Reinforce AZ-305 concepts with active-recall study cards covering all 4 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For AZ-305 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the AZ-305 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your AZ-305 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real AZ-305 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass AZ-305.
Sample cards from the AZ-305 flashcard bank. Read the question, think of the answer, then read the explanation below.
A large enterprise wants to enforce zero-trust conditional access policies that use real-time user risk, sign-in risk, and device compliance. Which combination of Microsoft Entra ID features should they use?
Microsoft Entra ID Identity Protection and Conditional Access
Microsoft Entra ID Identity Protection provides real-time risk detection for users and sign-ins, while Conditional Access policies can enforce access controls based on those risk signals and device compliance. Together, they enable zero-trust conditional access by blocking or requiring MFA when user or sign-in risk is high, and ensuring only compliant devices can access resources.
A multinational company stores large amounts of unstructured data (documents, images) that must be read with low latency from multiple global regions. Data is written primarily in one region but read globally. Cost optimization is a key requirement. Which Azure storage replication option should they use?
Azure Blob Storage with read-access geo-redundant storage (RA-GRS)
B is correct because RA-GRS provides geo-redundant storage with read access to the secondary region, enabling low-latency reads from multiple global regions while maintaining cost efficiency. The data is written primarily in one region, but RA-GRS allows read requests to be served from the secondary region without additional compute costs, meeting the global read requirement.
A financial services company runs a critical SQL Server database on Azure Virtual Machines. They require a disaster recovery solution with an RPO of less than 15 seconds and an RTO of less than 1 hour. Which technology should they implement?
SQL Server Always On Availability Groups
SQL Server Always On Availability Groups provide synchronous data replication at the database level, enabling an RPO of less than 15 seconds by committing transactions on both primary and secondary replicas simultaneously. With automatic failover and a secondary replica in a different Azure region, the RTO can be under 1 hour, meeting the critical requirements for a SQL Server workload on Azure VMs.
A company is designing a hub-spoke network topology in Azure. The hub contains a third-party network virtual appliance (NVA) for inspection. Spokes need to communicate with each other, and all inter-spoke traffic must be routed through the NVA in the hub. Which configuration should they use?
Create user-defined routes (UDRs) in each spoke subnet that force traffic to go through the hub NVA
Option C is correct because user-defined routes (UDRs) allow you to explicitly override Azure's default system routes. By adding a route in each spoke subnet with the hub NVA's private IP as the next hop for inter-spoke traffic (e.g., 10.1.0.0/16 -> 10.0.0.4), all traffic between spokes is forced through the NVA for inspection. This ensures the hub-spoke topology meets the requirement without relying on Azure Firewall or Internet routing.
A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?
Use Azure Virtual WAN with a secured virtual hub.
Azure Virtual WAN with a secured virtual hub is the correct choice because it provides a managed hub-and-spoke topology with built-in routing, eliminating the need for manual user-defined routes (UDRs) and route tables. The secured virtual hub includes Azure Firewall for traffic inspection, and all inter-spoke and on-premises traffic is automatically routed through the hub via the Virtual WAN routing engine, which uses the Border Gateway Protocol (BGP) to propagate routes dynamically. This minimizes administrative overhead by centralizing routing and security management.
You are designing a monitoring solution for a critical application hosted on Azure Virtual Machines. The application experiences intermittent high CPU usage that lasts for 10 minutes. You need to be notified within 5 minutes of the start of each occurrence. The solution must minimize false alerts. What should you use?
Azure Monitor metric alert with a dynamic threshold and 5-minute frequency, alert on 2 consecutive breaches
Option C is correct because Azure Monitor metric alerts with dynamic thresholds adapt to normal CPU patterns, minimizing false alerts. The '5-minute frequency' refers to the aggregation granularity (the metric is averaged over 5-minute windows), while the evaluation frequency is every 1 minute. Requiring 2 consecutive breaches means the alert fires if two successive 1-minute data points exceed the dynamic threshold. Since the CPU spike lasts 10 minutes, the first breach occurs within 1 minute of the start, and the second breach occurs 1 minute later, triggering the alert within 2 minutes of the start. This satisfies the 5-minute notification requirement while minimizing false alerts through adaptive thresholds.
Your company runs a critical application on Azure App Service. You need to design a disaster recovery solution that ensures the application is available in another region within 5 minutes of a regional failure. The application uses Azure SQL Database as its backend. The solution must minimize data loss and cost. What should you recommend?
Deploy App Service in two regions with Azure Traffic Manager. Use Azure SQL Database failover groups with active geo-replication.
Option A is correct because it combines multi-region App Service deployment with Azure Traffic Manager for DNS-based traffic routing, enabling failover within minutes. Azure SQL Database failover groups with active geo-replication provide automatic, synchronous or asynchronous data replication to a secondary region, with an RPO of seconds and an RTO typically under 5 minutes during automatic failover. This meets the 5-minute availability target while minimizing data loss and cost through a managed, pay-per-use model.
A company has virtual machines in Azure that need to be grouped across multiple fault domains and update domains to ensure high availability. They plan to deploy three VMs running the same application tier. Which Azure feature should they use to provide redundancy within a single region?
Availability Set
An Availability Set distributes VMs across multiple fault domains (shared hardware, power, and networking) and update domains (planned maintenance) within a single Azure datacenter. This ensures that at least one VM remains available during both hardware failures and Azure patching cycles. For three VMs running the same application tier, an Availability Set provides the required redundancy without the complexity of zone-level isolation.
A company plans to migrate on-premises applications to Azure. They require users to authenticate using their existing on-premises Active Directory credentials without syncing password hashes to the cloud. Which Microsoft Entra ID authentication method should they use?
Microsoft Entra ID Pass-through Authentication
Pass-through Authentication (PTA) validates user passwords directly against on-premises Active Directory without storing password hashes in the cloud. A lightweight agent on-premises forwards authentication requests to the local domain controller, meeting the requirement to avoid password hash synchronization.
A multinational corporation is designing a hub-spoke network topology in Azure to connect multiple on-premises sites and Azure regions. The hub contains Azure Firewall and Azure Bastion. Spokes are in different regions and need to communicate with each other through the hub. The solution must minimize latency and cost. What should you configure?
Use VNet peering to hub and UDRs to force traffic through Azure Firewall
Option C is correct because VNet peering to the hub combined with user-defined routes (UDRs) that force spoke-to-spoke traffic through Azure Firewall allows traffic inspection while minimizing cost and latency by keeping traffic within Azure's backbone. Option A is incorrect because ExpressRoute Global Reach connects on-premises sites directly, bypassing the hub firewall and not addressing spoke-to-spoke communication. Option B is incorrect because Azure Virtual WAN with secured hub introduces additional complexity and cost, and is not necessary for this scenario. Option D is incorrect because direct VNet peering between spokes bypasses the hub firewall, violating security requirements.
A company has multiple Azure subscriptions and wants to enforce that all administrators must use multi-factor authentication (MFA) when accessing the Azure portal. They also want to monitor and report on any policy changes that affect this enforcement. Which combination of Azure services should they use?
Microsoft Entra ID Conditional Access policy to require MFA for Azure management and Azure Monitor with Log Analytics for monitoring.
Option B is correct because Microsoft Entra ID Conditional Access policies can enforce MFA specifically for Azure management (including the Azure portal), and Azure Monitor with Log Analytics provides the monitoring and reporting of policy changes via the Azure Activity Log. This combination directly addresses both requirements: enforcing MFA for administrators and auditing changes to the Conditional Access policy itself.
A company has two on-premises data centers and an Azure subscription. They need to connect each data center to Azure with a private, high-bandwidth, and reliable connection. They also want a low-cost backup connection for each data center in case the primary connection fails. Which combination of connectivity options should they recommend?
A
Azure ExpressRoute provides a private, high-bandwidth, and reliable connection from on-premises data centers to Azure, bypassing the public internet. To meet the low-cost backup requirement, Azure VPN Gateway (Site-to-Site VPN) offers a secure, encrypted connection over the internet as a failover path, which is significantly cheaper than a second ExpressRoute circuit. This combination ensures primary connectivity via ExpressRoute and cost-effective redundancy via VPN.
A company has multiple Azure virtual networks (VNets) spread across three Azure regions (West US, East US, and West Europe). They also have an on-premises network connected to East US via ExpressRoute. They need to connect all VNets to each other and to the on-premises network. They require centralized management of routing and the ability to enforce security policies such as forcing all internet-bound traffic from any VNet to pass through a central firewall in East US. Which Azure solution should they implement?
Azure Virtual WAN with a secured hub in East US.
Azure Virtual WAN with a secured hub in East US provides a centralized hub-and-spoke architecture that connects all VNets and the on-premises network via ExpressRoute. The secured hub includes Azure Firewall, enabling forced tunneling of all internet-bound traffic from any VNet through the central firewall in East US, while Virtual WAN automatically manages routing between all spokes and the on-premises network.
A company runs a critical application on an Azure virtual machine in the West US region. They want to enable disaster recovery to East US with the ability to perform non-disruptive DR drills. They need an RPO of a few minutes. Which Azure service should they use?
Azure Site Recovery
Azure Site Recovery (ASR) is the correct service because it provides continuous replication of Azure VMs from a primary region (West US) to a secondary region (East US) with a Recovery Point Objective (RPO) of a few minutes. It also supports non-disruptive disaster recovery drills by allowing you to perform test failovers in an isolated network without impacting the production workload.
A company is building a new application that requires a fully managed relational database. The application has varying workloads across different databases. The company wants to pool resources to optimize cost and allow each database to scale as needed. They also need automated backups with point-in-time restore and geo-replication for disaster recovery. Which Azure data service should they use?
Azure SQL Database
Azure SQL Database is a fully managed relational database service that supports elastic pools, which allow you to pool resources across multiple databases to optimize cost and enable each database to scale independently based on demand. It also provides automated backups with point-in-time restore (PITR) and active geo-replication for disaster recovery, meeting all the stated requirements.
A company has multiple virtual networks in different Azure regions. They need to connect all VNets together securely over the Microsoft backbone. They also need to connect to an on-premises data center via ExpressRoute. The solution should support transitive routing between all connected networks. Which Azure service should they use?
Azure Virtual WAN
Azure Virtual WAN is the correct choice because it provides a hub-and-spoke architecture that supports transitive routing between all connected networks (multiple VNets across regions and on-premises via ExpressRoute) over the Microsoft backbone. It natively integrates ExpressRoute and VPN gateways into a single managed service, enabling seamless connectivity and routing between any spoke VNet, branch, or on-premises site without requiring manual peering or gateway transit configuration.
A company plans to deploy a web application on Azure virtual machines. They want to protect against a datacenter failure within a region. The VMs must be distributed across multiple physically separate locations with independent power, cooling, and networking. Which deployment option should they use?
Availability Zones
Availability Zones are physically separate datacenters within an Azure region, each with independent power, cooling, and networking. By deploying VMs across multiple zones, the application is protected against a single datacenter failure, meeting the requirement for fault isolation at the datacenter level.
A company wants to cache frequently accessed session state and product data for their e-commerce website. They need the cache to be highly available with a 99.9% SLA and provide fast read and write access. The solution must be fully managed. Which Azure Cache tier should they choose?
Azure Redis Cache Standard tier
The Standard tier of Azure Redis Cache provides a 99.9% SLA through built-in replication with two nodes (primary and replica) in the same region, ensuring high availability. It is fully managed, supports fast read/write access for session state and product data, and meets the requirement without the additional cost or complexity of the Premium tier.
A company wants to deploy a web application on Azure virtual machines (VMs). The application experiences variable traffic patterns, so the company needs to automatically add or remove VM instances based on CPU utilization. They also want the application to remain highly available even if an Azure datacenter fails. Which combination of Azure services should they use?
Virtual Machine Scale Sets configured with autoscale rules based on CPU and distributed across availability zones
Virtual Machine Scale Sets (VMSS) with autoscale rules based on CPU utilization automatically add or remove VM instances to match variable traffic patterns. Distributing the VMSS across availability zones ensures the application remains highly available even if an entire Azure datacenter fails, because availability zones are physically separate datacenters within a region.
A company wants to run a containerized application on Azure without managing virtual machines. They need automatic scaling, load balancing, and rolling updates. Which Azure compute service should they choose?
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS) is the correct choice because it provides a fully managed Kubernetes orchestration platform that handles containerized applications with automatic scaling (via Horizontal Pod Autoscaler), built-in load balancing (via Azure Load Balancer integration), and rolling updates (via Kubernetes deployment strategies). This meets the requirement of running containers without managing VMs, as AKS abstracts the underlying node management.
A company uses Microsoft Entra ID. They want to integrate their security operations with a third-party SIEM tool. They need to export all Microsoft Entra ID sign-in logs and audit logs to the SIEM for analysis. The solution should be automated and near real-time. Which Azure service should they configure?
Azure Event Hubs
Azure Event Hubs is the correct service because it provides a high-throughput, low-latency data ingestion platform that can receive streaming diagnostic data from Microsoft Entra ID. By configuring diagnostic settings in Entra ID to stream sign-in and audit logs to an Event Hubs namespace, you enable near real-time export to a third-party SIEM tool via the Event Hubs-compatible endpoint, typically using the AMQP or HTTPS protocol.
Refer to the exhibit. You are assigned an Azure policy that restricts resource group locations to eastus, westus, and centralus. A user attempts to create a resource group in 'eastus2' and receives a denial. The user argues that there are existing resources in 'eastus2' and that the policy should allow it. What is the best course of action to allow the resource group creation while maintaining compliance?
Instruct the user to create the resource group in an allowed location and then deploy resources to 'eastus2'
Option A is correct because Azure Policy evaluates resource group location at creation time, not the location of individual resources within it. A resource group is a logical container that can hold resources in any region, regardless of the resource group's own location. By creating the resource group in an allowed location (eastus, westus, or centralus), the user satisfies the policy constraint while still being able to deploy resources to 'eastus2' within that resource group.
The AZ-305 flashcard bank covers all 4 official blueprint domains published by Microsoft. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Design identity, governance, and monitoring solutions
Design data storage solutions
Design business continuity solutions
Design infrastructure solutions
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that AZ-305 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.AZ-305 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective AZ-305 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free AZ-305 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 999+ original AZ-305 flashcards across all 4 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Microsoft exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official AZ-305 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included