Practice AZ-305 Design identity, governance, and monitoring solutions questions with full explanations on every answer.
1. A large enterprise wants to enforce zero-trust conditional access policies that use real-time user risk, sign-in risk, and device compliance. Which combination of Microsoft Entra ID features should they use?
2. A company needs to monitor sign-in logs from multiple Microsoft Entra ID tenants and analyze user sign-in patterns across those tenants. Which Azure solution should they use?
3. A multinational company uses Microsoft Entra ID for identity. They need to grant external partners access to specific SharePoint Online sites. The access must be time-limited and require approval from a resource owner. Which Microsoft Entra ID feature should they use?
4. A company has multiple Azure subscriptions and wants to enforce that all administrators must use multi-factor authentication (MFA) when accessing the Azure portal. They also want to monitor and report on any policy changes that affect this enforcement. Which combination of Azure services should they use?
5. A company uses Microsoft Entra ID for identity management. They need to automate the process of granting access to resources for employees and external partners, and require periodic access reviews to ensure compliance. Which Microsoft Entra ID feature should they use?
6. A company has Microsoft Entra ID Premium P2 licenses and wants to ensure that privileged roles (e.g., Global Administrator) are only activated when needed and with approval. They also need to regularly review who has access to these roles. Which combination of features should they use?
7. A company wants to collect metrics and logs from all Azure resources in their subscription, including custom metrics from their applications, and create dashboards and alerts. Which Azure service should they use as the primary monitoring platform?
8. A large enterprise has multiple Azure subscriptions and on-premises servers. They need to collect performance metrics (CPU, memory) from all servers, create custom dashboards to visualize health across workloads, and set up alerts for critical thresholds. They also need to retain log data for one year. Which combination of Azure services should they use?
9. A company uses Microsoft Entra ID B2B to collaborate with external vendors. They want to enforce that external users must use multi-factor authentication (MFA) and access company resources only from compliant devices (e.g., managed by Intune). They also want to require a session timeout of 1 hour. Which combination of Microsoft Entra ID features should they use?
10. A company requires all users to use multi-factor authentication (MFA) when accessing cloud applications. However, they want to exempt users from MFA when they connect from the company's headquarters, which has a trusted IP range. They want to enforce this policy centrally. Which Microsoft Entra ID feature should they use?
11. A company wants to configure policies that detect risky sign-ins (e.g., from anonymous IPs or unfamiliar locations) and automatically require multi-factor authentication (MFA) when such risk is detected. Which Microsoft Entra ID feature should they use to create these policies?
12. A company uses Microsoft Entra ID and wants to automate the lifecycle management of user accounts in their SaaS applications, such as Salesforce and ServiceNow. The solution should automatically create, update, and deactivate accounts when users join, move, or leave the organization. Which Microsoft Entra ID feature should they use?
13. A company uses Microsoft Entra ID and wants to allow users to sign in using their existing personal Microsoft accounts, Google, and Facebook identities. They also need custom sign-up and sign-in flows with collection of specific user attributes. Which Microsoft Entra ID feature should they use?
14. A company uses Microsoft Entra ID and wants to enforce that all users must use multi-factor authentication (MFA) when accessing sensitive applications. However, they want to exclude users when connecting from the corporate office IP range and only allow access from devices that are compliant with Intune policies. Which Microsoft Entra ID feature should they use to create this policy?
15. A multinational company uses Microsoft Entra ID. The company has regional IT teams that need to manage users and groups within their respective regions. Each region has a distinct set of users in specific organizational units. The company wants to assign the User Administrator role to regional IT staff, but limit their scope to only the users in their region. Which Microsoft Entra ID feature should they use?
16. A large enterprise has a management group hierarchy with 50 subscriptions. They need to enforce that every resource group must have a 'CostCenter' tag and that any new resource group without that tag is automatically denied creation. Additionally, they need to ensure that only the Finance team can modify tags on any resource. They also want to generate monthly compliance reports showing which resources are non-compliant. Which combination of Azure services should they use?
17. A company uses Microsoft Entra ID Privileged Identity Management (PIM) to control access to administrator roles. They want to implement a monitoring solution that sends an email to the security team whenever a user activates the Global Administrator role outside of standard business hours (9 AM–5 PM). They also need to track all activation history for quarterly audits. Which solution should they implement?
18. A company uses Microsoft Entra ID B2B collaboration for external partners. They want to enforce that external users must use multi-factor authentication (MFA) and access company resources only from devices that are compliant with Intune policies. Additionally, they need to require a session timeout of 1 hour. Which combination of Microsoft Entra ID features should they use?
19. A company uses Microsoft Entra ID and wants to automate the process of granting access to internal applications and Microsoft 365 groups. Employees request access through a portal, and managers must approve the requests. The access should be automatically removed after a defined period, and managers must perform quarterly access reviews to confirm continued need. Which Microsoft Entra ID feature should they use?
20. A company wants to monitor sign-in failures for their Microsoft Entra ID-integrated applications. They need a dashboard in Azure Monitor showing sign-in failures by application and user location. Which data source should they stream to a Log Analytics workspace?
21. A company is migrating on-premises Windows applications that require LDAP, NTLM, or Kerberos authentication to Azure VMs. They want to provide domain services for these applications without deploying and managing domain controllers. Which Azure service should they use?
22. A company wants to allow remote users to access an internal web application hosted on-premises without opening inbound firewall ports. They need seamless single sign-on (SSO) using Microsoft Entra ID credentials. Which Azure service should they use?
23. A company uses Microsoft Entra ID. They want to enforce that all users must use multi-factor authentication (MFA) when accessing sensitive applications from outside the corporate network, but allow access without MFA when coming from the corporate office IP range. Which Microsoft Entra ID feature should they use to create this policy?
24. A company uses Microsoft Entra ID. They need to allow external business partners to request access to a specific application. The access must be time-limited and require approval from the partner's manager. Additionally, access must automatically expire after the defined period. Which Microsoft Entra ID feature should they use?
25. A company wants to monitor sign-in activity for their Microsoft Entra ID-integrated applications. They need to detect risky sign-ins, such as sign-ins from anonymous IP addresses or unfamiliar locations, and automatically block or require multi-factor authentication. They also need a dashboard showing risk events and the ability to investigate and remediate. Which Microsoft Entra ID feature should they use?
26. A company uses Microsoft Entra ID. They have a SaaS application that supports SCIM (System for Cross-domain Identity Management). The company wants to automatically create, update, and deactivate user accounts in the SaaS application whenever changes occur in Microsoft Entra ID. They do not want to use custom scripts. Which Microsoft Entra ID feature should they configure?
27. A company uses Microsoft Entra ID. They want to grant a user temporary access to the Global Administrator role for a specific task. The access must require approval from a manager and automatically expire after 4 hours. Which Microsoft Entra ID feature should they use?
28. A company uses Microsoft Entra ID. They want to automatically detect sign-ins from anonymous IP addresses, sign-ins from unfamiliar locations, and other risky activities. When such a risk is detected, they want to block the sign-in or require multi-factor authentication. They also need a dashboard to review risk events. Which Microsoft Entra ID feature should they use?
29. A company is building a customer-facing web application. They want to allow users to sign in using their existing social accounts (Microsoft, Google, Facebook) or create a local account. The solution must be fully managed and support custom branding. Which Azure service should they use?
30. A company uses Microsoft Entra ID. They want to block all access to corporate applications from devices that are not managed by their organization. They require that only devices enrolled in Microsoft Intune and compliant with company policies can access company resources. Which Microsoft Entra ID feature should they use?
31. A company uses Microsoft Entra ID. They want to require users to use multi-factor authentication when accessing the Azure portal from any device. They do not want to require MFA for other applications. Which Microsoft Entra ID feature should they configure?
32. A company uses Microsoft Entra ID. They want to allow external business partners to request access to a specific internal application. The access must be time-limited and require approval from a manager within the partner's organization. Additionally, access should automatically expire after the defined period. Which Microsoft Entra ID feature should they use?
33. A company uses Microsoft Entra ID. They want to automatically detect sign-in attempts from anonymous IP addresses and sign-ins from unfamiliar locations. When such a risk is detected, they want to block the sign-in or require multi-factor authentication (MFA) in real time. Additionally, they need a dashboard that provides a summary of risk events and allows investigation. Which Microsoft Entra ID feature should they use?
34. A company uses Microsoft Entra ID and Microsoft Intune. They want to block all access to internal corporate applications from devices that are not enrolled in Intune and do not meet the company's compliance policies. The solution must apply to all cloud app access seamlessly. Which Microsoft Entra ID feature should they configure?
35. A company wants to automatically detect sign-in attempts from anonymous IP addresses and sign-ins from unfamiliar locations. When such a risk is detected, they want to require multi-factor authentication (MFA) or block the sign-in in real time. Additionally, they need a dashboard that shows risk events and allows generating weekly risk reports. Which Microsoft Entra ID feature should they use?
36. A company uses Microsoft Entra ID. They have many guest users with access to internal SharePoint sites and applications. They need to review guest user access every 90 days and automatically remove access if the guest does not respond to the review request. The solution must be fully automated without custom scripting. Which Microsoft Entra ID feature should they use?
37. A company uses Microsoft Entra ID and Microsoft Intune. They want to block access to all corporate cloud applications (e.g., Office 365, Azure portal) from devices that are not enrolled in Intune or do not meet the company's compliance policies. The solution must work seamlessly for all cloud apps without requiring per-app configuration. Which Microsoft Entra ID feature should they configure?
38. A company uses Microsoft Entra ID. They need to grant external partners access to an internal application for a limited time (30 days). The access request must be approved by a manager from the partner's organization, and after 30 days the access must automatically expire. They also want to send email reminders 7 days before expiration. Which Microsoft Entra ID feature should they use?
39. A company uses Microsoft Entra ID. They want to require multi-factor authentication (MFA) for all users accessing the Azure portal, but do not want MFA to be required for other applications like Office 365. Which Microsoft Entra ID feature should they configure?
40. A company uses Microsoft Entra ID. They need to implement a solution that automatically detects identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. They want to generate reports summarizing risk events and integrate the risk data with their existing Security Information and Event Management (SIEM) system via API. Which Microsoft Entra ID feature should they use?
41. A company uses Microsoft Entra ID. They want to automatically detect and respond to high-risk sign-in events, such as sign-ins from malware-linked IP addresses or leaked credentials. When such risks are detected, they want to require multi-factor authentication (MFA) or block the sign-in. They also need a dashboard to review risk events and generate reports. Which Microsoft Entra ID feature should they configure?
42. A company uses Microsoft Entra ID. They need to grant external partners access to an internal application for a limited time (30 days). The access must be approved by a manager from the partner's organization. After the period ends, access should automatically be removed. The company also wants to send email reminders 7 days before expiration. Which Microsoft Entra ID feature should they use?
43. A company uses Microsoft Entra ID. External partners need temporary access to an internal application. The process must be self-service: partners request access, the request goes through an approval workflow managed by a manager from the partner's organization, and access automatically expires after 30 days. The company also wants to send reminder emails 7 days before expiration. Which Microsoft Entra ID feature should they use?
44. A company uses Microsoft Entra ID for identity management. They want to automatically detect sign-in risks such as sign-ins from unfamiliar locations, anonymous IP addresses, or leaked credentials. Based on the risk level, they want to apply different controls: for low-risk sign-ins, show a message but allow access; for medium-risk sign-ins, require multi-factor authentication (MFA); for high-risk sign-ins, block the sign-in. They also need to receive a weekly summary report of risk events. Which Microsoft Entra ID feature should they configure?
45. A company uses Microsoft Entra ID. They want to enable users to reset their own passwords without contacting the help desk. They also want to enforce multi-factor authentication (MFA) during the password reset process. Which Microsoft Entra ID feature should they enable?
46. A company uses Microsoft Entra ID. They want to provide external business partners with access to an internal application. The access must be time-limited to 60 days, approved by a manager within the partner company, and automatically expire. The company also needs to generate reports of who has access. Which Microsoft Entra ID feature should they implement?
47. A company uses Microsoft Entra ID. They want to automatically detect identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. They want to generate reports summarizing risk events and integrate the risk data with their existing Security Information and Event Management (SIEM) system via an API. Which Microsoft Entra ID feature should they configure?
48. A company uses Microsoft Entra ID. They need to grant specific IT administrators just-in-time (JIT) access to Azure virtual machines for troubleshooting. The access must be time-bound, require approval from a senior manager, and be automatically revoked after the granted time period. The company also needs an audit log of all access requests and assignments. Which Azure service or feature should they use?
49. A company uses Microsoft Entra ID for identity management. They want to enforce that only devices compliant with security policies (e.g., BitLocker enabled, antivirus running) can access corporate cloud applications (Microsoft 365 and custom SaaS apps). They also need a dashboard to monitor device compliance status. Which Microsoft Entra ID feature(s) should they configure?
50. A company uses Microsoft Entra ID. They want to allow users to sign in to partner applications using their Microsoft Entra ID credentials. The partner applications support SAML 2.0 and OpenID Connect. They also need to customize the appearance of the sign-in pages. Which Microsoft Entra ID feature should they configure?
51. A company uses Microsoft Entra ID. They want to integrate their security operations with a third-party SIEM tool. They need to export all Microsoft Entra ID sign-in logs and audit logs to the SIEM for analysis. The solution should be automated and near real-time. Which Azure service should they configure?
52. A company uses Microsoft Entra ID. They need to automatically block sign-ins from users whose accounts have been identified as high-risk for compromise. They also want users to be prompted to reset their password when the risk is detected. Which Microsoft Entra ID feature should they use?
53. A company uses Microsoft Entra ID. They want to automatically review and remove guest accounts that have not signed in for 90 days. They also need to generate reports for auditors. Which Microsoft Entra ID feature should they use?
54. A company uses Microsoft Entra ID. They want to integrate their on-premises Active Directory with Microsoft Entra ID to enable single sign-on (SSO) for cloud applications. Users should be able to use the same password for on-premises resources and cloud applications. The company has a large on-premises user base and wants to avoid additional infrastructure for federation. Which Microsoft Entra ID feature should they implement?
55. A company uses Microsoft Entra ID. They want to allow external business partners to access an internal web application using their own organizational identities. The solution must support self-service sign-up and enforce multi-factor authentication for partner users. Which Microsoft Entra ID feature should they configure?
56. A company uses Microsoft Entra ID. They want to automatically detect identity risks, such as users with leaked credentials or sign-ins from anonymous IP addresses, and generate alerts. They also want to automatically trigger a password reset for high-risk users. Which Microsoft Entra ID feature should they configure?
57. A company uses Microsoft Entra ID. They need to grant temporary administrative roles to users for specific tasks. The process must require approval from a designated approver, and the access must automatically expire after a defined period. The company also needs audit logs of all role assignments and activations. Which Microsoft Entra ID feature should they implement?
58. A company uses Microsoft Entra ID Premium P2. They want to enforce that users accessing sensitive cloud applications from outside the corporate network must use multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure?
59. A company uses Microsoft Entra ID. They need to automatically remove guest users who have not signed in for 60 days. Additionally, they must generate a report of all guest access for auditors. Which Microsoft Entra ID feature should they implement?
60. A company uses Microsoft Entra ID. They want to allow users to sign in to multiple SaaS applications using their Microsoft Entra ID credentials without being prompted again for each application. Which Microsoft Entra ID feature should they enable?
61. A company uses Microsoft Entra ID Premium P2. They need to automatically detect users with high-risk sign-ins (e.g., from anonymous IP addresses or leaked credentials) and require them to reset their password. Which Microsoft Entra ID feature should they configure?
62. A company uses Microsoft Entra ID. They need to ensure that users who access sensitive cloud applications from untrusted networks (e.g., public Wi-Fi) are prompted for multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure?
63. A company uses Microsoft Entra ID. They need to automatically detect sign-ins from users with leaked credentials and prompt those users to reset their password during the next sign-in. Which Microsoft Entra ID feature should they enable?
64. A company uses Microsoft Entra ID Premium P2. They want to automatically block sign-ins from malicious IP addresses and require users to perform multi-factor authentication (MFA) when signing in from untrusted locations. Which Microsoft Entra ID feature should they use?
65. A company uses Microsoft Entra ID. They need to generate periodic reports of user sign-ins and audit activities for compliance. They want to store the logs for 1 year. Which Azure service should they use?
66. A company uses Microsoft Entra ID. They need to automate the process of granting users access to a specific application only during business hours and revoking it automatically. The access should be based on a request-approval workflow. Which Microsoft Entra ID feature should they use?
67. A company uses Microsoft Entra ID. They need to monitor sign-in logs for anomalous activity (e.g., sign-ins from unfamiliar locations) and automatically take action such as requiring MFA or blocking sign-in. Which Microsoft Entra ID feature should they configure?
68. A company uses Microsoft Entra ID. They need to enforce that all users accessing the company's internal application from mobile devices must be compliant with device management policies (e.g., require a PIN and encryption). The application does not support modern authentication. Which Microsoft Entra ID feature should they use?
69. A company uses Microsoft Entra ID Premium P2. They need to automatically detect users whose credentials have been leaked and require them to reset their password at their next sign-in. Additionally, they want to block sign-ins from anonymous IP addresses (e.g., Tor network). Which combination of Microsoft Entra ID features should they enable to meet both requirements?
70. A company uses Microsoft Entra ID Premium P2. They need to automatically block sign-ins from anonymous IP addresses (e.g., Tor) and force users from risky sign-ins to reset their password. They want to minimize administrative effort and use built-in features. Which Microsoft Entra ID feature should they enable?
71. An enterprise wants just-in-time elevation for Azure administrators and periodic validation that privileged users still require access. Which two Microsoft Entra features should you recommend? (Choose 2.)
72. A company must prevent non-compliant devices from accessing Exchange Online and SharePoint Online. Which design should you recommend?
73. A company plans to migrate on-premises applications to Azure. They require users to authenticate using their existing on-premises Active Directory credentials without syncing password hashes to the cloud. Which Microsoft Entra ID authentication method should they use?
74. A multinational company uses Microsoft Entra ID and several Azure subscriptions. Security administrators need to review privileged role assignments every month and require justification for continued access. Which design should be recommended?
75. A company wants workload deployments to access Azure resources without storing client secrets in CI/CD variables. The pipeline runs from GitHub Actions. Which identity design should be used?
76. A SaaS application must allow external partner users to sign in with their own organization credentials while the company controls application access. What should be used?
77. An organization wants to enforce MFA only when sign-in risk is medium or high. Which Microsoft Entra capability should be used?
78. Drag and drop the steps to implement Azure Site Recovery for a Hyper-V VM into the correct order.
79. Drag and drop the steps to implement Azure AD Privileged Identity Management (PIM) for a role into the correct order.
80. Drag and drop the steps to configure Azure Load Balancer for high availability of web servers into the correct order.
81. Match each Azure service to its primary function.
82. Match each Azure compute service to its characteristic.
83. Match each Azure migration tool to its use case.
84. You are designing a monitoring solution for a global e-commerce application hosted on Azure. The application experiences intermittent performance degradation that is difficult to reproduce. You need to ensure that you can capture detailed diagnostic data when the degradation occurs, without permanently storing large amounts of data. Which Azure feature should you use?
85. Your company has a Microsoft Entra ID tenant with 10,000 users. You plan to grant external partners access to a specific SharePoint Online site using Microsoft Entra B2B collaboration. You need to ensure that partners can authenticate using their own corporate credentials. What should you configure?
86. You are designing an identity governance solution for a multinational company. The company uses Microsoft Entra ID and has a requirement to automatically remove user access to critical SaaS applications when the user leaves the organization or changes roles. You need to ensure that the access removal is audited and can be reversed within 30 days if needed. What should you implement?
87. Refer to the exhibit. You create this Azure Policy definition in a management group that contains all subscriptions. After assigning the policy, you notice that no audit events are generated when a new custom RBAC role is created. What is the most likely reason?
88. Your organization is moving to a cloud-only identity model using Microsoft Entra ID. You need to ensure that users can reset their own passwords without help desk intervention. The solution must support multi-factor authentication and notify administrators of password resets. What should you implement?
89. Refer to the exhibit. You deploy this Azure Monitor scheduled query rule to alert when CPU usage exceeds 90% for sustained periods. However, alerts are not firing even when the condition is met. What is the most likely cause?
90. Your company uses Microsoft Entra ID to manage identities for 5,000 employees. You plan to implement Microsoft Entra ID Governance to automate the user provisioning lifecycle for a third-party SaaS application. The application supports SCIM 2.0. You need to ensure that user accounts are automatically created, updated, and disabled in the application based on changes in Entra ID. What should you do?
91. You are designing a monitoring solution for Azure SQL Database. The requirement is to track query performance metrics such as CPU usage, data IO, and wait statistics over time. You need to identify performance bottlenecks and provide historical data for analysis. Which Azure service should you use?
92. Your organization has a hybrid identity infrastructure with Microsoft Entra ID and on-premises Active Directory. You plan to implement Microsoft Entra ID Protection to detect and respond to identity risks. You need to ensure that risky sign-ins from anonymous IP addresses are automatically blocked, while still allowing legitimate users to self-remediate. What should you configure?
93. You are designing a governance strategy for Azure resources. Your organization has multiple departments, each with its own set of Azure subscriptions. You need to enforce consistent policies across all subscriptions, such as allowed resource locations and required tags, while allowing departments to manage their own resources within those constraints. Which Azure service should you use?
94. Which TWO are benefits of using Microsoft Entra ID Governance? (Choose two.)
95. Which THREE should you consider when designing a monitoring solution for a critical application that requires high availability and low latency? (Choose three.)
96. Which TWO are valid methods to authenticate to Azure from a PowerShell script that runs unattended? (Choose two.)
97. Refer to the exhibit. You deploy this Azure Network Watcher connection monitor to test TCP connectivity on port 443 between two VMs. The test consistently shows 'Unreachable' status. Both VMs are running and have correct NSG rules allowing inbound port 443 from the source VM's IP. What is the most likely cause?
98. Your company plans to use Microsoft Sentinel as a SIEM solution. You need to ensure that security events from all Azure subscriptions are collected in a single workspace. What should you configure?
99. A company uses Microsoft Entra ID for identity management. They want to ensure that users accessing sensitive data from unmanaged devices are prompted for multifactor authentication (MFA) and must accept a terms-of-use. Which policy should be configured?
100. Your organization is designing a monitoring solution for a critical application running on Azure VMs. You need to collect performance metrics and logs from the VMs and send them to a centralized Log Analytics workspace. You also need to visualize the data in near real-time. Which combination of services should you use?
101A multinational company uses Microsoft Entra ID with a custom domain. They need to implement a governance strategy for Microsoft 365 groups, ensuring that group expiration policies are enforced and that group owners receive renewal notifications. What should you configure?
102Your company uses Azure Policy to enforce tagging standards. You need to ensure that any new resource group automatically inherits the 'CostCenter' tag from its subscription. Which Azure Policy effect should you use?
103You are designing a monitoring solution for a hybrid environment with on-premises servers and Azure VMs. You need to collect security events and performance data centrally, and create custom alerts. The solution must use the same agent for both environments. Which agent should you deploy?
104Your organization uses Microsoft Entra ID with P2 licensing. You need to implement a strategy to automatically detect and remediate risky sign-ins without requiring user interaction for low-risk events. What should you configure?
105Your company is deploying a new application on Azure Kubernetes Service (AKS). You need to monitor the health and performance of the cluster, including container logs, metrics, and request rates. Which Azure service should you enable?
106A company uses Microsoft Entra ID to manage identities for employees and partners. They need to allow partners to self-service reset their passwords using a mobile app notification. Which feature should you enable?
107Your company has multiple Azure subscriptions managed by a management group. You need to enforce that all resources are deployed in the West US region only. Additionally, you must allow a specific resource group in the production subscription to be deployed in East US. What should you configure?
108Which TWO actions should you take to design a monitoring solution for a multi-tier application running on Azure VMs? (Select TWO.)
109Which THREE capabilities are provided by Microsoft Entra ID Identity Governance? (Select THREE.)
110Which TWO are valid methods to authenticate users in a Microsoft Entra ID hybrid identity solution? (Select TWO.)
111Refer to the exhibit. You have an Azure Policy definition as shown. The policy is assigned at the subscription scope. What is the result when a user tries to create a VM with SKU Standard_D8s_v3?
112Refer to the exhibit. You run the KQL query in Azure Monitor Log Analytics. Which user accounts should you investigate first?
113Refer to the exhibit. You are creating a role assignment in Azure. The role definition ID is for the Contributor role. What is the effect of this assignment?
114Your organization uses Microsoft Entra ID. You need to enforce multifactor authentication (MFA) for all guest users accessing a specific SharePoint Online site. What is the most efficient way to achieve this?
115You are designing a monitoring solution for a critical application that runs on Azure Virtual Machines. The application generates custom performance counters. You need to alert when the custom counter exceeds a threshold and trigger an Azure Automation runbook to remediate. Which two Azure services should you combine? (Select TWO.)
116Your company has an Azure subscription with multiple resource groups. You need to ensure that all resources are tagged with a 'CostCenter' tag. What should you use?
117Refer to the exhibit. You are analyzing a deployment of a Custom Script Extension on an Azure VM. The extension fails to run. What is the most likely cause?
118You have an Azure subscription that contains 100 virtual machines. You need to monitor the virtual machines for security vulnerabilities and receive recommendations. What should you use?
119Your organization uses Microsoft Entra ID. You need to allow external users to sign in using their own identity providers (e.g., Google, Facebook) to access a custom application. What should you configure?
120Refer to the exhibit. You are reviewing a Bicep template for a storage account. You need to ensure that the storage account is only accessible via HTTPS and uses TLS 1.2. Which property validates this requirement?
121You need to design a solution to monitor the performance of an Azure SQL Database. You want to create a dashboard that shows the top 10 queries by CPU usage over the last hour. What should you use?
122Your organization has multiple Azure subscriptions. You need to create a central view of policy compliance across all subscriptions. What should you use?
123You have an Azure subscription that contains a virtual network named VNet1. You need to monitor all network security group (NSG) flow logs. Which three components must you enable? (Select THREE.)
124You need to ensure that only authorized users can access the Azure portal. What should you use?
125Refer to the exhibit. You are deploying NSG flow logs. After deployment, you notice that no logs are being written to the storage account. What is the most likely cause?
126Your organization has a hybrid identity with Microsoft Entra ID and on-premises Active Directory. You need to allow users to reset their own passwords from the cloud. What should you configure?
127You need to monitor Azure resources and send alerts when the CPU usage of a virtual machine exceeds 90% for 5 minutes. Which two Azure services should you use? (Select TWO.)
128You need to assign permissions to an Azure resource group so that a user can create and manage virtual machines but cannot delete the resource group. What should you use?
129Your company uses Microsoft Entra ID for identity management. You need to ensure that users can access corporate resources without passwords while maintaining a high level of security. Which feature should you implement?
130You are designing a governance strategy for Azure resources. The company has multiple departments, each requiring separate cost tracking and policy enforcement. You need to organize resources to align with the departments while minimizing management overhead. What should you use?
131Your Azure environment includes multiple subscriptions that are managed by different teams. You need to ensure that all resources are compliant with your company's security policies, and any non-compliant resources must be automatically remediated or reported. Which solution should you implement?
132You need to monitor the performance and health of your Azure virtual machines, including custom metrics and logs. You also need to set up alerts based on specific thresholds. Which Azure service should you use?
133Your organization uses Microsoft Entra ID and requires that all external users accessing resources must be approved by a designated reviewer. You need to automate the review process for external identities. What should you implement?
134You are designing a monitoring solution for a critical application running on Azure Kubernetes Service (AKS). The application generates custom metrics that need to be queried in real-time for dashboards. You also need to retain logs for one year for compliance. Which combination of services should you use?
135Your company plans to use Microsoft Sentinel for security information and event management (SIEM). You need to ingest security logs from multiple Azure resources and on-premises servers. Which data connector should you use for Windows servers on-premises?
136You are designing an identity solution for a large enterprise that uses Microsoft Entra ID. The company has a partner organization that needs access to a specific application. The partner uses their own identity provider (IdP). You need to enable seamless access without duplicating user accounts. What should you configure?
137Your Azure subscription contains multiple virtual machines (VMs) that run a line-of-business application. You need to configure alerts when the CPU usage exceeds 90% for more than 5 minutes. Additionally, the alert must automatically trigger a runbook to scale out the application. Which Azure service should you use to create this alert?
138Which TWO of the following are true about Microsoft Entra ID Governance features?
139Which TWO of the following are valid Azure Policy effects that can be used to enforce compliance?
140Which THREE of the following are required to collect Windows security events into Microsoft Sentinel?
141Refer to the exhibit. You apply this Azure Policy to a subscription. What happens when a user tries to create a virtual machine?
142Refer to the exhibit. You create this Conditional Access policy in Microsoft Entra ID. What is the result?
143Refer to the exhibit. You run this Kusto query in Azure Monitor Logs. What does it return?
144Your company is designing a governance strategy for Azure resources. The security team requires that all resource groups in the production subscription must have a specific tag (Environment=Production) applied automatically. Any resource group created without this tag must be reported within 24 hours. Which Azure policy should you implement?
145You are designing a monitoring solution for a critical application hosted on Azure Virtual Machines. The application is latency-sensitive and you need to be alerted when CPU usage exceeds 90% for more than 5 minutes. Which Azure Monitor feature should you use?
146Your company uses Microsoft Entra ID (formerly Azure AD) and requires that all external guest users must be automatically reviewed for access every 90 days. The review should be performed by the guest user's manager in the partner organization. However, the partner organization does not use Microsoft Entra ID. Which solution should you implement?
147Your organization is implementing a zero-trust security model. You need to ensure that all access to corporate resources from mobile devices is conditional based on device compliance, user risk, and location. Which Microsoft Entra ID feature should you use?
148You are designing a governance strategy for a multi-subscription Azure environment. Your compliance team requires that any resource group created in the production subscription must have a specific naming convention: it must start with 'prod-' and be followed by a three-letter department code and a two-digit number. Any resource group not following this convention should be automatically prevented from creation. Which Azure policy definition should you use?
149Your company has multiple Azure subscriptions. You need to ensure that all security-related logs from Azure resources are centralized in a single Log Analytics workspace for analysis. Which Azure service should you use to collect and route these logs?
150Your organization uses Microsoft Entra ID and has a hybrid identity deployment with Active Directory Domain Services (AD DS) on-premises. You need to synchronize user identities to Microsoft Entra ID, but you must ensure that password hashes are never stored in the cloud. Which synchronization method should you use?
151Your company has an Azure subscription with 100 virtual machines. You need to monitor the performance of these VMs and be alerted when the average CPU usage across a set of VMs exceeds 80% for 10 minutes. The set of VMs is defined by a tag (Environment=Production). Which Azure Monitor solution should you implement?
152Your organization uses Microsoft Purview to govern data across Azure and on-premises sources. You need to ensure that sensitive data, such as credit card numbers, is automatically detected and classified in Azure Blob Storage. Which Purview feature should you configure?
153Your company has an Azure subscription that contains 100 virtual machines (VMs). You are designing a monitoring solution that must meet the following requirements: - Alert when any VM's CPU usage exceeds 90% for 15 minutes. - Alert when any VM's available memory drops below 1 GB. - Provide a centralized dashboard showing real-time performance metrics for all VMs. Which TWO Azure services should you include in the solution? (Choose two.)
154Your organization is designing a governance solution for multiple Azure subscriptions. You need to enforce that all resources are created in specific Azure regions (East US and West Europe only). Additionally, any resource group must have a cost center tag. Which THREE Azure components should you use? (Choose three.)
155Your company uses Microsoft Entra ID for identity management. You need to implement a solution that automatically blocks sign-ins from risky users and requires multi-factor authentication (MFA) when a sign-in risk is detected. Which TWO services should you use? (Choose two.)
156Refer to the exhibit. You are an Azure administrator reviewing a custom Azure Policy definition. What does this policy do?
157Refer to the exhibit. You are deploying a Log Analytics workspace using an ARM template with the parameters shown. Your compliance team requires that all log data be retained for at least 2 years. Which parameter value should you modify?
158Refer to the exhibit. You are deploying an ARM template that assigns a policy to audit virtual machines not using managed disks. After deployment, you need to verify that the policy assignment is working. Which Azure CLI command should you run?
159Your company is deploying Microsoft Entra ID Governance and needs to ensure that guest users' access to internal applications expires after 90 days. Which feature should you configure?
160Your organization uses Microsoft Sentinel for security monitoring. You need to ensure that all sign-in logs from Microsoft Entra ID are ingested into a Log Analytics workspace in real time. Which diagnostic setting should you configure?
161Refer to the exhibit. You are a security administrator reviewing a custom Azure Policy assignment. The policy definition with ID 'abc123' is an initiative containing two policies: one that audits storage accounts with blob public access enabled and one that deploys a diagnostic setting for network security groups. The scope includes a production resource group. However, the compliance state shows 'Non-compliant' for several resources. What is the most likely reason for the non-compliance?
162Your company is implementing a monitoring solution for Azure virtual machines. You need to collect performance counters and log events from the VMs and send them to a centralized Log Analytics workspace. Which agent should you install on the VMs?
163Your organization uses Azure Policy to enforce tagging standards. You need to ensure that any resource created without the required 'CostCenter' tag is automatically remediated by adding the tag with a default value. Which policy effect should you use?
164Refer to the exhibit. A user reports they cannot access a secret in the vault 'vault-prod'. The user has a Contributor role at the subscription scope and a Key Vault Secrets User role at the specific vault scope. What is the most likely reason for the failure?
165Your company uses Azure Resource Manager templates for infrastructure deployment. You need to ensure that all deployments are validated against organizational policies before resources are provisioned. Which Azure service should you use?
166Your organization is implementing a hybrid identity solution with Microsoft Entra ID. Users in an on-premises Active Directory domain need to access cloud applications. You need to ensure that password changes on-premises are synchronized to Entra ID within 30 seconds. Which configuration should you use?
167Refer to the exhibit. You are reviewing an ARM template for deploying a storage account. The template is missing the storage account name parameter definition. What will happen when you attempt to deploy this template?
168Your organization uses Azure Monitor to collect metrics from Azure resources. You need to create a custom metric alert that triggers when the average CPU usage of a specific virtual machine exceeds 80% for 10 minutes. Which TWO components are required? (Choose two.)
169Your company is designing a governance strategy for Azure. You need to ensure that all resource groups in a subscription are created with a specific naming convention and mandatory tags. Which THREE services or features should you use together? (Choose three.)
170Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to collect logs from on-premises firewalls and send them to Sentinel. Which TWO connectors can you use? (Choose two.)
171Your company uses Microsoft Entra ID. You need to implement a privileged identity management (PIM) strategy to secure administrative roles. Which TWO capabilities does PIM provide? (Choose two.)
172Your organization uses Azure Monitor Logs to analyze application performance. You need to create a custom log query that calculates the 95th percentile of response times for a web app over the last 24 hours. Which THREE KQL functions should you use? (Choose three.)
173Your company has multiple Azure subscriptions and needs a single pane of glass to monitor the health and performance of all resources across subscriptions. Which Azure service should you use?
174Your company is migrating on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate using their existing on-premises passwords and that password changes are synchronized immediately. The solution must minimize latency and avoid storing password hashes in the cloud. What should you implement?
175You are reviewing a Conditional Access policy for a Microsoft Entra ID tenant. The exhibit shows the policy configuration. Users report that they are prompted for MFA every hour even when using approved Microsoft applications. The security team wants to reduce MFA prompts but maintain security. What should you modify?
176Your organization uses Microsoft Azure and has a subscription with multiple resource groups. You need to ensure that only users in the Finance department can access storage accounts in the 'Finance' resource group. The solution must use role-based access control (RBAC). What should you assign?
177Your company uses Microsoft Sentinel for security monitoring. You need to design a solution that automatically responds to incidents involving high-severity alerts. The response should include creating an incident in Microsoft Teams and sending an email to the security team. What should you use?
178You are reviewing a custom RBAC role in Azure. The exhibit shows the role definition. A user with this role reports they cannot read diagnostic settings for a storage account in the Production resource group. What is the most likely cause?
179Your organization plans to use Azure Policy to enforce tagging on all resources. The tags must include 'CostCenter' and 'Environment'. Resources that do not have these tags should be automatically remediated. What should you use?
180Your company uses Microsoft Intune for device management. You need to ensure that only devices that are compliant with security policies can access corporate resources. The solution must also support legacy authentication protocols. What should you implement?
181You are troubleshooting access for a user named John Doe. The exhibit shows the output of Get-AzRoleAssignment. John reports he cannot create virtual machines in the Prod resource group. Other users with the same role can create VMs. What is the most likely cause?
182Your organization uses Microsoft Purview for data governance. You need to classify sensitive data in Azure SQL Database and automatically apply sensitivity labels. What should you configure?
183Which TWO actions should you take to implement a least-privilege identity strategy for Azure resources?
184Which THREE components are required to monitor and audit Azure resource changes using Azure Monitor?
185Which TWO Microsoft Entra ID features should you use to protect against credential attacks?
186Which THREE Azure services or features should you use to design a comprehensive monitoring solution for a hybrid infrastructure spanning on-premises and Azure?
187Which TWO Azure Policy effects can be used to prevent the creation of non-compliant resources?
188Which THREE methods can you use to authenticate users to Azure resources using Microsoft Entra ID?
189Your company is migrating on-premises applications to Azure. You need to ensure that users can sign in using their existing on-premises Active Directory credentials without duplicating accounts. Which identity solution should you recommend?
190You are designing a governance strategy for a new Azure subscription. The security team requires that all resources must have a 'CostCenter' tag and an 'Environment' tag. Which Azure policy effect should you use to automatically apply the tags to new resources?
191Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a lifecycle workflow that automatically disables user accounts when employees leave the organization, and then deletes them after 30 days. What should you use?
192You need to configure a monitoring solution for Azure virtual machines that collects performance counters, event logs, and enables alerting based on CPU usage exceeding 90%. Which Azure service should you use?
193Your company uses Microsoft Entra ID and has a custom application that requires users to have specific roles assigned. You need to ensure that role assignments are reviewed quarterly and automatically remove assignments that are not approved. Which feature should you use?
194Refer to the exhibit. You assign this Azure Policy to a management group. A user creates a new virtual machine without any tags. What will happen?
195You need to monitor the sign-in activities of users in Microsoft Entra ID and detect risky sign-ins, such as those from anonymous IP addresses. Which service should you use?
196Your company has multiple Azure subscriptions. You need to create a single query that aggregates resource utilization metrics across all subscriptions and visualizes them in a dashboard. Which combination of Azure services should you use?
197Your organization uses Microsoft Entra ID and requires that all external users invited via B2B collaboration must authenticate using multi-factor authentication (MFA). You need to enforce this for all guest users. What should you configure?
198Which TWO actions should you take to ensure that only authorized users can access sensitive data stored in Azure Blob Storage? (Choose two.)
199Which THREE conditions should be met to implement a successful Azure landing zone for a new enterprise subscription? (Choose three.)
200Which TWO features of Microsoft Entra ID help protect against credential compromise? (Choose two.)
201Refer to the exhibit. You run this PowerShell script in an Azure subscription. The script executes successfully. What is the outcome?
202Refer to the exhibit. You deploy this ARM template to create an Azure Monitor Workbook. The template deploys successfully. What will the workbook display?
203Refer to the exhibit. You assign this Azure Policy to a resource group. A user attempts to create a new Azure SQL Server without specifying an administrator login. What will happen?
204Your company has a Microsoft Entra ID tenant with 50,000 users. You need to design a solution to ensure that users can reset their own passwords without help desk intervention, while preventing password reuse for the last 10 passwords. Which feature should you enable?
205You are designing a monitoring solution for a critical application hosted on Azure Virtual Machines. The application experiences intermittent high CPU usage that lasts for 10 minutes. You need to be notified within 5 minutes of the start of each occurrence. The solution must minimize false alerts. What should you use?
206Your company uses Microsoft Entra ID for identity management. You need to ensure that only devices compliant with your company's security policies can access corporate resources. Which solution should you implement?
207You are designing a governance strategy for an Azure environment that includes multiple subscriptions. The security team requires that all storage accounts must have HTTPS traffic only. Any non-compliant storage account must be automatically remediated. What is the most efficient solution?
208Your organization uses Microsoft Entra ID and Azure Key Vault. You need to ensure that a custom application can securely access secrets in Key Vault without storing credentials in code. The application runs on an Azure Virtual Machine. What should you use?
209Refer to the exhibit. You are reviewing an Azure Resource Manager deployment configuration. The deployment is failing with a conflict error. What is the most likely cause?
210Your company uses Microsoft Sentinel for security monitoring. You need to design a solution to analyze sign-in logs and detect patterns of anomalous access from different geographical locations within a short time frame. Which feature should you use?
211Your organization plans to deploy Microsoft Entra ID Governance. You need to ensure that access to critical applications is reviewed quarterly by the application owners. Which Microsoft Entra ID feature should you use?
212You are designing a monitoring solution for an Azure function app that processes messages from Azure Service Bus. The function app is critical and must be highly available. You need to monitor for poison messages and trigger an alert when the dead-letter queue count exceeds 100. What should you use?
213Which TWO actions should you take to implement a least-privilege identity strategy for Azure resources?
214Which THREE Azure Monitor capabilities can be used to detect and diagnose performance issues in a multi-tier application?
215Which TWO features of Microsoft Entra ID can be used to secure hybrid identities?
216Refer to the exhibit. You are reviewing the output of an Azure Key Vault secret listing command. The application team reports that a secret is not accessible. What is the most likely reason?
217Refer to the exhibit. You are reviewing an Azure Policy definition. Which virtual machines will be denied?
218Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. The query returns no results. Which is the most likely cause?
219You are designing a governance solution for a Microsoft Azure environment that contains multiple subscriptions. You need to ensure that all resources are compliant with corporate security policies. The solution must automatically remediate non-compliant resources. What should you include in the design?
220Refer to the exhibit. You are implementing an Azure Policy to control VM SKU deployment. You assign this policy to a subscription. A developer attempts to deploy a virtual machine with SKU Standard_DS2_v2. What is the outcome?
221Your company requires that all administrative actions in Azure subscriptions be logged and retained for seven years. Which service should you use to collect and store these logs?
222You are designing a monitoring solution for a critical application running on Azure virtual machines. The application must maintain an SLA of 99.99% uptime. You need to be notified within five minutes if any VM becomes unavailable. What should you configure?
223You are designing an identity solution for a multinational company that uses Microsoft Entra ID. The company has a requirement that all users must authenticate using biometrics or FIDO2 security keys. Which Entra ID feature should you configure?
224Which TWO actions can be performed using Microsoft Entra ID Governance? (Choose two.)
225Which THREE components are required to implement a complete monitoring solution with Azure Monitor? (Choose three.)
226Which TWO Microsoft Entra ID editions include Conditional Access? (Choose two.)
227Which THREE Azure services can be used to monitor the performance of a web application? (Choose three.)
228Which TWO features are part of Microsoft Entra ID Governance? (Choose two.)
229Which THREE are valid Azure RBAC role types? (Choose three.)
230Your organization uses Microsoft Sentinel for security monitoring. You need to create a rule that triggers an incident when a user from a specific IP address performs more than 10 failed sign-ins within an hour. Which rule type should you use?
231You are designing a monitoring solution for a hybrid environment with on-premises servers and Azure VMs. You need to collect performance data from all servers and visualize it in a single dashboard. Which Azure service should you use?
232You are a solutions architect for a financial services company. The company uses Microsoft Entra ID and has the following requirements: 1. All Azure administrators must use Privileged Identity Management (PIM) to activate their roles for a maximum of 4 hours. 2. Activation must require Azure Multi-Factor Authentication (MFA) and a ticket number. 3. Approvers must be notified via email when a role is activated. 4. All activation requests must be audited. You configure PIM for Entra ID roles. Which additional configuration is needed to meet all requirements?
233Your organization has multiple Azure subscriptions managed through Azure Management Groups. You need to enforce a policy that requires all resources to have a 'CostCenter' tag. If a resource is created without the tag, the deployment should be denied. Additionally, you need to ensure that existing non-compliant resources are automatically remediated. Which combination of actions should you take?
234Your company is migrating on-premises applications to Azure. The identity team wants to synchronize on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID. You need to recommend a solution that ensures users can authenticate with their corporate credentials and that password changes are synchronized immediately. What should you recommend?
235A company uses Azure Policy to enforce tagging on resources. The security team reports that some resources are missing the required 'CostCenter' tag. You need to ensure that any resource created without the required tag is automatically remediated by adding the tag with a default value. What should you configure in Azure Policy?
236You are tasked with ensuring that all VMs in the subscription have Azure Hybrid Benefit enabled for Windows Server. You create the Azure Policy shown in the exhibit. However, after assignment, the compliance report shows that some D-series VMs are still non-compliant. What is the most likely cause?
237Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that all Azure subscriptions are covered by a single continuous export configuration that sends security alerts to a Log Analytics workspace. What should you do?
238Your company is designing a monitoring solution for a critical line-of-business application running on multiple Azure VMs. The application emits custom performance counters. You need to ingest these counters into Azure Monitor Metrics and create a metric alert when the average value exceeds a threshold over 5 minutes. The solution must minimize latency between counter emission and alert firing. What should you use?
239You need to provide a team of developers with access to create and manage Azure resources in a specific resource group. The developers should not be able to modify access policies for other users. Which built-in role should you assign?
240Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to ensure that an alert is generated when an Azure VM is created with an open inbound SSH port (22) from the internet. The solution should use existing Azure resources and minimize administrative overhead. What should you use?
241. You are investigating a security incident where an unauthorized user may have modified a production VM. You run the KQL query shown in the exhibit in Microsoft Sentinel, but it returns no results. The VMs are present and have been modified recently. What is the most likely reason for no results?
242. Your company uses Azure Policy to enforce compliance. You need to ensure that all storage accounts use HTTPS only. The policy should automatically remediate non-compliant storage accounts by enabling HTTPS-only. What policy effect should you use?
243. Your company is planning to use Azure Monitor Workbooks to create custom dashboards for IT operations. You need to select the data sources that can be used in a workbook. Which TWO data sources are supported? (Choose two.)
244. Your organization has multiple Azure subscriptions and uses Azure Blueprints to enforce governance. You need to design a blueprint that includes role assignments, policy assignments, and resource groups. Which THREE components can be included in an Azure Blueprint? (Choose three.)
245. Your company uses Microsoft Entra ID. You need to implement a governance strategy for guest users. Which TWO actions should you take? (Choose two.)
246. You are a cloud architect for a multinational corporation. The company has a single Azure tenant with a management group hierarchy: Root MG -> Corp MG -> (Finance, HR, IT, Marketing) child management groups. Each child management group contains multiple subscriptions. The IT governance team wants to enforce a policy that all Azure resources must have a 'CostCenter' tag. However, the Finance department has legacy resources that cannot be modified and must be exempt from this policy. You need to design a solution that meets the following requirements: (1) The policy should be applied to all subscriptions in the Corp MG except those in the Finance MG. (2) The policy should audit non-compliant resources but not deny them. (3) The solution must use Azure Policy and minimize administrative overhead. What should you do?
247. Your organization uses Azure Monitor to monitor a fleet of 500 VMs running Windows Server. You need to collect security event logs (Event ID 4625 for failed logons) from all VMs and send them to a Log Analytics workspace. The solution must support centralized configuration and be scalable. You also want to filter out high-volume noise events to reduce costs. What should you do?
248. Your company is implementing a new Azure subscription for a project that requires strict separation of duties. The security team requires that all resource creation must be approved by a central IT team. Additionally, any resource that does not comply with company tagging standards should be automatically reported. You need to design a solution that meets these requirements using Azure Policy and Azure Role-Based Access Control (RBAC). What should you do?
249. Your company plans to deploy a new application to Azure. The application will be used by external partners. You need to design an identity solution that allows partners to authenticate using their own corporate credentials while ensuring that the application can enforce conditional access policies based on partner device compliance. What should you include in the design?
250. Refer to the exhibit. You are an Azure administrator for a company that enforces a policy that no virtual networks or network security groups can be created. However, a developer reports that they successfully created a virtual network. What is the most likely reason the policy did not block the creation?
251. Your company uses Microsoft Entra ID for identity management. You need to design a monitoring solution for sign-in logs to detect suspicious activity. Which TWO Azure services should you include in the design?
252. Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to design a solution to monitor changes to privileged groups in both directories and ensure that any unauthorized changes trigger an automated response. Which THREE services should you include in the design?
253. You are designing a governance strategy for Azure resources. You need to enforce compliance with corporate standards and ensure that resource provisioning is audited. Which TWO Azure features should you include?
254. You are designing an identity lifecycle management solution for a multinational company. Employees frequently change departments, and you need to automate the assignment and removal of application access based on their current department. Which THREE Microsoft Entra features should you use?
255. Your company has a Microsoft Entra ID tenant with 10,000 users. You need to design a monitoring solution to detect when users are assigned to high-privilege roles (e.g., Global Administrator) and ensure that any such assignment triggers an automated investigation. Additionally, you need to monitor sign-in failures for guest users and automatically block accounts after 5 failed attempts within 10 minutes. You have the following requirements: 1) Use a cloud-native solution that minimizes administrative overhead. 2) Integrate with Microsoft Sentinel for incident response. 3) Use built-in features where possible. What should you do?
256. Your organization has a complex Azure environment with multiple subscriptions. You need to design a governance strategy that ensures: 1) All resources must have specific tags (CostCenter, Environment, Owner). 2) Any resource without required tags must be reported to the compliance team weekly. 3) Virtual machines must not be deployed in certain regions due to data sovereignty. 4) The solution must be automated and use native Azure services. You already have an Azure Log Analytics workspace and a central automation account. What should you include in the design?
257. You are designing identity governance for a company that uses Microsoft Entra ID. The company wants to grant external partners access to an internal application for 90 days. After 90 days, access must be automatically removed. Additionally, the application requires that users have multi-factor authentication (MFA) and a compliant device. You need to design a solution that meets these requirements with minimal administrative effort. What should you do?
258. Your company operates in a highly regulated industry and must retain all sign-in logs for 7 years. The logs must be immutable and cannot be modified or deleted by administrators. You need to design a monitoring solution that stores sign-in logs in a cost-effective manner while meeting compliance requirements. The solution should also allow for real-time analysis of sign-in activity. What should you include in the design?
259. Your company plans to deploy a new SaaS application that will be used by employees and external users. The application requires single sign-on (SSO) and must support conditional access policies that enforce MFA for external users. Additionally, the application must be able to read user profile attributes from Microsoft Entra ID. You need to design an identity solution that meets these requirements. What should you include in the design?
260. Your company has a large Azure environment with thousands of resources. You need to design a solution to track resource ownership and ensure that resources are cleaned up when projects end. You want to use a tag-based approach where each resource has an 'Owner' and 'Project' tag. Additionally, you need to generate a weekly report of resources that are not tagged or have been orphaned (no recent activity). What should you include in the design?
261. Your company uses Microsoft Sentinel for security monitoring. You need to design a solution to detect when a user account is created in Microsoft Entra ID with Global Administrator privileges. When detected, an incident must be created in Sentinel and the account should be disabled temporarily until reviewed. You want to use built-in capabilities where possible. What should you do?
262. Your company has multiple Azure subscriptions managed by different teams. You need to design a governance solution that ensures: 1) All subscriptions must have a consistent set of policies (e.g., allowed locations, allowed VM SKUs). 2) Compliance reports must be generated daily for each subscription. 3) Non-compliant resources must be automatically remediated where possible (e.g., add tags). 4) The solution must use a single management group hierarchy. What should you include in the design?
263. Your company uses Microsoft Entra ID and has recently deployed Microsoft Sentinel. You need to design a monitoring solution to detect brute-force attacks against user accounts. The solution should use built-in analytics rules where possible and must trigger an automated response to temporarily disable the affected account. What should you include in the design?
264. You are designing a monitoring solution for a multi-region application deployed on Azure Virtual Machines and Azure SQL Database. The solution must provide a unified view of metrics and logs from all resources, detect anomalies using machine learning, and send alerts to the operations team. Which TWO capabilities should you include in the design?
265. Your company has a hybrid identity environment with 10,000 on-premises users synchronized to Microsoft Entra ID using Microsoft Entra Connect. You plan to implement a modern access control strategy for all cloud applications. The requirements are: enforce multifactor authentication (MFA) for all users when accessing sensitive applications, allow users to self-remediate risky sign-ins via a mobile app, and minimize infrastructure complexity. You need to design the identity and governance solution. What should you do?
266. Your organization has 500 users in Microsoft Entra ID. You need to ensure that users can only access Microsoft 365 apps from compliant devices (compliant with Intune policies). Users are already enrolled in Intune. The compliance policies are defined. You need to configure the access control mechanism. What should you do?
267. Your company runs a mission-critical application on Azure Virtual Machines in a single region. You need to design a monitoring solution that provides proactive alerts for performance degradation and allows the operations team to analyze historical trends. The solution must minimize cost and operational overhead. You have an existing Log Analytics workspace. What should you include in the design?
268. Your organization is deploying a critical application in Azure that must maintain an uptime SLA of 99.99%. The application runs on Azure Virtual Machines in a single region. You need to design a monitoring solution that alerts the operations team within 5 minutes of any VM unavailability. The solution must minimize false positives and avoid alert fatigue. What should you include in the design?
269. Your company has a Microsoft Entra ID tenant with 10,000 users. You are designing an identity governance solution to automate user access reviews for critical applications. The compliance team requires that access reviews be conducted quarterly and that any reviewer who does not respond within 7 days have their decisions auto-approved. You need to implement the solution using Microsoft Entra ID Governance. What should you do?
270. You are designing a monitoring solution for a cloud-native application that uses Azure Functions, Azure Storage, and Azure Cosmos DB. The solution must provide centralized log collection and analysis, enable proactive alerting on application errors, and support long-term log retention for compliance (7 years). What should you include in the design?
271. You are designing an identity solution for a multinational company that has a Microsoft Entra ID tenant. The company plans to acquire a smaller company that currently uses an on-premises Active Directory (AD) forest. The acquired company's users need to access Microsoft 365 applications and Azure resources. The solution must minimize identity management overhead. Which TWO actions should you include in the design? (Choose two.)
272. You are reviewing a JSON policy for Microsoft Entra Privileged Identity Management (PIM) that governs activation of a privileged role for an Azure App Service. You notice that the policy has the configuration shown in the exhibit. You need to ensure that only members of the 'group-app-admins@contoso.com' group can activate the role and that activations are limited to 8 hours with approval required. However, users report that they cannot activate the role even though they are members of the group. What is the most likely cause?
273. You are a solutions architect for a large healthcare organization that uses Microsoft 365 and Azure. The organization has a Microsoft Entra ID tenant with 15,000 users. The security team requires that all users use multi-factor authentication (MFA) when accessing cloud applications. Currently, only 60% of users have registered for MFA. The organization wants to enforce MFA registration for all users within 30 days. The solution must minimize user disruption and allow users to register their MFA methods during their normal work hours. The organization uses Microsoft Intune for mobile device management and has a conditional access policy that requires MFA for all cloud apps. You need to design a solution to enforce MFA registration. What should you do?
The Design identity, governance, and monitoring solutions domain covers the key concepts tested in this area of the AZ-305 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all AZ-305 domains — no account required.
The Courseiva AZ-305 question bank contains 273 questions in the Design identity, governance, and monitoring solutions domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Design identity, governance, and monitoring solutions domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.