This AZ-305 mixed review opens with a shift worth noting: Microsoft Build 2026 made one thing clear — agentic AI is now the primary compute interface on Azure, not a bolt-on feature. Agent 365 spans Microsoft 365, Dynamics 365, and the Power Platform. Microsoft is also doubling its AI infrastructure capacity within two years. That shift is showing up on the AZ-305 exam too: architecture questions now expect you to weave AI governance, cost management, and resilience into every design decision instead of treating them as separate topics.
This AZ-305 mixed review is the closing set in our week-long AZ-305 practice series (Questions 41–50). Instead of drilling one domain, it simulates the real exam by mixing scenarios from all four AZ-305 domains: identity and governance, data storage, business continuity, and infrastructure solutions. Work through all ten before checking your answers, just like you would on exam day.
Question 41 (AZ-305 Mixed Review): Management Group Hierarchy for a Multi-Subsidiary Company
Contoso Corp acquires two subsidiaries, each with its own Azure subscriptions. Corporate governance wants centralized policy enforcement for security baselines across all subscriptions, but each subsidiary needs autonomy over day-to-day resource deployment within its own environment. You need to design the management group structure.
A) Create one flat management group and place every subscription directly inside it
B) Create an intermediate root management group with child management groups aligned to workload archetypes (such as corp and online), and assign policies at the appropriate level in that hierarchy
C) Create a separate management group for every Azure region the subsidiaries operate in
D) Skip management groups entirely and assign Azure Policy directly to each subscription
Correct Answer: B
Explanation: The Azure landing zone reference architecture recommends an intermediate root management group with workload archetype-aligned child groups, such as corp and online, so policy applies consistently without a complicated hierarchy. This lets corporate governance enforce security baselines at a high level while subsidiaries retain control within their own management group scope. Option A fails to separate policy scope from workload autonomy, creating governance conflicts. Option C is explicitly discouraged by Microsoft guidance — you should not create management groups solely to model Azure regions unless you have location-based regulatory requirements like data residency. Option D loses the scalability benefit of applying policy once at a management group level and forces you to maintain policy assignments per subscription, which doesn’t scale as the organization grows.
Question 42: Choosing Between Azure Policy and Azure Blueprints Concepts
Fabrikam’s platform team wants every new subscription to automatically receive a consistent set of resource groups, role assignments, and policy assignments as soon as it’s provisioned, instead of enforcing restrictions after resources already exist. Which governance approach best fits this requirement?
A) Apply an Azure Policy deny effect to block noncompliant resources after they’re created
B) Use Microsoft Cost Management budgets to alert on overspend
C) Use an artifact-based deployment approach (landing zone templates or equivalent orchestration) that provisions resource groups, RBAC, and policy assignments together at subscription creation time
D) Manually configure each subscription through the Azure portal and document the steps in a runbook
Correct Answer: C
Explanation: The requirement is proactive, repeatable environment setup at provisioning time — bundling resource groups, RBAC, and policy assignments as a package that deploys consistently to every new subscription. That’s the scenario blueprint-style artifact orchestration (now expressed through landing zone deployment templates) is designed for, and it’s a recurring AZ-305 exam theme: recognizing when a design calls for consistent artifact deployment versus simple restriction enforcement. Option A only prevents noncompliant resources going forward; it doesn’t provision the baseline resource groups or RBAC the team wants. Option B addresses cost visibility, not environment consistency. Option D doesn’t scale, isn’t repeatable, and introduces human error — exactly what governance automation is meant to avoid.
Question 43: Centralizing Monitoring Data Across Subscriptions
This AZ-305 mixed review continues with a governance scenario: Woodgrove Bank runs 12 Azure subscriptions spread across three business units. Its security team needs a single place to run Kusto queries across activity logs, VM performance counters, and diagnostic data from all subscriptions, and it wants to minimize data egress costs.
A) Deploy a separate Log Analytics workspace per subscription and query each one individually
B) Deploy a centralized Log Analytics workspace in one region and configure diagnostic settings across all subscriptions to send data to it
C) Export logs to local disk on each VM and collect them manually on a schedule
D) Use Azure Storage account logging exclusively and skip Log Analytics
Correct Answer: B
Explanation: A centralized Log Analytics workspace lets you run cross-subscription Kusto queries from a single pane, which is exactly what the security team needs, and diagnostic settings can route logs from resources in any subscription into one workspace as long as RBAC and network requirements are met. Option A defeats the purpose of centralized querying and multiplies management overhead. Option C is manual, error-prone, and not scalable — it also loses near-real-time visibility. Option D drops rich query and alerting capabilities that Log Analytics and Azure Monitor provide; storage account logs are useful for long-term retention, not interactive investigation.
Question 44: Redundancy for a Regulated Healthcare File Share
Litware Health, a healthcare ISV, stores SMB file shares containing patient records on Azure Files. Compliance requires the data to survive both a datacenter-level failure and a full regional outage, and reads must still be possible from a secondary location during an outage. For this scenario, the shares use standard HDD tier.
A) Locally redundant storage (LRS)
B) Zone-redundant storage (ZRS)
C) Geo-zone-redundant storage (GZRS)
D) No redundancy configuration is needed since Azure Files replicates automatically by default
Correct Answer: C
Explanation: GZRS synchronously replicates data across three availability zones in the primary region using ZRS, then asynchronously replicates to a secondary region using LRS, giving you protection against both zone-level and full regional failures. It’s the only listed option that satisfies both requirements at once for HDD file shares. LRS (A) only protects against hardware faults within a single datacenter and offers no zone or regional protection. ZRS (B) protects against zone failures but not a full regional outage. Option D is incorrect because redundancy tier is a deliberate account-level choice you make at creation time; Azure doesn’t assume geo-redundancy by default, and GRS/GZRS is only available for HDD file shares, not SSD.
Question 45: Resolving Write Conflicts in a Multi-Region Cosmos DB Account
Northwind Traders’ global retail app uses Azure Cosmos DB for NoSQL with multi-region writes enabled across three regions to reduce write latency for local customers. However, inventory counts for the same item are occasionally updated concurrently in two regions. The team wants these conflicts resolved automatically using the most recent update, without writing custom merge logic.
A) Configure a custom conflict resolution policy with a registered merge stored procedure
B) Use the default Last-Write-Wins (LWW) conflict resolution policy based on the system timestamp
C) Disable multi-region writes and route all writes through a single region
D) Set the consistency level to Strong to prevent conflicts from occurring
Correct Answer: B
Explanation: Last-Write-Wins is the default conflict resolution policy for Cosmos DB and automatically resolves insert and replace conflicts using a system-defined timestamp, with the highest value winning — exactly the “automatic, no custom code” behavior the scenario asks for. Option A requires writing and registering a merge stored procedure, which is more effort than the requirement calls for and is meant for application-specific reconciliation logic. Option C eliminates the low-latency benefit that motivated multi-region writes in the first place and doesn’t match the stated design goal. Option D is a trap: Strong consistency isn’t available for multi-region write accounts, since it requires synchronous cross-region replication that would defeat the low write-latency purpose of multi-master writes.
Question 46: Choosing the Right Azure SQL Database Business Continuity Option
At the midpoint of this AZ-305 mixed review: Tailwind Traders’ e-commerce platform runs its order database on Azure SQL Database. The business requires downtime under 60 seconds and near-zero data loss if the primary region fails, and it wants failover to be automated instead of requiring manual restore steps.
A) Geo-restore from automated backups
B) Failover groups with active geo-replication
C) A nightly export to a BACPAC file stored in a secondary region
D) Zone-redundant configuration only, without any secondary region
Correct Answer: B
Explanation: Failover groups with active geo-replication typically deliver RTO under 60 seconds and an RPO greater than or equal to zero depending on unreplicated changes, and failover can be automatic based on a customer-managed policy — matching every requirement in the scenario. Geo-restore (A) is far slower, with RTO measured in minutes to hours since it depends on Azure storage replication and backup size, so it misses the 60-second target. A manual BACPAC export (C) is not a supported HA/DR pattern for production databases and introduces significant manual effort and data loss risk. Zone-redundant configuration alone (D) protects against a datacenter failure within the same region but does nothing if the entire region goes down, so it doesn’t satisfy the regional failure requirement.
Question 47: Designing DR for Azure IaaS Virtual Machines
Fabrikam Manufacturing runs a fleet of Azure VMs supporting its ERP system in one region. The company needs a disaster recovery solution that continuously replicates VM disks to a secondary region, supports non-disruptive recovery drills, and can be audited for compliance across the whole VM fleet.
A) Take manual VM snapshots weekly and store them in a secondary region storage account
B) Use Azure Site Recovery for Azure-to-Azure VM replication, and use Azure Policy to audit and enforce protection status
C) Configure Availability Zones only within the primary region
D) Rebuild VMs from an ARM template in the secondary region only after an outage occurs
Correct Answer: B
Explanation: Azure Site Recovery is Microsoft’s purpose-built service for Azure-to-Azure VM DR, using real-time replication and recovery automation, and it supports running recovery drills (test failovers) without impacting production workloads. Azure Policy can audit and enforce that VMs remain protected by Site Recovery, satisfying the compliance requirement. Weekly snapshots (A) don’t provide continuous replication and would allow significant data loss between snapshots. Availability Zones alone (C) protect against datacenter failures but not a full regional outage, since all zones are still in the same region. Rebuilding from a template after the fact (D) means extended downtime while VMs are recreated and data is restored, which fails the continuous-replication requirement entirely.
Question 48: Selecting an Ingress Service for a Global Web Application
This AZ-305 mixed review now shifts to networking: Adventure Works, a SaaS company, is deploying a customer-facing web application to three Azure regions worldwide. They need global HTTP/HTTPS load balancing with a built-in CDN and WAF, automatic failover between regions, and low-latency connections for users everywhere.
A) Azure Load Balancer with a single backend pool spanning all three regions
B) Azure Traffic Manager only, using performance-based routing
C) Azure Front Door, using its global edge network with built-in WAF and CDN
D) Three independent Application Gateway deployments with no global routing layer
Correct Answer: C
Explanation: Azure Front Door is the global Layer 7 service purpose-built for this scenario: it terminates connections at edge points of presence worldwide, includes built-in CDN and WAF, and provides automatic failover across regional origins over the Microsoft backbone. For most multiregion HTTP/HTTPS workloads, Microsoft’s own guidance recommends Front Door over combining Application Gateway with Traffic Manager. Azure Load Balancer (A) operates at Layer 4 within a region and can’t do global HTTP-aware routing or WAF inspection. Traffic Manager alone (B) is DNS-based and never touches application traffic, so it can’t provide CDN caching or WAF protection. Independent Application Gateway deployments without a global routing layer (D) leave users to connect to whichever regional gateway their DNS resolves to, with no automatic failover or latency-based routing.
Question 49: Balancing VM Scale Set Resiliency Against Latency
The architecture team is designing a Virtual Machine Scale Set using flexible orchestration for a latency-sensitive trading application. Specifically, they want the highest availability SLA Azure offers for VM-based compute, and they can tolerate the slightly higher inter-VM latency that comes with it.
A) Deploy the scale set as a regional (nonzonal) deployment with default fault domain spreading
B) Deploy the scale set spanning multiple Availability Zones with max spreading within each zone
C) Deploy VMs individually with no scale set and no availability configuration
D) Use an availability set instead of a scale set for the lowest possible latency and highest SLA
Correct Answer: B
Explanation: A zone-spanning scale set with flexible orchestration delivers a 99.99% availability SLA, the highest Azure offers for VM compute, because instances are placed in physically separate datacenters with independent power, cooling, and networking. Max spreading further distributes instances across fault domains within each zone for additional isolation. Option A only achieves the lower 99.95% SLA tied to fault-domain spreading within a single region, without zone-level protection. Option C provides no redundancy at all and is a single point of failure. Option D is a trap: availability sets top out at 99.95% SLA and offer lower inter-VM latency than zones because VMs stay physically closer together, but they don’t reach the 99.99% zone-spanning SLA the scenario asks for.
Question 50 (AZ-305 Mixed Review): Locking Down PaaS Access Without Exposing a Public Endpoint
To wrap up this AZ-305 mixed review: Woodgrove Financial hosts sensitive data in Azure SQL Database and wants to eliminate public internet exposure entirely. It also needs secure access from an on-premises network over ExpressRoute, and it must ensure a malicious insider on one workload can’t reach a different customer’s database instance through the same access path.
A) Configure a Virtual Network service endpoint for Microsoft.Sql on the application subnet
B) Configure a private endpoint for the specific SQL Database instance and disable public network access
C) Add the on-premises public IP address range to the SQL Database firewall allow list
D) Leave the public endpoint enabled and rely on SQL authentication alone
Correct Answer: B
Explanation: A private endpoint maps to one specific SQL Database instance rather than the entire service, so it provides strong data-exfiltration protection by design, and because it’s reachable over a routable private IP address, it works over ExpressRoute from on-premises without any public exposure. Service endpoints (A) apply at the service level (all SQL servers), don’t provide the same instance-level exfiltration protection, and can’t be reached from on-premises networks at all. Firewall IP allow-listing (C) still requires a public endpoint to remain enabled, which contradicts the “eliminate public exposure” requirement, and doesn’t stop lateral access between tenants on the same public service surface. Leaving the public endpoint open (D) fails the core requirement outright, no matter how strong the authentication is, since the attack surface itself remains exposed to the internet.
Study Tips for This AZ-305 Mixed Review
Treat mixed-domain sets like this one as a dress rehearsal, not just another quiz. A few habits make the difference on exam day:
Time yourself realistically. AZ-305 gives you roughly 2–3 minutes per question on average once you account for longer scenario items. Practice reading a scenario once, identifying the constraint that matters most, and eliminating two wrong answers quickly.
Watch for the “why,” not the “what.” Microsoft has shifted AZ-305 toward testing why you’d choose one Azure service over another rather than just what each service does. Every question above hinges on a specific requirement — RTO, cost, latency, compliance — that rules out otherwise-valid answers.
Build a mental decision table for each domain. Storage redundancy (LRS/ZRS/GRS/GZRS), business continuity options (backup vs. geo-replication vs. Site Recovery), and ingress services (Load Balancer vs. Application Gateway vs. Front Door vs. Traffic Manager) all follow “if this requirement, then this service” logic that’s worth memorizing as a table.
Don’t skip the governance and monitoring domain. It carries 25–30% exam weight, roughly the same as the infrastructure domain, but candidates often under-study it in favor of compute and networking.
Revisit missed questions after 24 hours. Spaced repetition on the concepts you got wrong — not just the specific question — builds the pattern recognition the adaptive exam format rewards.
Keep Practicing This AZ-305 Mixed Review
That wraps up this AZ-305 mixed review for this practice cycle. If you want more targeted reps, go back through AZ-305 Questions 21–30: Data Storage and AZ-305 Questions 31–40: Business Continuity for deeper domain-specific drilling. If you’re also working toward a Power Platform credential, check out our PL-200 renewal practice questions. For the official exam blueprint, review Microsoft’s AZ-305 study guide before you book your test. Good luck — you’ve got this.