AZ-305 Questions 11-20: Identity Governance Monitoring

With Microsoft rolling out passkey registration campaigns across Entra ID tenants this month, identity governance is more relevant than ever for Azure architects. This is the second set (Questions 11–20) in our AZ-305 practice series, targeting Domain 1: Design identity, governance, and monitoring solutions. Sharpen your skills on Conditional Access, managed identities, Azure Policy, and monitoring architectures.

Question 11: Hybrid Identity Synchronization

A financial services company operates Active Directory on-premises with 12,000 user accounts. They plan to migrate workloads to Azure over the next 18 months. Users need single sign-on (SSO) to both on-premises and cloud applications during the transition. The security team requires that password hashes never leave the on-premises environment.

A) Deploy Microsoft Entra Connect with password hash synchronization (PHS)

B) Deploy Microsoft Entra Connect with pass-through authentication (PTA)

C) Deploy Active Directory Federation Services (AD FS) with Microsoft Entra Connect

D) Use Microsoft Entra cloud-only accounts and manually sync attributes

Correct Answer: B

Explanation: Pass-through authentication validates user credentials directly against on-premises Active Directory without storing password hashes in the cloud. This satisfies the security requirement. Option A (PHS) synchronizes password hashes to Microsoft Entra ID, which violates the stated requirement. Option C (AD FS) would also work but introduces unnecessary infrastructure complexity with federation servers. Option D provides no SSO experience and creates a management burden with manual syncing.

Question 12: Conditional Access for Zero Trust

A healthcare organization is adopting a Zero Trust security model. They want to enforce multi-factor authentication for all users accessing the Azure portal and require compliant devices for accessing patient record applications. Administrators accessing privileged roles should always authenticate with phishing-resistant methods. Which combination of Conditional Access policies should the architect recommend?

A) One policy requiring MFA for all cloud apps, applied to all users

B) Separate policies: one requiring MFA for Azure management, one requiring device compliance for the patient records app, and one requiring authentication strength of phishing-resistant MFA for administrator roles

C) A single policy requiring phishing-resistant MFA and device compliance for all users on all apps

D) Enable security defaults in Microsoft Entra ID and configure per-user MFA for administrators

Correct Answer: B

Explanation: Zero Trust architecture calls for granular, context-aware policies. Separate Conditional Access policies allow each requirement to target the correct scope — MFA for Azure management, device compliance for sensitive health apps, and authentication strength for privileged roles. Option A applies a blanket MFA requirement without addressing device compliance or phishing-resistant authentication for admins. Option C is overly restrictive and would block legitimate users on non-compliant devices from non-sensitive apps. Option D uses legacy per-user MFA, which cannot be combined with security defaults and lacks the granularity of Conditional Access.
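The three policies from the correct answer, written out as Microsoft Graph PowerShell calls. This is an added example, not code from the original page or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module, a placeholder application id for the patient records app, a placeholder break-glass account, and the fixed ids Microsoft publishes for the "Microsoft Azure Management" app, the built-in "Phishing-resistant MFA" authentication strength and the Global Administrator and Privileged Role Administrator role templates (confirm them in your tenant before relying on the script).

```powershell
# Added example (not from the original page): the three Conditional Access policies
# behind the correct answer to Question 12, created with Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholders for this tenant (assumptions).
$patientRecordsAppId = '00000000-0000-0000-0000-00000000beef'   # patient records app (placeholder)
$breakGlassUserId    = '00000000-0000-0000-0000-00000000cafe'   # emergency access account (placeholder)

# Fixed ids: "Microsoft Azure Management" (portal, CLI, PowerShell, ARM), the built-in
# "Phishing-resistant MFA" strength, Global Administrator and Privileged Role Administrator.
$azureManagementAppId      = '797f4846-ba00-4fd7-ba43-dac1f8f63013'
$phishingResistantStrength = '00000000-0000-0000-0000-000000000004'
$privilegedRoleTemplateIds = @('62e90394-69f5-4237-9190-012177145e10',
                               'e8611ab8-c189-46e8-94e1-60213ab1f814')

# Create everything in report-only mode first; the sign-in log then shows what each
# policy would have done before anyone is actually blocked.
$reportOnly = 'enabledForReportingButNotEnforced'

# Policy 1: MFA for every user touching the Azure management plane.
$mfaForAzureManagement = @{
    displayName   = 'CA01 - Require MFA for Azure management'
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
        applications = @{ includeApplications = @($azureManagementAppId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: compliant device required, but only for the patient records application,
# so users on unmanaged devices keep working in non-sensitive apps.
$compliantDeviceForPatientRecords = @{
    displayName   = 'CA02 - Require compliant device for patient records'
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
        applications = @{ includeApplications = @($patientRecordsAppId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

# Policy 3: phishing-resistant authentication strength for privileged directory roles,
# on every cloud app, so an admin session never rests on a phishable factor.
$phishingResistantForAdmins = @{
    displayName   = 'CA03 - Phishing-resistant MFA for privileged roles'
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeRoles = $privilegedRoleTemplateIds; excludeUsers = @($breakGlassUserId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantStrength }
    }
}

foreach ($policy in @($mfaForAzureManagement, $compliantDeviceForPatientRecords, $phishingResistantForAdmins)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Each policy targets exactly one requirement and one scope, which is what makes option B the Zero Trust answer: the blast radius of a misconfigured policy is one app or one role set, not the whole tenant. Switch `state` to `enabled` per policy once the report-only results look right.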

Question 13: Managed Identity Selection

A development team deploys an Azure Function that reads secrets from Azure Key Vault and writes data to Azure SQL Database. The same function code is deployed across three environments: development, staging, and production. Each environment connects to its own Key Vault and SQL database. The team wants to minimize credential management overhead.

A) Create a single user-assigned managed identity and assign it to all three Function App instances

B) Use system-assigned managed identities on each Function App instance

C) Store service principal credentials in each environment’s Key Vault

D) Create one user-assigned managed identity per environment and assign each to its respective Function App

Correct Answer: D

Explanation: A user-assigned managed identity per environment allows fine-grained role assignments — each identity gets access only to its own Key Vault and SQL database, maintaining environment isolation. Option A shares a single identity across all environments, which means production secrets would be accessible from the development environment. Option B would work but ties the identity lifecycle to the Function App; redeploying the app deletes and recreates the identity, requiring you to reassign all role assignments. Option C introduces credential management overhead, which managed identities are designed to eliminate.

Question 14: Azure Policy for Governance at Scale

A large enterprise has 40 Azure subscriptions organized under four management groups by business unit. The compliance team requires that all storage accounts across the organization use private endpoints and disable public network access. Some legacy workloads in one subscription need a temporary exemption. What should the architect recommend?

A) Assign an Azure Policy with the Deny effect at the root management group, and create a policy exemption for the legacy subscription

B) Assign an Azure Policy with the Audit effect at each subscription level

C) Use Azure Blueprints to deploy a custom role that prevents users from enabling public access

D) Assign an Azure Policy with the Deny effect at the root management group with no exemptions, and migrate legacy workloads first

Correct Answer: A

Explanation: Assigning a Deny policy at the root management group enforces the rule across all subscriptions while maintaining a single point of governance. Policy exemptions allow temporary exceptions for specific scopes without weakening the overall policy. Option B only audits non-compliant resources without preventing them — it does not enforce compliance. Option C uses custom roles, which control management-plane actions but cannot enforce data-plane or resource configuration requirements like private endpoints. Option D ignores the stated requirement for a temporary exemption for legacy workloads.
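The Deny-at-root plus scoped, expiring exemption pattern from the correct answer, as an added Az PowerShell example that is not part of the original page. It assumes the Az.Resources module, placeholder management group and subscription ids, and the `Microsoft.Storage/storageAccounts/publicNetworkAccess` policy alias that the built-in "Storage accounts should disable public network access" policy also uses.

```powershell
# Added example (not from the original page): Deny policy assigned once at the root
# management group, with a time-boxed exemption for a single legacy subscription.
# Requires the Az.Resources module. Ids below are placeholders.
$rootMgId    = 'contoso-root'                            # root management group (placeholder)
$legacySubId = '00000000-0000-0000-0000-000000000001'    # legacy subscription (placeholder)
$rootMgScope = "/providers/Microsoft.Management/managementGroups/$rootMgId"

# Rule: any storage account whose publicNetworkAccess is not explicitly Disabled is denied.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# The effect is a parameter so the same definition can run as Audit in a pilot
# assignment and Deny in the production assignment without editing the rule.
$policyParameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Deny"
  }
}
'@

$definition = New-AzPolicyDefinition `
    -Name 'deny-storage-public-network-access' `
    -DisplayName 'Storage accounts must disable public network access' `
    -Mode 'Indexed' `
    -Policy $policyRule `
    -Parameter $policyParameters `
    -ManagementGroupName $rootMgId

# One assignment at the root: all four business-unit management groups and their
# 40 subscriptions inherit it, so there is a single place to govern the rule.
$assignment = New-AzPolicyAssignment `
    -Name 'deny-storage-public-access' `
    -DisplayName 'Deny public network access on storage accounts' `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Deny' } `
    -Scope $rootMgScope

# Exemption scoped to the legacy subscription only, with a hard expiry so the
# exception cannot silently become permanent. Waiver = risk accepted as-is;
# use Mitigated when a compensating control covers the gap.
New-AzPolicyExemption `
    -Name 'legacy-storage-waiver' `
    -DisplayName 'Legacy workloads: temporary waiver for public storage access' `
    -PolicyAssignment $assignment `
    -Scope "/subscriptions/$legacySubId" `
    -ExemptionCategory 'Waiver' `
    -ExpiresOn (Get-Date).AddDays(90).ToUniversalTime() `
    -Description 'Change record: PLACEHOLDER. Remove once the legacy workloads are migrated.'

# Check: the exemption exists at the legacy subscription scope and carries an expiry.
Get-AzPolicyExemption -Scope "/subscriptions/$legacySubId" | Format-List
```

The exemption is an extension resource on the subscription, not a change to the root assignment, which is why the rest of the estate stays under Deny. The private-endpoint half of the requirement would be a second, DeployIfNotExists-style assignment on the same scope; the pattern for exempting it is identical.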

Question 15: Monitoring Architecture Design

A retail company runs a microservices application on Azure Kubernetes Service (AKS). The operations team needs end-to-end transaction tracing across services, alerts when API response times exceed 500ms, and long-term log retention for compliance. Which monitoring architecture should the architect design?

A) Deploy Application Insights with distributed tracing for each microservice, configure Azure Monitor alerts on response time metrics, and route logs to a Log Analytics workspace with a 730-day retention policy

B) Use Azure Monitor metrics only, with action groups for alerting and Azure Blob Storage for log archival

C) Deploy a third-party APM tool and send logs directly to Azure Blob Storage

D) Use Container Insights for AKS monitoring and configure diagnostic settings to send logs to an Event Hub

Correct Answer: A

Explanation: Application Insights provides distributed tracing with correlation IDs across microservices, satisfying the end-to-end tracing requirement. Azure Monitor alerts can trigger on response time metrics. A Log Analytics workspace supports retention up to 730 days (and archival to 4,383 days), meeting compliance needs. Option B lacks distributed tracing capabilities — metrics alone cannot trace a request across services. Option C introduces vendor lock-in and Blob Storage does not support efficient log querying. Option D provides container-level metrics but lacks application-level distributed tracing and Event Hub is for streaming, not long-term retention with querying.
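The alerting and retention pieces of the correct answer, as an added Az PowerShell example rather than code from the original page. It assumes the Az.Monitor, Az.ApplicationInsights and Az.OperationalInsights modules, an existing workspace-based Application Insights resource and action group with placeholder names, and a recent Az.OperationalInsights module for the per-table archive step.

```powershell
# Added example (not from the original page): response-time alert and retention
# settings for the Question 15 architecture. Resource names are placeholders.
$rg            = 'rg-retail-observability'
$appInsights   = Get-AzApplicationInsights -ResourceGroupName $rg -Name 'appi-retail-api'
$workspace     = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'log-retail'
$actionGroupId = (Get-AzActionGroup -ResourceGroupName $rg -Name 'ag-ops-oncall').Id

# Alert criterion: server response time ('requests/duration', milliseconds) averaged
# over the window above 500. Averaging over 5 minutes keeps one slow request from
# paging the on-call engineer; a single-request threshold would be a log alert instead.
$latencyOver500ms = New-AzMetricAlertRuleV2Criteria `
    -MetricNamespace 'microsoft.insights/components' `
    -MetricName 'requests/duration' `
    -TimeAggregation Average -Operator GreaterThan -Threshold 500

Add-AzMetricAlertRuleV2 `
    -Name 'api-response-time-over-500ms' `
    -ResourceGroupName $rg `
    -TargetResourceId $appInsights.Id `
    -Condition $latencyOver500ms `
    -WindowSize (New-TimeSpan -Minutes 5) `
    -Frequency (New-TimeSpan -Minutes 1) `
    -Severity 2 `
    -ActionGroupId $actionGroupId `
    -Description 'Average API response time above 500 ms over 5 minutes'

# Retention: 730 days interactive for the whole workspace. Beyond that, a per-table
# total retention keeps the request telemetry in the archive tier (search job / restore)
# for the compliance period at lower cost.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace.Name -RetentionInDays 730
Update-AzOperationalInsightsTable -ResourceGroupName $rg -WorkspaceName $workspace.Name `
    -TableName 'AppRequests' -RetentionInDays 730 -TotalRetentionInDays 2555   # roughly 7 years
```

Distributed tracing itself is not a resource you deploy; it comes from the Application Insights or OpenTelemetry SDK in each microservice propagating the operation id, which is why option A names Application Insights per service rather than a platform setting.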

Question 16: External Identity Design

A consulting firm builds a client-facing portal hosted on Azure App Service. External clients — who use various identity providers including Google, corporate Entra ID tenants, and personal Microsoft accounts — need to register and access project dashboards. The firm wants to customize the sign-up experience with company branding and collect additional profile attributes during registration.

A) Use Microsoft Entra External ID (B2B) with guest invitations for each client

B) Use Microsoft Entra External ID with customer identity and access management (CIAM) capabilities and configure custom user flows

C) Create guest accounts in the firm’s Entra ID tenant and assign them to the application

D) Build a custom authentication system using Azure SQL Database to store user credentials

Correct Answer: B

Explanation: Microsoft Entra External ID with CIAM capabilities (formerly Azure AD B2C) is designed for consumer and client-facing applications. It supports multiple identity providers, self-service sign-up, custom branding, and collecting custom attributes during registration through user flows. Option A (B2B) is designed for partner collaboration within the organization’s tenant, not public-facing self-service registration. Option C requires manual guest account creation, which does not scale. Option D builds a custom identity system, which introduces security risks and a maintenance burden that a managed identity platform such as External ID eliminates.

Question 17: Privileged Identity Management

An enterprise security team wants to reduce standing administrative access across their Azure environment. They require that Global Administrator and Subscription Owner roles are activated only when needed, with approval workflows and time-limited access windows. All privileged role activations must be auditable. What should the architect recommend?

A) Use Microsoft Entra Privileged Identity Management (PIM) with eligible role assignments, requiring approval and setting a maximum activation duration

B) Create custom Entra ID roles with fewer permissions and assign them permanently

C) Use Conditional Access policies to block administrative access outside business hours

D) Assign administrative roles using Azure RBAC at the resource group level instead of subscription level

Correct Answer: A

Explanation: Privileged Identity Management enables just-in-time role activation with approval workflows, time-bound access, and full audit trails. Eligible assignments mean users have no standing access — they must activate the role each time. Option B reduces permissions but maintains permanent assignments, which contradicts the goal of eliminating standing access. Option C controls when access happens but does not implement just-in-time activation or approval workflows. Option D changes the scope of permanent assignments but does not address the requirement for just-in-time access or approval workflows.
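The eligible assignment, activation rules and audit check from the correct answer, as an added Microsoft Graph PowerShell example that is not code from the original page. It assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Reports modules, placeholder user ids for the administrator and the approver, and the Global Administrator role template id; the role-management-policy rule ids and body shapes follow the Graph unifiedRoleManagementPolicy model as used here and should be checked against the current reference before use.

```powershell
# Added example (not from the original page): PIM configuration for Question 17.
# Requires Microsoft.Graph.Identity.Governance and Microsoft.Graph.Reports.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'RoleManagementPolicy.ReadWrite.Directory',
                        'AuditLog.Read.All'

$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator template id
$adminUserId       = '00000000-0000-0000-0000-0000000000aa'   # placeholder: the administrator
$approverUserId    = '00000000-0000-0000-0000-0000000000bb'   # placeholder: the approver

# 1. Eligible (not active) assignment: no standing access; the user must activate
#    each time. The eligibility itself expires after 180 days and must be renewed.
$eligibility = @{
    action           = 'adminAssign'
    justification    = 'Tier-0 administrator, just-in-time only (change record PLACEHOLDER)'
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = '/'
    principalId      = $adminUserId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 2. Find the role management policy bound to Global Administrator at tenant scope.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$globalAdminRoleId'"
$policyId = $policyAssignment.PolicyId

# 3. Activation rules (rule ids per the unifiedRoleManagementPolicy model; verify):
#    4-hour maximum activation, justification + MFA on activation, approval required.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment' -BodyParameter @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        isExpirationRequired = $true
        maximumDuration      = 'PT4H'
    }

Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment' -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
        enabledRules  = @('Justification', 'MultiFactorAuthentication')
    }

Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Approval_EndUser_Assignment' -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
        setting       = @{
            isApprovalRequired = $true
            approvalStages     = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                primaryApprovers                = @(@{ '@odata.type' = '#microsoft.graph.singleUser'; userId = $approverUserId })
            })
        }
    }

# 4. Audit trail: every activation request and approval is a RoleManagement audit
#    event logged by PIM, which is what the "must be auditable" requirement relies on.
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and loggedByService eq 'PIM'" -Top 10 |
    Select-Object ActivityDateTime, ActivityDisplayName, @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } }
```

Azure resource roles such as Subscription Owner follow the same model through the `RoleManagement.Directory` equivalents for Azure resources (the `roleEligibilityScheduleRequests` under `/roleManagement/directory` become `New-AzRoleEligibilityScheduleRequest` in Az.Resources); the approval and duration rules live in the subscription's PIM policy in the same way.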

Question 18: Log Analytics Workspace Design

A multinational corporation operates Azure resources across three regions: East US, West Europe, and Southeast Asia. Each region has its own compliance requirements for data residency. The central security team needs a unified view of security alerts, while regional teams need access only to their own logs. Which Log Analytics workspace design should the architect recommend?

A) A single centralized Log Analytics workspace in East US for all regions

B) One Log Analytics workspace per region with Microsoft Sentinel using cross-workspace queries for the central security view

C) One Log Analytics workspace per subscription with no cross-workspace integration

D) Use Azure Monitor metrics exclusively without Log Analytics workspaces

Correct Answer: B

Explanation: Regional workspaces satisfy data residency requirements by keeping logs in their respective regions. Microsoft Sentinel’s cross-workspace query capability lets the central security team correlate alerts across all workspaces without moving data. Resource-context RBAC on each workspace restricts regional teams to their own logs. Option A violates data residency requirements by centralizing all logs in one region. Option C satisfies data residency but provides no unified security view. Option D ignores the log analysis and querying requirements entirely — metrics alone cannot replace log-based security analysis.
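The regional-workspace layout, the per-team scoping and the central cross-workspace query from the correct answer, as an added Az PowerShell example that is not part of the original page. It assumes the Az.OperationalInsights and Az.Resources modules and placeholder object ids for the regional and central security groups; the KQL uses the `workspace()` function that Microsoft Sentinel cross-workspace analytics rules also use.

```powershell
# Added example (not from the original page): one workspace per region, read access
# scoped per team, and one cross-workspace query for the central security view.
$centralSecurityTeamId = '00000000-0000-0000-0000-0000000000c0'   # placeholder group id
$regions = @(
    @{ Name = 'log-eastus';        Rg = 'rg-logs-eastus'; Location = 'eastus';        TeamId = '00000000-0000-0000-0000-0000000000a1' }
    @{ Name = 'log-westeurope';    Rg = 'rg-logs-weu';    Location = 'westeurope';    TeamId = '00000000-0000-0000-0000-0000000000a2' }
    @{ Name = 'log-southeastasia'; Rg = 'rg-logs-sea';    Location = 'southeastasia'; TeamId = '00000000-0000-0000-0000-0000000000a3' }
)

foreach ($region in $regions) {
    # The workspace location is the residency boundary: ingested data stays in-region.
    $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $region.Rg -Name $region.Name `
        -Location $region.Location -Sku 'PerGB2018' -RetentionInDays 365

    # Regional team: reader on this workspace and nothing else.
    New-AzRoleAssignment -ObjectId $region.TeamId -RoleDefinitionName 'Log Analytics Reader' -Scope $ws.ResourceId

    # Central team: reader on every regional workspace. No data is copied; the query
    # below reaches into each workspace at run time.
    New-AzRoleAssignment -ObjectId $centralSecurityTeamId -RoleDefinitionName 'Log Analytics Reader' -Scope $ws.ResourceId
}

# Central view: a single cross-workspace query. isfuzzy=true keeps it running if one
# region has not ingested SecurityAlert yet. workspace() by name requires unique names
# across the subscriptions the caller can see; the resource-id form is unambiguous.
$crossRegionAlerts = @'
union isfuzzy=true
    workspace("log-eastus").SecurityAlert,
    workspace("log-westeurope").SecurityAlert,
    workspace("log-southeastasia").SecurityAlert
| where TimeGenerated > ago(24h)
| summarize Alerts = count(), WorkspacesReporting = dcount(TenantId) by AlertSeverity, AlertName
| order by Alerts desc
'@

# Run it from any workspace the central team can read (TenantId in the results is the
# source workspace id, so WorkspacesReporting shows how many regions saw each alert).
$queryWorkspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-logs-eastus' -Name 'log-eastus'
(Invoke-AzOperationalInsightsQuery -WorkspaceId $queryWorkspace.CustomerId -Query $crossRegionAlerts).Results |
    Format-Table AlertSeverity, AlertName, Alerts, WorkspacesReporting
```

A regional analyst running the same query sees only the workspace they hold a role on; the other `workspace()` references fail authorization rather than leaking data, which is the property the question is testing.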

Question 19: Access Reviews and Entitlement Management

A government agency grants external contractors access to Azure DevOps projects and SharePoint sites through access packages. Contracts typically last six months. The agency requires quarterly reviews of contractor access, automatic removal when access is no longer approved, and a self-service request process for new contractors. Which combination of Entra ID Governance features should the architect design?

A) Entitlement management with access packages that include an expiration policy, connected to recurring access reviews with auto-removal of denied access

B) Manual guest invitations with calendar reminders for quarterly reviews

C) Dynamic security groups based on contractor department attributes

D) Conditional Access policies that block contractor access after six months

Correct Answer: A

Explanation: Entitlement management provides self-service access request portals where contractors request access packages. Access packages bundle resources (Azure DevOps, SharePoint) with policies including expiration dates and approval workflows. Recurring access reviews automatically prompt reviewers quarterly, and denied access is removed automatically. Option B relies on manual processes that do not scale and risk missed reviews. Option C controls group membership but does not provide access request workflows, expiration, or structured reviews. Option D cannot enforce time-based expiration — Conditional Access evaluates conditions at sign-in, not tenure duration.

Question 20: Azure Key Vault Design for Secrets Management

An architect is designing a secrets management strategy for a company with production and development environments. Production secrets must have soft-delete and purge protection enabled. Access to production secrets should be limited to specific applications using managed identities, and no human user should have permission to read secret values in production. Development teams need flexibility to manage their own secrets.

A) Use a single Key Vault with access policies separating production and development secrets by naming convention

B) Deploy separate Key Vaults for production and development. Configure the production vault with RBAC, soft-delete, and purge protection. Assign the Key Vault Secrets User role to application managed identities only. Use access policies on the development vault for developer flexibility.

C) Store production secrets in Azure App Configuration and development secrets in Key Vault

D) Use a single Key Vault with purge protection and grant all developers the Key Vault Administrator role

Correct Answer: B

Explanation: Separate Key Vaults provide environment isolation — a fundamental security boundary. The production vault uses RBAC for fine-grained control, assigning the Key Vault Secrets User role only to managed identities so no human can read secret values. Soft-delete and purge protection prevent accidental or malicious deletion. The development vault allows more permissive access. Option A mixes environments in one vault, making it impossible to apply different protection levels. Option C is incorrect because Azure App Configuration is not designed for secrets storage — it lacks encryption-at-rest with HSM-backed keys. Option D grants excessive privileges to all developers in a shared vault, violating least-privilege principles.
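Questions 13 and 20 describe two halves of one design: one user-assigned identity and one Key Vault per environment, with the production vault on RBAC and purge protection and only the production identity able to read its secrets. The following is an added Az PowerShell example covering both, not code from the original page; it assumes the Az.KeyVault, Az.ManagedServiceIdentity, Az.Functions and Az.Resources modules, existing Function Apps and resource groups with placeholder names, and a placeholder object id for the developers' Entra group.

```powershell
# Added example (not from the original page): per-environment identity and vault
# isolation for Questions 13 and 20. Names and the group id are placeholders.
$location       = 'eastus'
$devTeamGroupId = '00000000-0000-0000-0000-0000000000dd'   # placeholder: developers' Entra group
$environments   = @(
    @{ Name = 'dev';  Rg = 'rg-orders-dev';  FunctionApp = 'func-orders-dev';  Production = $false }
    @{ Name = 'stg';  Rg = 'rg-orders-stg';  FunctionApp = 'func-orders-stg';  Production = $false }
    @{ Name = 'prod'; Rg = 'rg-orders-prod'; FunctionApp = 'func-orders-prod'; Production = $true  }
)

foreach ($env in $environments) {
    # 1. One user-assigned identity per environment. Its lifecycle is independent of the
    #    Function App, so a redeploy does not drop the role assignments (Q13: D over B),
    #    and dev can never present prod's identity (Q13: D over A).
    $identity = New-AzUserAssignedIdentity -ResourceGroupName $env.Rg -Name "id-orders-$($env.Name)" -Location $location

    # 2. One vault per environment (Q20). Soft-delete is always on for new vaults;
    #    purge protection and RBAC authorization are enforced on production.
    $vaultParams = @{ ResourceGroupName = $env.Rg; Name = "kv-orders-$($env.Name)"; Location = $location }

    if ($env.Production) {
        $vault = New-AzKeyVault @vaultParams -EnableRbacAuthorization -EnablePurgeProtection
        # 3. Data-plane read for the application identity only. No human principal gets
        #    Key Vault Secrets User/Officer or Key Vault Administrator here; operators keep
        #    control-plane roles, which under the RBAC model cannot read secret values.
        New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId
    }
    else {
        $vault = New-AzKeyVault @vaultParams
        # Access-policy model on non-production: the app reads, developers manage their own secrets.
        Set-AzKeyVaultAccessPolicy -VaultName $vault.VaultName -ObjectId $identity.PrincipalId -PermissionsToSecrets get, list
        Set-AzKeyVaultAccessPolicy -VaultName $vault.VaultName -ObjectId $devTeamGroupId -PermissionsToSecrets get, list, set, delete
    }

    # 4. Bind the environment's identity to its Function App; the code then resolves the
    #    vault URI from app settings and authenticates with this identity's client id.
    Update-AzFunctionApp -ResourceGroupName $env.Rg -Name $env.FunctionApp `
        -IdentityType UserAssigned -IdentityID $identity.Id -Force
}

# Check: every principal holding a secret-reading role on the production vault, including
# roles inherited from the resource group or subscription. Anything other than the
# production identity is a finding against the "no human can read secrets" requirement.
$prodVault = Get-AzKeyVault -VaultName 'kv-orders-prod'
Get-AzRoleAssignment -Scope $prodVault.ResourceId |
    Where-Object { $_.RoleDefinitionName -like 'Key Vault Secrets*' -or $_.RoleDefinitionName -eq 'Key Vault Administrator' } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

The SQL side of Question 13 is granted in the database rather than in Azure: a contained user is created from the identity's name with `CREATE USER ... FROM EXTERNAL PROVIDER` in each environment's database, so the production identity never becomes a login in the development database. The inherited-role check at the end is worth scheduling, since a `Key Vault Administrator` assignment at subscription scope would silently satisfy the `-Scope` filter and reopen the human-read path.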

Study Tips for AZ-305 Identity, Governance, and Monitoring

1. Master the identity decision tree. Know when to recommend PHS vs. PTA vs. federation based on security requirements, infrastructure constraints, and feature needs like password protection or smart lockout.

2. Think in policies, not permissions. AZ-305 frequently tests whether you can pick the right Azure Policy effect (Deny, Audit, DeployIfNotExists) for a given governance scenario. Understand how policy scope inheritance and exemptions work across management groups.

3. Match monitoring tools to requirements. Application Insights handles distributed tracing. Azure Monitor handles metrics and alerts. Log Analytics handles log queries and retention. Microsoft Defender for Cloud handles security posture. Know which tool answers which question type.

4. Understand managed identity trade-offs. System-assigned identities are simpler but tied to resource lifecycle. User-assigned identities survive redeployments and can be shared — but sharing across environments breaks isolation.

5. Study Entra ID Governance features together. Access reviews, entitlement management, and PIM often appear in the same scenario. Know how they complement each other in a Zero Trust governance model.

Continue Your AZ-305 Practice

This set covered the core identity, governance, and monitoring concepts you will encounter on the AZ-305 exam. If you have not already, work through AZ-305 Questions 1–10: Cost Optimization to strengthen your design skills across multiple domains. Tomorrow, we continue with Domain 2: Design data storage solutions — covering Cosmos DB partitioning strategies, storage redundancy options, and data lifecycle management. For the official exam outline and learning paths, visit the Microsoft AZ-305 exam page.