AZ-305 · topic practice

IAM Policy practice questions

Practise IAM Policy questions for the Microsoft Azure Solutions Architect Expert (AZ-305) exam: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: IAM Policy

What the exam tests

What to know about IAM Policy

IAM Policy questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common IAM Policy exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

IAM Policy questions

20 questions · select your answer, then reveal the explanation

Question 1 · hard · multiple choice

A company has multiple Azure subscriptions and wants to enforce that all administrators must use multi-factor authentication (MFA) when accessing the Azure portal. They also want to monitor and report on any policy changes that affect this enforcement. Which combination of Azure services should they use?

Question 2 · easy · multiple choice

A company needs to store and retrieve large binary files (e.g., images and videos) for a web application. The data must be accessible via HTTPS URLs and support both public read access for anonymous users and private access for administrators. The solution must be highly durable and cost-effective for storing terabytes of data. Which Azure storage solution should they recommend?

Question 3 · medium · multiple choice

A company must prevent non-compliant devices from accessing Exchange Online and SharePoint Online. Which design should you recommend?

Question 4 · medium · multiple choice

A company is migrating on-premises Windows applications that require LDAP, NTLM, or Kerberos authentication to Azure VMs. They want to provide domain services for these applications without deploying and managing domain controllers. Which Azure service should they use?

Question 5 · easy · multiple choice

A company uses Microsoft Entra ID. They need to ensure that users who access sensitive cloud applications from untrusted networks (e.g., public Wi-Fi) are prompted for multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure?

Question 6 · easy · multiple choice

A company uses Microsoft Entra ID. They want to automatically detect sign-ins from anonymous IP addresses, sign-ins from unfamiliar locations, and other risky activities. When such a risk is detected, they want to block the sign-in or require multi-factor authentication. They also need a dashboard to review risk events. Which Microsoft Entra ID feature should they use?

Question 7 · easy · multiple choice

A company wants to back up their Azure VMs (running Windows and Linux) to a Recovery Services vault. The backup data must be encrypted at rest using customer-managed keys. They also need to retain monthly backups for 5 years for compliance. Which configuration should they use?

Question 8 · hard · multiple choice

A company stores terabytes of archival data that must be retained for 10 years per regulatory requirements. The data is accessed infrequently (once or twice per year) and retrieval latency of up to 5 hours is acceptable. The company wants the lowest storage cost. They also need to ensure that the data is encrypted at rest and is immutable, to prevent deletion or modification during the retention period. Which Azure storage solution should they choose?

Question 9 · medium · multiple choice

Refer to the exhibit. You create this Azure Policy definition in a management group that contains all subscriptions. After assigning the policy, you notice that no audit events are generated when a new custom RBAC role is created. What is the most likely reason?

Exhibit

{
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "displayName": "Audit usage of custom RBAC roles",
    "policyType": "Custom",
    "mode": "All",
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Authorization/roleDefinitions"
      },
      "then": {
        "effect": "Audit",
        "details": {
          "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/*"]
        }
      }
    }
  }
}

Question 10 · hard · multiple choice

Your organization has a hybrid identity infrastructure with Microsoft Entra ID and on-premises Active Directory. You plan to implement Microsoft Entra ID Protection to detect and respond to identity risks. You need to ensure that risky sign-ins from anonymous IP addresses are automatically blocked, while still allowing legitimate users to self-remediate. What should you configure?

Question 11 · easy · multiple choice

A company uses Microsoft Entra ID for identity management. They want to ensure that users accessing sensitive data from unmanaged devices are prompted for multifactor authentication (MFA) and must accept the terms of use. Which policy should be configured?

Question 12 · hard · multiple choice

Your company has multiple Azure subscriptions managed by a management group. You need to enforce that all resources are deployed in the West US region only. Additionally, you must allow a specific resource group in the production subscription to be deployed in East US. What should you configure?

Question 13 · medium · multiple choice

Your organization uses Azure Monitor to monitor a fleet of 500 VMs running Windows Server. You need to collect security event logs (Event ID 4625 for failed logons) from all VMs and send them to a Log Analytics workspace. The solution must support centralized configuration and be scalable. You also want to filter out high-volume noise events to reduce costs. What should you do?

Question 14 · hard · multi select

Which THREE conditions should be met to implement a successful Azure landing zone for a new enterprise subscription? (Choose three.)

Question 15 · medium · multiple choice

Your organization has multiple Azure subscriptions. You need to create a central view of policy compliance across all subscriptions. What should you use?

Question 16 · hard · multiple choice

You are designing a governance strategy for an Azure environment that includes multiple subscriptions. The security team requires that all storage accounts must have HTTPS traffic only. Any non-compliant storage account must be automatically remediated. What is the most efficient solution?

Question 17 · hard · multiple choice

Your Azure environment includes multiple subscriptions that are managed by different teams. You need to ensure that all resources are compliant with your company's security policies, and any non-compliant resources must be automatically remediated or reported. Which solution should you implement?

Question 18 · hard · multiple choice

Refer to the exhibit. You are implementing an Azure Policy to control VM SKU deployment. You assign this policy to a subscription. A developer attempts to deploy a virtual machine with SKU Standard_DS2_v2. What is the outcome?

Exhibit

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "notEquals": "Standard_D2s_v3"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

Question 19 · medium · multiple choice

Your organization uses Azure Policy to enforce tagging standards. You need to ensure that any resource created without the required 'CostCenter' tag is automatically remediated by adding the tag with a default value. Which policy effect should you use?

Question 20 · hard · multiple choice

You are designing a governance strategy for a multi-subscription Azure environment. Your compliance team requires that any resource group created in the production subscription must have a specific naming convention: it must start with 'prod-' and be followed by a three-letter department code and a two-digit number. Any resource group not following this convention should be automatically prevented from creation. Which Azure policy definition should you use?

Frequently asked questions

What does the AZ-305 exam test about IAM Policy?
IAM Policy questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just IAM Policy questions in a focused session?
Yes — the session launcher on this page draws every question from the IAM Policy domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-305 topics?
Use the topic links above to move to related areas, or go back to the AZ-305 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-305 exam covers. They are not copied from any real exam or dump site.