Common Traps on Which Command Should the Administrator Use Practice Questions
- ·Separate verification commands from configuration commands.
- ·Read whether the question asks to identify, verify, fix, permit or deny.
- ·Small command keywords often change the correct answer.
Sample Questions
Practice all 15 →A company has a hub-spoke network topology in Azure. They have multiple spoke VNets connected to a hub VNet via peering. They need to ensure that all east-west traffic between spoke VNets goes through a network virtual appliance (NVA) in the hub for inspection. Additionally, all outbound internet traffic from spoke VMs must use a single public IP address. What should they configure?
Explanation: To route east-west traffic through the NVA, you need to configure user-defined routes (UDRs) in each spoke VNet that point the traffic destined for other spoke VNet address spaces to the NVA's IP address. You also must enable 'Allow forwarded traffic' on the VNet peering connection from the hub to the spokes so that the NVA can forward traffic. For outbound internet traffic, you can deploy Azure Firewall in the hub and configure a default route (0.0.0.0/0) in the spokes pointing to Azure Firewall (or the NVA if it also does NAT). Azure Firewall can provide a single public IP for all outbound traffic. Option D correctly describes these components. Option A uses NAT gateway which works for outbound but does not route east-west traffic through the NVA. Option B mentions Azure Firewall for outbound but lacks the specific route configuration for east-west. Option C assumes gateway transit, but NVA is not a VPN gateway.
A company backs up their Azure VMs using Azure Backup. They need to meet compliance that requires backups to be stored in a separate geographic region. Additionally, they want to be able to restore the entire VM to that secondary region in case of a regional disaster. What should they configure?
Explanation: Azure Backup with geo-redundant storage (GRS) for the Recovery Services vault stores backup data in a paired region. Cross-region restore (CRR) is a feature that allows restoring backups to that secondary region. Both must be enabled: GRS is required for CRR, and CRR must be explicitly enabled. Simply enabling GRS without CRR does not allow restoring to the secondary region.
A company needs to store large amounts of unstructured data (log files) for analytics. The data is accessed frequently for the first 30 days, then occasionally for the next 90 days, and rarely after that but must be retained for 7 years for compliance. The data must not be modified or deleted during the retention period, and administrative access must not be able to bypass this restriction. They want to minimize storage costs. Which combination of Azure Blob Storage features should they configure?
Explanation: To meet the requirements, you need to automatically transition blobs between access tiers based on age using a lifecycle management policy, and apply a time-based retention policy to protect blobs from deletion/modification. The time-based retention policy with the 'Locked' option prevents administrators from using elevated permissions to bypass the immutability, because once locked, the policy cannot be removed or shortened. Cool and Archive tiers minimize costs.
A company uses Microsoft Entra ID (Microsoft Entra ID). They want to automatically detect identity risks, such as users with leaked credentials or sign-ins from anonymous IP addresses, and generate alerts. They also want to automatically trigger a password reset for high-risk users. Which Microsoft Entra ID feature should they configure?
Explanation: Microsoft Entra ID Identity Protection detects risk events like leaked credentials and anonymous IP addresses. It can be configured to automatically require password reset for high-risk users. Privileged Identity Management handles administrative roles. Conditional Access enforces policies using risk signals but does not detect risks directly. Access Reviews are for certifying access.
A company uses Microsoft Entra ID. They want to integrate their security operations with a third-party SIEM tool. They need to export all Microsoft Entra ID sign-in logs and audit logs to the SIEM for analysis. The solution should be automated and near real-time. Which Azure service should they configure?
Explanation: Azure Event Hubs can ingest Microsoft Entra ID diagnostic settings (sign-in and audit logs) and stream them to a SIEM in near real-time. Logic Apps can process events but is not designed for high-throughput log streaming. Azure Monitor stores logs but requires additional configuration to export. Azure Storage is for archival, not real-time streaming.
+10 more scenario questions available
Practice all Which Command Should the Administrator Use Practice QuestionsRelated Topics
Frequently asked questions
How do "Which Command Should the Administrator Use Practice Questions" appear on the real AZ-305?
Practise command-choice questions where the task is to identify the correct verification, configuration or troubleshooting command. These appear throughout the AZ-305 and require you to apply your knowledge, not just recall facts.
How many scenario questions are on the AZ-305 exam?
Cisco doesn't publish an exact breakdown, but scenario-based questions (especially exhibit and command-output formats) make up a significant portion of the AZ-305. Practicing each scenario type ensures you're ready for any format.
Are these AZ-305 scenario practice questions free?
Yes — all scenario practice on Courseiva is completely free. Sign up for a free account to track your progress and see which scenario types you've mastered.
Ready to practice this scenario type?
Launch a full Which Command Should the Administrator Use Practice Questions session with instant scoring and detailed explanations.
Start Scenario Practice →