Scenario-based practice

Hard Difficulty Questions

Practise Microsoft Azure Solutions Architect Expert AZ-305 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: AZ-305 | Vendor: Microsoft

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A company has multiple Azure virtual networks (VNets) in different regions and an on-premises data center connected via ExpressRoute. They need to implement a hub-and-spoke topology where a hub VNet hosts shared network virtual appliances (NVAs) for traffic inspection. All traffic between spokes and between spokes and on-premises must be routed through the hub. The company wants to minimize the administrative overhead of configuring and maintaining routing. Which Azure solution should they implement?

Question 2 (hard, multi select)

A company is designing hub-and-spoke networking. Spoke VNets must use a central Azure Firewall for outbound internet traffic. Which two configurations are required?

Question 3 (hard, multiple choice)

A company has multiple Azure subscriptions and wants to enforce that all administrators must use multi-factor authentication (MFA) when accessing the Azure portal. They also want to monitor and report on any policy changes that affect this enforcement. Which combination of Azure services should they use?

Question 4 (hard, multiple choice)

A company has multiple Azure virtual networks (VNets) spread across three Azure regions (West US, East US, and West Europe). They also have an on-premises network connected to East US via ExpressRoute. They need to connect all VNets to each other and to the on-premises network. They require centralized management of routing and the ability to enforce security policies such as forcing all internet-bound traffic from any VNet to pass through a central firewall in East US. Which Azure solution should they implement?

Question 5 (hard, multiple choice)

A company runs large-scale analytics workloads using Apache Hadoop and Spark. They need a cloud storage solution that is fully compatible with the Hadoop Distributed File System (HDFS) and provides unlimited storage with high throughput for parallel processing. They also want to take advantage of tiered storage to reduce costs for older data. Which Azure data service should they use?

Question 6 (hard, multiple choice)

A company uses Microsoft Entra ID. They need to implement a solution that automatically detects identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. They want to generate reports summarizing risk events and integrate the risk data with their existing Security Information and Event Management (SIEM) system via API. Which Microsoft Entra ID feature should they use?

Question 7 (hard, multiple choice)

A company is deploying a multi-tier web application on Azure. The web tier must be accessible from the internet. The application tier and database tier must be isolated within the virtual network and not directly accessible from the internet. The solution must provide SSL termination, URL-based routing, and Web Application Firewall (WAF) capabilities. Which Azure service should they use to expose the web tier?

Question 8 (hard, multiple choice)

A company ingests millions of IoT events per second from sensors around the world. Each event is a JSON message with timestamp, device ID, and readings. They need to support real-time analytics dashboards and also store all raw data for long-term historical analysis. They want to minimize operational overhead. Which Azure data storage solution should they recommend?

Question 9 (hard, multiple choice)

A company is building a petabyte-scale data lake for analytics. They need a storage solution that supports a hierarchical namespace, POSIX-like permissions (ACLs), and is optimized for big data analytics workloads using Apache Spark and Hive. The data must be accessible over the Azure Blob Storage API. Which Azure data service should they use?

Question 10 (hard, multiple choice)

A company runs a mission-critical SQL Server database on an Azure virtual machine using SQL Server Standard Edition. They need a disaster recovery solution that replicates the database to a secondary Azure region with a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 1 hour. The solution must support non-disruptive disaster recovery drills. The company cannot modify the SQL Server configuration or use Always On features due to licensing constraints. Which Azure service should they use?

Question 11 (hard, multiple choice)

A company runs a critical multi-tier application on Azure VMs. The application includes a database tier that requires recovery across multiple VMs at the same point in time. The company uses Azure Site Recovery (ASR) for disaster recovery to a secondary region. The recovery point objective (RPO) is 15 minutes and the recovery time objective (RTO) is 1 hour. The database VMs have a high data change rate, and the company wants to minimize replication costs. Which combination of ASR configurations should they implement?

Question 12 (hard, multiple choice)

A company runs a critical application on Azure SQL Database in the West US region. They need a disaster recovery solution with an RPO of 5 seconds and an RTO of 1 hour. They also need to be able to perform patching and maintenance on the primary without downtime. Which configuration should they implement?

Question 13 (hard, multiple choice)

A globally distributed application requires multi-region writes to a NoSQL database and must tolerate regional write outages. Which Azure service capability should be selected?

Question 14 (hard, multiple choice)

A SaaS application must allow external partner users to sign in with their own organization credentials while the company controls application access. What should be used?

Question 15 (hard, multiple choice)

A company stores terabytes of archival data that must be retained for 10 years per regulatory requirements. The data is accessed infrequently (once or twice per year) and retrieval latency of up to 5 hours is acceptable. The company wants the lowest storage cost. They also need to ensure that data is encrypted at rest and immutable, to prevent deletion or modification during the retention period. Which Azure storage solution should they choose?

Question 16 (hard, multiple choice)

You are designing an identity governance solution for a multinational company. The company uses Microsoft Entra ID and has a requirement to automatically remove user access to critical SaaS applications when the user leaves the organization or changes roles. You need to ensure that the access removal is audited and can be reversed within 30 days if needed. What should you implement?

Question 17 (hard, multiple choice)

Your organization has a hybrid identity infrastructure with Microsoft Entra ID and on-premises Active Directory. You plan to implement Microsoft Entra ID Protection to detect and respond to identity risks. You need to ensure that risky sign-ins from anonymous IP addresses are automatically blocked, while still allowing legitimate users to self-remediate. What should you configure?

Question 18 (hard, multiple choice)

Your company has multiple Azure subscriptions managed by a management group. You need to enforce that all resources are deployed in the West US region only. Additionally, you must allow a specific resource group in the production subscription to be deployed in East US. What should you configure?

Question 19 (hard, multiple choice)

Refer to the exhibit. You are analyzing a deployment of a Custom Script Extension on an Azure VM. The extension fails to run. What is the most likely cause?

Exhibit

{
  "properties": {
    "targetResourceId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/vm-prod-01",
    "configuration": {
      "protectedSettings": {
        "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File configure.ps1"
      }
    },
    "extensionType": "CustomScriptExtension",
    "publisher": "Microsoft.Compute",
    "typeHandlerVersion": "1.10"
  }
}

Question 20 (hard, multi select)

Which THREE conditions should be met to implement a successful Azure landing zone for a new enterprise subscription? (Choose three.)

These AZ-305 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style AZ-305 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.