This exam measures your ability to accomplish the following technical tasks: design identity, governance, and monitoring solutions; design data storage solutions; design business continuity solutions; and design infrastructure solutions.
This blog covers the Designing Microsoft Azure Infrastructure Solutions.
A candidate for this certification should have advanced experience and knowledge of IT operations, including networking, virtualization, identity, security, business continuity, disaster recovery, data platforms, and governance. A professional in this role should manage how decisions in each area affect an overall solution. In addition, they should have experience in Azure administration, Azure development, and DevOps processes.
- Design identity, governance, and monitoring solutions (25-30%)
- Design data storage solutions (25-30%)
- Design business continuity solutions (10-15%)
- Design infrastructure solutions (25-30%)
Below are the top 50 Questions and Answers for AZ303, AZ304 and AZ305 Certification Exam:
What is one reason to regularly review Azure role assignments?
A. ensure naming conventions are properly applied.
B. To reduce the risk associated with stale role assignments.
C. To eliminate extra distribution groups that are no longer used.
B. An access package is a bundle of all the resources with the access a user needs to work on a project or perform their task.
C. An access package is a used to create a transitive trust between B2B organizations.
How can Discovery and insights for privileged identity management help an organization?
A. Discovery and insights can find privileged role assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM).
B. Discovery and insights can find when guest’s access resources across Azure AD.
C. Discovery and insights can find security group assignments across Azure AD, and then provide recommendations on how to secure them using Azure AD governance features like Privileged Identity Management (PIM).
Whether to assign a role to a group instead of to individual users is a strategic decision. When planning, consider assigning a role to a group to manage role assignments when the desired outcome is to delegate assigning the role and what else?
A. You want to use Conditional Access policies.
B. Many Azure resources need to be managed.
C. Many users are assigned to a role.
Which roles can only be assigned using Privileged Identity Management?
A. Permanently active roles.
B. Eligible roles.
C. Transient roles.
What is the purpose of the audit logs?
A. Azure AD audit logs provide a comparison of budgeted Azure usage compared to actual.
B. Azure AD audit logs provide records of system activities for compliance reporting.
C. Azure AD audit logs allow customer to monitor activity when provisioning new services within Azure.
Can Azure export logging data to third-party SIEM tools?
A. Yes, Azure supports exporting log data to several common third-party SIEM tools.
B. No, Azure only supports the export to Azure Sentinel.
C. Yes, Splunk is the 3rd Party SIEM Azure can export to.
A Solutions Architect wants to configure email notifications to be sent from Azure AD Domain Services when issues are detected. In Azure, where this would be configured?
A. Azure Microsoft Portal > Azure Active Directory > Monitoring > Notifications > Add email recipient.
B. Azure Microsoft Portal > Azure AD Domain Services > Notification settings > Add email recipient.
C. Azure Microsoft Portal > Notification Hubs > Azure Active Directory > Add email recipient.
You are architecting a web application that constantly reads and writes important medical imaging data in blob storage.
To ensure the web application is resilient, you have been asked to configure Azure Storage as follows:
- Protect against a regional disaster.
- Leverage synchronous replication of storage data across multiple data centers.
How would you configure Azure Storage to meet these requirements?
GZRS provides asynchronous replication to a single physical location in the secondary region. Additionally, this includes synchronous replication across three availability zones within the primary region (ZRS).
Video for reference: Storage Account Replication
You need to ensure your virtual machine boot and data volumes are encrypted. Your virtual machine is already deployed using an Azure marketplace Windows OS image and managed disks. Which tasks should you complete to enable the required encryption?
Configure a Key Vault Access Policy: A Key Vault Access Policy will be required to allow Azure Disk Encryption for volume encryption.
Create an Azure Key Vault: Azure Disk Encryption leverages a Key Vault for the secure storage of cryptographic information.
Video for reference: Azure Disk Encryption
You have configured Azure multi-factor authentication (MFA) for your company. Some staff have reported they are receiving MFA verification requests, even when they didn’t initiate any authentication themselves. They believe this might be hackers.
Which feature would you enable to help protect against this type of security issue?
Fraud alert helps users to protect against MFA verification requests they did not initiate. It provides the ability to report fraudulent attempts, as well as the ability to automatically block users who report fraud.
Reference: Fraud Alert
You are configuring a new storage account using PowerShell. The storage account must support Queue storage. The PowerShell command you are using is as follows:
New-AzStorageAccount -name "tpcstore01" -ResourceGroupName "rg1" -location "auseast" -SkuName "standard_lrs"
Which two arguments could you use to complete the PowerShell command to meet the above requirements?
You need to ensure your virtual machine boot and data volumes are encrypted. Your virtual machine is already deployed using an Azure marketplace Linux OS image and managed disks.
Which two commands would you use to enable the required encryption?
Azure Disk Encryption leverages a Key Vault for the secure storage of cryptographic information.
Azure Disk Encryption leverages a VM extension to enable BitLocker (Windows) or DM-Crypt (Linux) to encrypt boot/OS/data volumes.
CompanyA is planning on making some significant changes to their governance solution. They have asked for your assistance with recommendations and questions. Here are the specific requirements.
– Consistency across subscriptions. It appears each subscription has different policies for the creation of virtual machines. The IT department would like to standardize the policies across the Azure subscriptions.
– Ensure critical storage is highly available. There are several critical applications that use storage. The IT department wants to ensure the storage is made highly available across regions.
– Identify R&D costs. The CTO wants to know how much a new project is costing. The costs are spread out across multiple departments.
– ISO compliance. CompanyA wants to certify that it complies with the ISO 27001 standard. The standard will require resources groups, policy assignments, and templates.
How can CompanyA to ensure policies are implemented across multiple subscriptions?
Create a management group and place all the relevant subscriptions in the new management group.
A management group could include all the subscriptions. Then a policy could be scoped to the management group and applied to all the subscriptions.
How can CompanyA ensure applications use geo-redundancy to create highly available storage applications?
Add an Azure policy that requires geo-redundant storage.
An Azure policy can enforce different rules over your resource configurations.
How can CompanyA report all the costs associated with a new product?
Add a resource tag to identify which resources are used for the new product.
Resource tagging provides extra information, or metadata, about your resources. You could then run a cost report on all resources with that tag.
Which governance tool should CompanyA use for the ISO 27001 requirements?
Azure blueprints will deploy all the artifacts for ISO 27001 compliance.
You are configuring an Azure Automation runbook using the Azure sandbox.
For your runbook to work, you need to install a PowerShell module. You would like to minimize the administrative overhead for maintaining and operating your runbook.
Which option should you choose to install an additional PowerShell module?
Navigate to Shared Resources > Modules, and configure the additional module.
Additional PowerShell modules can be added to the sandbox environment for use by your runbooks.
CompanyA is planning on making some significant changes to their identity and access management solution. They have asked for your assistance on some recommendations and questions. Here are the specific requirements.
– Device access to company applications. The CTO has agreed to allow some level of device access. Employees at the company’s retail stores will now be able to access certain company applications. This access, however, should be restricted to only approved devices.
– Company reorganization. A company-wide reorganization has affected many employees. These employees are now in new roles. The IT team needs to ensure users have the correct access based on their new jobs.
– External developer accounts. A new development project requires external software developers to access company data files. The IT team needs to create user accounts for approximately five developers.
– User sign-in attempts. A recent audit of user sign-ins attempts revealed anonymous IP addresses and unusual locations. The IT team wants to require multifactor authentication for these attempted sign-ins.
How can CompanyA ensure that employees at the company’s retail stores can access company applications only from approved tablet devices?
Conditional access: Conditional Access enables you to require users to access your applications only from approved, or managed, devices.
What should CompanyA do to ensure employees have the correct permissions for their job role?
Require an access review: An access review would give managers an opportunity to validate the employees access.
What should CompanyA do to give access to the partner developers?
Invite the developers as guest users to their directory: In Business-to-Business scenarios guest user accounts are created. You can then apply the appropriate permissions
What solution would be best for the user sign-in attempts requirement?
Create a sign-in risk policy: That’s correct. A sign-in risk policy can identify anonymous IP and atypical locations. Secondary multifactor authentication can then be required.
You are working as a network administrator, managing the following virtual networks:
Location: Australia East
Address space: 10.1.0.0/16
Location: Australia Southeast
Address space: 10.1.0.0/16
You have been asked to connect
VNET2, to allow private communication between resources in each virtual network. Do you need to modify either of the two virtual networks before virtual network peering is supported?
Yes: IP address ranges cannot overlap. One of the virtual networks must have their address space changed before VNet peering would be able to be configured.
You are architecting identity management for a hybrid environment, and you plan to use Azure AD Connect with password hash sync (PHS).
It is important that you design the solution to be highly available. How would you implement high availability for the synchronization service?
Configure an additional server with Azure AD Connect in staging mode.
Azure AD Connect can be configured in staging mode, which helps with high availability.
You are responsible for monitoring a major web application for your company. The application is implemented using Azure App Service Web Apps and Application Insights.
The chief marketing officer has asked you to provide information to help analyze user behavior based on a group of characteristics. To start with, it will be a simple query looking at all active users from Australia.
Which of the following would you use to provide this information?
Cohorts leverage analytics queries to analyze users, sessions, events, or operations that have something in common (e.g., location, event, etc.). Reference: App insights
You work for a company with multiple Active Directory domains: exampledomain1.com and test.lab.com. Your company would like to use Azure AD Connect to synchronize your on-premises Active Directory domain, exampledomain1.com, with Azure AD. You do not wish to synchronize test.lab.com.
Which tasks should you complete, requiring minimal administrative effort and causing the least disruption to the existing environment?
Run the Azure AD Connect wizard, and configure Domain and OU filtering.
You are architecting a mission-critical processing solution for your company. The solution will leverage virtual machines for the processing tier, and it is critical that high performance levels are maintained at all times.
You need to leverage a managed disk that guarantees up to 900 MB/s throughput and 2,000 IOPS — but also minimizes costs.
Which of the following would you use within your solution?
Premium SSD Managed Disks: Premium SSDs provide high performance and low latency, and include guaranteed capacity, IOPS, and throughput.
CompanyA wants to reduce storage costs by reducing duplicate content and, whenever applicable, migrating it to the cloud. The company would like a solution that centralizes maintenance while still providing nation-wide access for customers. Customers should be able to browse and purchase items online even in a case of a failure affecting an entire Azure region. Here are some specific requirements.
Warranty document retention. The company’s risk and legal teams requires warranty documents be kept for three years.
New photos and videos. The company would like each product to have a photo or video to demonstrate the product features.
External vendor development. A vendor will create and develop some of the online ecommerce features. The developer will need access to the HTML files, but only during the development phase.
Product catalog updates. The product catalog is updated every few months. Older versions of the catalog aren’t viewed frequently but must be available immediately if accessed.
What is the best way for CompanyA to protect their warranty information?
Time-based retention policy: With a time-based retention policy, users can set policies to store data for a specified interval. When a time-based retention policy is in place, objects can be created and read, but not modified or deleted.
What type of storage should CompanyA use for their photos and videos?
Blob storage: That’s correct. Blob storage is best for their photos.
What is the best way to provide the developer access to the ecommerce HTML files?
Shared access signatures: That’s correct. Shared access signatures provide secure delegated access. This functionality can be used to define permissions and how long access is allowed.
Which access tier should be used for the older versions of the product catalog?
Cool access tier: That’s correct. The cool access tier is for content that wouldn’t be viewed frequently but must be available immediately if accessed.
What tool would you use to identify underutilized and idle Azure resources in order to help reduce overall spend?
Azure Advisor: Advisor helps you optimize and reduce your overall Azure spend by identifying idle and underutilized resources. Reference
You work as a network administrator for a company. You manage several virtual machines within the following virtual network:
- Address space: 10.1.0.0/16
You need to configure DNS for a VM called
VM1, that is located in
SUBNET1. DNS should be set to 188.8.131.52. All other VMs must keep their existing settings.
What should you do?
Navigate to the network interface of
VM1, DNS Servers, and enable Custom DNS Servers and set to 184.108.40.206.
You are architecting a web application that constantly reads and writes important medical imaging data in blob storage. To ensure the web application is resilient, you have proposed the use of storage account failover. Management has asked you whether any data loss might occur for this solution, in the event of a failover. How would you respond?
There may be data loss, and the extent of data loss can be estimated using the Last Sync Time.
The Last Sync Time property provides an indication of how far the secondary is behind from the primary. This can be used to estimate the extent of data loss that may occur.
What storage service should you implement for an application that streams video content?
Azure Blobs: Azure blobs are used for storing large amounts of unstructured data, such as documents, images, and video files. This service is best used for streaming audio and video, particularly over HTTP/S.
What storage service should you implement for an application that needs to access data using SMB?
Azure Files: Azure files allow you to create and maintain highly available file shares that are accessible anywhere. They can be considered as a replacement to traditional file servers. They provide SMB access.
You are architecting a mission-critical solution for your company using virtual machines.
The solution must qualify for a Microsoft service level agreement (SLA) of 99.95%.
You deploy your solution to a single virtual machine in an availability set. The virtual machine uses premium storage. Does this meet the required SLA?
No: The virtual machine does use premium storage; however, this only provides a 99.9% SLA.
You are implementing Azure Backup using the Microsoft Azure Backup Server.
Which of the following would you use to allow the server to register with your recovery services vault?
Vault Credentials: Vault Credentials are used by the Microsoft Azure Backup Server software to register with the vault.
You are developing a solution on a server hosted on-premises. The solution needs to access data within Azure Key Vault.
Which two options would you use to ensure the application has access to Azure Key Vault?
Register the application in Azure AD and use a client secret.
To allow an on-premises application to authenticate with Azure AD, it can be registered in Azure AD and given a client secret (or client certificate). If this application was hosted on a supported Azure service, it could have been possible to use a managed identity instead.
Configure an access policy in Azure Key Vault.
To allow access to Key Vault, any identity (application, user, etc.) must be provided permissions using an Access Policy.
You have a Windows virtual machine within Azure, which must be backed up.
You have the following requirements:
– Back up the virtual machine three times per day
– Include system state backups
You configure a backup to a recovery services vault using the Microsoft Azure Recovery Services (MARS) agent.
Does this fulfill the requirements above?
Yes: The Microsoft Azure Recovery Services (MARS) agent can perform backups of files, folders, and system states up to three times a day.
You are planning a migration of machines to Azure from your on-premises Hyper-V host.
You would like to estimate how much it will cost to migrate your operating machines to Azure. Which of the following two items would you include in your migration solution?
The effort required to estimate pricing, and then ultimately go on to perform a migration, should be minimized.
Azure Migrate Project: All migrations (both assessment and migration) require an Azure Migrate Project for the storage of related metadata.
You are implementing Azure Blueprints to help improve standards and compliance for your Azure environment.
You would like to ensure that when an Azure Blueprint is used, a user is assigned ‘owner’ permissions to a specific resource group defined in the blueprint.
Does Azure Blueprints provide this functionality?
Yes: Azure Blueprints includes several different artifacts, one of which is ‘Role Assignment’. This allows a user to be assigned permissions as part of the blueprint definition.
You are planning a migration from on-premises to Azure.
Your on-premises environment is made up of the following:
– VMware hosted virtual machines
– Hyper-V hosted virtual machines
– Physical servers
Will the Azure Migrate: Server Migration tool provided by Microsoft support your environment for migrations to Azure?
Yes, for VMware, Hyper-V, and physical machines. The Azure Migrate: Server Migration tool support migrating VMware VMs, Hyper-V VMs, and physical servers.
For a new container image you are developing, you need to ensure a local HTML file, index.html, is included in the image. Which command would you include in the Dockerfile?
COPY ./index.html /usr/share/nginx/html
You have developed a financial management application for your company.
It is currently hosted as an Azure App Service Web App within Azure.
To improve security, you need to ensure that the web application is only accessible when users connect from your head-office IP address of 220.127.116.11.
Within the Azure Portal settings for your web app, which section would you use to configure this security?
Networking > Access Restrictions
Access Restrictions allows you to filter inbound connectivity to Azure App service, based on the IP address of the requesting user/service.
This meets the requirements of this scenario, as an Access Restriction could be configured for the Web App. To configure this, an ALLOW rule would be created for the web app (and the management interface, SCM, if needed). Adding the ALLOW rule for the IP address of 18.104.22.168 would automatically create a DENY ALL rule, which will prevent any other network location from accessing this resource.
You are responsible for improving the availability of a web application. The web application has the following characteristics:
– Hosted using Azure App Service.
– Leverages an Azure SQL back-end.
You need to configure Azure SQL Database to meet the following needs:
Must be able to continue operations in the event of a region failure.
Must support automatic failover in the event of failure.
You must recommend a solution that requires the least amount of effort to implement, and can manage in the event of a failover. Which configuration do you recommend?
Azure SQL auto-failover group: Using Azure SQL auto-failover groups provides protection at a geographic scale. By using the read-write listener, an application will seamlessly point to the primary, even in the event of a failover. Azure SQL auto-failover groups simplify the deployment and management of geo-replicated databases. It supports replication, and failover, for one or more databases on Azure SQL Database, or Azure SQL Managed Instances. A key benefit of auto-failover groups, is the built-in management of DNS for read, and read-write listeners.
You have been asked to implement high availability for an Azure SQL Managed Instance.
The solution is critical, and data loss must be minimized. If the data platform fails you must wait 1 hour before automatic failover occurs.
You must determine: (1) How to configure replication. (2) How to configure the 1 hour delay.
Enable replication using Auto-Failover Groups. Enable the 1 hour delay using the Grace Period.
Auto-Failover Groups are supported by Azure SQL Managed Instances, and the Grace Period is used to define how many hours to wait before an automatic read/write failover occurs.
You are helping to architect a social media application.
The solution must ensure that all users read data in the order it has been completely written.
You propose the use of Cosmos DB. What else do you include in your proposal to meet the requirements?
Cosmos DB Strong Consistency: Strong consistency ensures that reads are guaranteed to return the most recent committed write. This is useful when order matters.
You need to configure high availability for Azure SQL Databases.
You would like the service to include the following:
– Automatic failover policy.
– Ability to manually failover.
– DNS management for primary read/write access.
You configure Azure SQL Active Geo-Replication. Does this meet the requirements?
No: Active Geo-Replication does not include DNS automatically managed for primary read/write access. This is a feature of auto-failover groups. The inclusion of DNS for both the primary read/write endpoint, and the secondary read endpoint, reduces the management overhead for ensuring applications are pointing to the correct resources in the event of a disaster.