Microsoft - AZ-305: Designing Microsoft Azure Infrastructure Solutions

Sample Questions

Question: 425
Measured Skill: Design identity, governance, and monitoring solutions (25-30%)

Your on-premises network contains an Active Directory Domain Services (AD DS) forest. The forest contains a top-level domain, three child domains, and an on-premises server named Server1.

You have a Microsoft Entra tenant. Server1 uses Microsoft Entra Connect Sync to replicate all the user objects from the three child domains to the tenant.

New contractors and employees are onboarded manually by using the Workday cloud-based human resources (HR) application.

You plan to automatically provision accounts for new users in one of the on-premises child domains and the Microsoft Entra tenant. The provisioning logic for the employees will be distinct from the provisioning logic for the contractors.

You need to identify the following:
  • The minimum number of apps to register in the Microsoft Entra tenant.
  • The minimum number of Microsoft Entra Connect provisioning agents to deploy.

The solution must minimize implementation effort.

What should you identify?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

www.cert2brain.com

A The minimum number of apps to register in the Microsoft Entra tenant: 1
The minimum number of Microsoft Entra Connect provisioning agents to deploy: 1
B The minimum number of apps to register in the Microsoft Entra tenant: 1
The minimum number of Microsoft Entra Connect provisioning agents to deploy: 2
C The minimum number of apps to register in the Microsoft Entra tenant: 2
The minimum number of Microsoft Entra Connect provisioning agents to deploy: 1
D The minimum number of apps to register in the Microsoft Entra tenant: 2
The minimum number of Microsoft Entra Connect provisioning agents to deploy: 3
E The minimum number of apps to register in the Microsoft Entra tenant: 3
The minimum number of Microsoft Entra Connect provisioning agents to deploy: 2
F The minimum number of apps to register in the Microsoft Entra tenant: 3
The minimum number of Microsoft Entra Connect provisioning agents to deploy: 3

Correct answer: A

Explanation:

The Microsoft Entra user provisioning service integrates with the Workday Human Resources API in order to provision user accounts. The Workday user provisioning workflows supported by the Microsoft Entra user provisioning service enable automation of the following human resources and identity lifecycle management scenarios:

  • Hiring new employees - When a new employee is added to Workday, a user account is automatically created in Active Directory, Microsoft Entra ID, and optionally Microsoft 365 and other SaaS applications supported by Microsoft Entra ID, with write-back of IT-managed contact information to Workday.

  • Employee attribute and profile updates - When an employee record is updated in Workday (such as their name, title, or manager), their user account is automatically updated in Active Directory, Microsoft Entra ID, and optionally Microsoft 365 and other SaaS applications supported by Microsoft Entra ID.

  • Employee terminations - When an employee is terminated in Workday, their user account is automatically disabled in Active Directory, Microsoft Entra ID, and optionally Microsoft 365 and other SaaS applications supported by Microsoft Entra ID.

  • Employee rehires - When an employee is rehired in Workday, their old account can be automatically reactivated or re-provisioned (depending on your preference) to Active Directory, Microsoft Entra ID, and optionally Microsoft 365 and other SaaS applications supported by Microsoft Entra ID.

We need one app registration for Workday to Microsoft Entra provisioning. Within that app, we can define multiple provisioning flows (e.g., one for employees, one for contractors) using attribute-based scoping filters. This allows distinct logic without needing separate apps.

We need one Microsoft Entra Connect provisioning agent installed on Server1 or another domain-joined server. This single agent can handle provisioning to multiple child domains in the same forest. A Microsoft Entra Connect provisioning agent supports scoped provisioning rules, so we can target specific domains and organizational units (OUs) based on the user type.

References:

What is identity provisioning?

Configure Workday for automatic user provisioning with Microsoft Entra ID

Topologies for Microsoft Entra Connect



Question: 426
Measured Skill: Design infrastructure solutions (25-30%)

You have five datacenters across North America and Europe.

You have an Azure subscription.

You need to recommend a solution to provide connectivity between the datacenters and Azure. The solution must meet the following requirements:
  • Ensure that apps hosted in a datacenter can access the resources hosted in Azure and the other datacenters.
  • Ensure that apps hosted in Azure can access the resources hosted in the datacenters.
  • Support the central management of network routes.
  • Support the central management of firewall rules.
  • Minimize administrative effort.

What should you include in the recommendation?

A ExpressRoute
B Azure VPN Gateway
C Azure Front Door
D Azure Virtual WAN

Correct answer: D

Explanation:

Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. Some of the main features include:

  • Branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE).
  • Site-to-site VPN connectivity.
  • Remote user VPN connectivity (point-to-site).
  • Private connectivity (ExpressRoute).
  • Intra-cloud connectivity (transitive connectivity for virtual networks).
  • VPN ExpressRoute inter-connectivity.
  • Routing, Azure Firewall, and encryption for private connectivity.

You don't have to have all of these use cases to start using Virtual WAN. You can get started with just one use case, and then adjust your network as it evolves.

The Virtual WAN architecture is a hub and spoke architecture with scale and performance built in for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute circuits, and virtual networks. It enables a global transit network architecture, where the cloud hosted network 'hub' enables transitive connectivity between endpoints that might be distributed across different types of 'spokes'.

Azure regions serve as hubs that you can choose to connect to. All hubs are connected in full mesh in a Standard Virtual WAN making it easy for the user to use the Microsoft backbone for any-to-any (any spoke) connectivity.

Reference: What is Azure Virtual WAN?



Question: 427
Measured Skill: Design infrastructure solutions (25-30%)

You have an Azure subscription that contains a third-party ecommerce app named App1.

You need to share the REST interface of App1 with external partners. The solution must meet the following requirements:
  • Ensure that the partners can connect to the interface from remote networks.
  • Ensure that specific rate limits can be applied to each partner.
  • Use a minimum of TLS 1.2.

What should you do?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A Share the interface by using: Azure API Management
Apply rate limits by using Backend policies.
B Share the interface by using: Azure API Management
Apply rate limits by using Inbound policies.
C Share the interface by using: Azure Firewall
Apply rate limits by using Outbound policies.
D Share the interface by using: Azure Firewall
Apply rate limits by using Inbound policies.
E Share the interface by using: Microsoft Defender for APIs
Apply rate limits by using Backend policies.
F Share the interface by using: Microsoft Defender for APIs
Apply rate limits by using Outbound policies.

Correct answer: B

Explanation:

Azure API Management is a powerful and versatile cloud service that helps organizations publish APIs to external, partner, and internal developers. It provides tools for securing, managing, and scaling API calls. One of its features is controlling rate limiting, which is useful for maintaining the health and reliability of your APIs.

Azure API Management uses policies to enforce rate limiting. You can define these policies at different scopes: global, product, or API-specific. This flexibility allows you to tailor rate limiting according to your API's requirements and usage patterns.

Before you start implementing rate limiting, decide on the rate limits. The limits you set depend on your API's capacity and the traffic that you expect. Common limits are set as the number of calls per second, minute, or hour. For instance, you might allow 1,000 calls per minute per user.

To define rate limits on your API in Azure API Management, use the rate-limit or rate-limit-by-key policies. The rate-limit policy sets a limit across all users. The rate-limit-by-key policy allows limits per identified key (like a subscription or a user ID).

Here's an example of a policy that limits the calls to 1,000 per minute.

<policies>
  <inbound>
    <base />
    <rate-limit calls="1000" renewal-period="60" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>

References:

What is Azure API Management?

How to implement rate limiting in Azure API Management



Question: 428
Measured Skill: Design infrastructure solutions (25-30%)

You have an Azure subscription. The subscription contains virtual machines that run Windows Server.

You are designing a disaster recovery solution that will immediately deploy a new virtual machine when an existing virtual machine fails. The solution must meet the following requirements:
  • New virtual machines must be deployed with all the required configurations in place.
  • Virtual machine deployments must use an infrastructure as code (IaC) methodology.
  • New virtual machines must be created by using standard Microsoft disk images.
  • New virtual machines must be authorized by virtual machine administrators.
  • Virtual machine deployments must be managed by using CI/CD pipelines.

You need to recommend which service to use to manage the virtual machine deployment process and which artifact to use to create each virtual machine.

What should you recommend?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A Service: Azure Site Recovery
Artifact: An Azure Resource Manager (ARM) template
B Service: Azure DevOps Services
Artifact: A generalized virtual machine image
C Service: Azure Compute Gallery
Artifact: A Desired State Configuration (DSC) file
D Service: Azure DevOps Services
Artifact: An Azure Resource Manager (ARM) template
E Service: Azure VM Image Builder
Artifact: A generalized virtual machine image
F Service: Azure Site Recovery
Artifact: A specialized virtual machine image

Correct answer: D

Explanation:

Azure DevOps Services provides a complete CI/CD pipeline platform that supports Infrastructure as Code (IaC), automated VM deployments, and approval workflows.

Azure Resource Manager (ARM) templates allow you to create and update any Azure resource declaratively. Use one of many sample templates or build one from scratch using native tooling in Visual Studio or Visual Studio Code. ARM templates support deep integration with other Azure services, such as Azure Policy to remediate non-compliant resources and Azure DevOps for CI/CD.

References:

Azure DevOps

Azure Resource Manager templates



Question: 429
Measured Skill: Design identity, governance, and monitoring solutions (25-30%)

You have a Microsoft Entra tenant that uses Microsoft Entra Connect Sync to sync with an on-premises Active Directory Domain Services (AD DS) domain. The domain contains several member servers.

You have a custom human resources (HR) application named App1 that stores employee records.

You are designing a solution to automate the management of user accounts. The solution must meet the following requirements:
  • When employees are added to App1, the user accounts of the employees must be provisioned to the AD DS domain and the Microsoft Entra tenant automatically.
  • New employee records must be read from a CSV file that is exported from App1 daily.
You need to recommend a Microsoft Entra Identity Governance provisioning method and a target endpoint for creating new user accounts.

What should you recommend?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A Identity Governance provisioning method: API-driven inbound provisioning
Target endpoint: The Microsoft Entra tenant
B Identity Governance provisioning method: API-driven inbound provisioning
Target endpoint: The Microsoft Entra Connect provisioning agent
C Identity Governance provisioning method: Application provisioning
Target endpoint: An AD DS domain controller
D Identity Governance provisioning method: Application provisioning
Target endpoint: An SCIM endpoint
E Identity Governance provisioning method: The Extensible Connectivity (ECMA) connector
Target endpoint: An SCIM endpoint
F Identity Governance provisioning method: The Extensible Connectivity (ECMA) connector
Target endpoint: The Microsoft Entra Connect provisioning agent

Correct answer: B

Explanation:

HR-driven provisioning is the process of creating digital identities based on a human resources system. The HR systems become the source of authority for these newly created digital identities and are often the starting point for numerous provisioning processes. For example, if a new employee joins your company, they're created in the human resource system. The creation triggers the provisioning of a user account into Active Directory, and then Microsoft Entra Connect provisions this account to Microsoft Entra ID.

With API-driven inbound provisioning, the Microsoft Entra provisioning service now supports integration with any system of record. Customers and partners can use any automation tool of their choice to retrieve workforce data from the system of record and ingest it into Microsoft Entra ID.

Flat files, CSV files and SQL staging tables are commonly used in enterprise integration scenarios. Employee, contractor, and vendor information are periodically exported into one of these formats and an automation tool is used to sync this data with enterprise identity directories. With API-driven inbound provisioning, IT teams can use any automation tool of their choice (example: PowerShell scripts or Azure Logic Apps) to modernize and simplify this integration.
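
The CSV-to-API step described above, as an added example (not from the original page and not Microsoft's own code): it validates each row of the daily export and builds SCIM bulk request payloads for the inbound provisioning API. The CSV column names, sample rows, attribute mapping and batch size of 50 are assumptions; authenticating and sending the payload to the provisioning endpoint is left out.

```python
import csv
import io
import json

SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
REQUIRED = ("EmployeeId", "UserName", "GivenName", "FamilyName", "Department")

# Constructed sample of the daily App1 export; the column names are assumptions.
SAMPLE_CSV = """EmployeeId,UserName,GivenName,FamilyName,Department
1001,akhan@contoso.example,Aisha,Khan,Finance
1002,,Ben,Ortiz,Sales
1003,cwu@contoso.example,Chen,Wu,Engineering
"""

def row_to_operation(row):
    """Map one CSV row to a SCIM bulk POST operation keyed by the HR employee ID."""
    return {
        "method": "POST",
        "bulkId": row["EmployeeId"],
        "path": "/Users",
        "data": {
            "schemas": [SCIM_USER, SCIM_ENTERPRISE],
            "externalId": row["EmployeeId"],
            "userName": row["UserName"],
            "name": {"givenName": row["GivenName"], "familyName": row["FamilyName"]},
            "active": True,
            SCIM_ENTERPRISE: {"employeeNumber": row["EmployeeId"],
                              "department": row["Department"]},
        },
    }

def build_bulk_requests(csv_text, batch_size=50):
    """Return (payloads, rejected): SCIM bulk requests plus rows that failed validation."""
    operations, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = {k: (v or "").strip() for k, v in row.items() if k is not None}
        if any(not row.get(col) for col in REQUIRED):
            rejected.append(row)  # never provision an account from an incomplete record
            continue
        operations.append(row_to_operation(row))
    payloads = [{"schemas": [SCIM_BULK], "Operations": operations[i:i + batch_size]}
                for i in range(0, len(operations), batch_size)]
    return payloads, rejected

if __name__ == "__main__":
    payloads, rejected = build_bulk_requests(SAMPLE_CSV)
    print(json.dumps(payloads[0], indent=2), [r["EmployeeId"] for r in rejected])
```

Rejected rows are returned rather than silently dropped so the automation can log them for HR to correct before the next export.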

References:

What is identity provisioning?

What is HR-driven provisioning?

API-driven inbound provisioning concepts





 

© Copyright 2014 - 2025 by cert2brain.com