load Balancer distributes incoming network traffic across multiple Azure resources, such as virtual machines, to ensure high availability and scalability within a region. While Azure Load Balancer is great for balancing traffic within a region, it does not provide the ability to replicate virtual machines across regions for disaster recovery. It operates within a single region and does not meet the requirement of replicating VMs across different regions.

The correct answer is A) Azure Site Recovery because it provides a disaster recovery solution that automatically replicates virtual machines across different Azure regions. It ensures high availability and business continuity by allowing failover and failback with minimal manual intervention, which is exactly what is needed in the scenario described in the question.