
EP1 - Weekend Exam Cram : AZ-305 | 2026 – Ace the exam with Practice Questions & Expert Tips #az305
Tech with Jaspal
Overview
This video provides a comprehensive review of Azure solutions architect expert (AZ-305) exam topics, presented through a series of practice questions. It covers a wide range of Azure services, including identity and access management with Microsoft Entra ID, security features like Conditional Access and dynamic data masking, monitoring with Azure Monitor and Log Analytics, storage solutions such as Azure Blob Storage and Azure Files, database services like Azure SQL Database and Azure Cosmos DB, and governance tools like Azure Policy and tags. The explanations focus on practical application and decision-making for real-world scenarios and exam preparation.
Save this permanently with flashcards, quizzes, and AI chat
Chapters
- Use an Entra ID app registration to enable single sign-on (SSO) for web applications, allowing users to authenticate once and access multiple applications seamlessly.
- Implement Entra ID Conditional Access policies to enforce access restrictions, such as requiring company-owned devices for accessing specific applications.
- Entra ID app registration facilitates SSO by leveraging existing Entra ID join for user devices.
- Conditional Access policies are crucial for device compliance and restricting access to company-owned hardware.
- A Log Analytics workspace is the central repository for collecting and analyzing data from multiple Azure resources, including virtual machine system logs.
- The Azure Monitor agent must be installed on virtual machines to collect and send system logs to the Log Analytics workspace.
- After data collection, queries and alerts can be configured within Log Analytics to monitor specific events, such as warning events.
- This setup enables centralized monitoring of system logs across a subscription containing numerous virtual machines.
- Dynamic Data Masking (DDM) is used to obscure sensitive data in query result sets, limiting exposure to unauthorized users while leaving the underlying data unchanged.
- Transparent Data Encryption (TDE) encrypts the entire database at rest, protecting against physical file access but not controlling data visibility for authenticated users.
- Data Discovery and Classification helps identify and categorize sensitive data but does not enforce access controls.
- Role-Based Access Control (RBAC) manages access at the control plane level, not the data plane level where DDM operates.
- When an application manages its own credentials and requires users to enter a username and password, password-based SSO is the appropriate method for integration with an identity provider.
- For new applications, OpenID Connect and OAuth are recommended for SSO.
- For existing cloud applications, SAML-based authentication is preferred if supported; otherwise, password-based authentication is an option.
- For on-premises applications, SAML is preferred, followed by IWA, header-based, and finally password-based authentication as a last resort.
- System-assigned managed identities provide Azure resources, like Azure Functions, with an automatically managed identity in Microsoft Entra ID.
- This eliminates the need for manual credential management, reducing administrative effort and improving security by avoiding hardcoded secrets.
- Managed identities integrate seamlessly with other Azure services, allowing secure access to resources like activity logs without complex configuration.
- System-assigned identities are tied to the lifecycle of the Azure resource; they are created when enabled and deleted when the resource is deleted.
- Azure Policy and tags are essential for organizing resources based on operational information like environment, owner, department, and cost center.
- Tags allow for grouping resources, which is crucial for generating compliance reports and cost analysis.
- Azure policies can enforce tagging rules, ensuring that all resources are categorized correctly.
- This approach simplifies resource identification and reporting across a large number of resources.
- Azure Import/Export jobs are suitable for transferring large amounts of data (e.g., 500GB) to Azure Blob Storage by shipping physical hard drives.
- Azure Data Factory is a data integration service that can orchestrate data workflows, including copying files from on-premises servers to Azure Blob Storage.
- Both services provide efficient methods for moving data from on-premises environments to Azure.
- The choice between them often depends on the data volume, network bandwidth, and desired level of orchestration.
- Shared Access Signatures (SAS) provide limited, time-bound access to Azure storage resources like blobs.
- SAS tokens can be configured with specific permissions (read, write, delete) and an expiration date/time, ensuring access is automatically revoked.
- SAS can be generated at the storage account, container, or blob level, allowing for granular control.
- Additional restrictions can include allowed IP addresses and protocols (HTTPS only).
- Entra ID Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access to Azure resources and Entra ID roles.
- It allows for temporary elevation of privileges, requiring justification and offering features like role reviews and alerts for administrator assignments.
- PIM is suitable for temporary administrator access, reviewing role memberships, and auditing administrative activities.
- Managed Identities are used by Azure services to authenticate to other Azure resources securely.
- General-purpose v2 storage accounts and Azure Data Lake Storage Gen2 accounts support storing data for multiple users.
- Both account types can encrypt data using customer-managed keys from Azure Key Vault, providing control over encryption.
- Block blob storage within a general-purpose v2 account allows for encryption at the blob level, enabling separate keys for different users' data.
- Azure Data Lake Storage Gen2 offers a hierarchical namespace, which can be advantageous for data organization and analytics workloads.
- Azure Policy can enforce tagging rules to ensure all resources are identifiable by operational information such as environment, owner, department, and cost center.
- Tags are key-value pairs that allow for grouping and categorizing Azure resources.
- This organized approach is essential for generating accurate reports on resource usage, compliance, and costs.
- Enforcing tagging via policy is a fundamental aspect of Azure governance.
- Entra ID Access Reviews enable automated, periodic evaluation of group membership to ensure users still require access.
- Reviews can be configured to repeat automatically (e.g., every 3 months).
- Members can be prompted to self-report their need for continued access.
- Users who do not respond or indicate they no longer need access can be automatically removed from the group.
- A single Log Analytics workspace can ingest data from multiple Azure monitoring services, including Azure Monitor, Network Insights, Application Insights, Microsoft Sentinel, and VM Insights.
- Consolidating data into one workspace simplifies management, querying, and analysis.
- This approach is cost-effective and reduces the complexity of managing multiple monitoring data sources.
- The minimum number of workspaces required is one, provided all services are managed by a single team.
- Azure SQL Database, specifically the Hyperscale service tier, supports multiple read-only replicas.
- The Hyperscale tier is designed for large databases (up to 100TB) and offers automatic load balancing of read-only requests across replicas.
- This minimizes administrative effort compared to managing replicas manually.
- Premium and Business Critical tiers have limitations on accessible read-only replicas.
- To allow users from a different Entra ID tenant to authenticate to a single-tenant web app, configure the 'Supported account types' setting in the application registration.
- This setting should be changed to 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)' or similar.
- The sign-in endpoint may also need to be updated to accommodate multi-tenant authentication.
- This configuration enables users from external organizations to access your application.
- API keys should be stored as secrets in Azure Key Vault for secure management.
- Managed identities should be used for Azure virtual machines to access Azure Key Vault securely, eliminating the need to manage credentials in code.
- This approach minimizes administrative effort and enhances security by avoiding hardcoded secrets.
- Key Vault provides a centralized and secure location for managing sensitive information like API keys.
- Entra ID Identity Governance, including features like access reviews and role assignments, is ideal for managing access in dynamic team environments.
- Access reviews allow project managers to regularly verify and approve user access to project-specific applications.
- Automated prompts for project managers every 30 days ensure timely reviews.
- Role assignments ensure users only have access to the apps relevant to their current project.
- Azure Policy definitions use effects like 'DeployIfNotExists' to trigger remediation tasks when a resource is non-compliant.
- The policy definition must include the managed identity required for the remediation task to execute the associated ARM template.
- The scope of the policy assignment and RBAC roles are configured during the policy assignment process, not within the definition itself.
- This allows for automated enforcement of configurations, such as enabling Transparent Data Encryption (TDE).
- Block blob storage is optimized for high throughput and low latency, making it suitable for frequently used data.
- Azure Blob storage supports object-level immutability policies, allowing data to be protected from modification for a specified period (e.g., one year).
- The Blob service within a storage account is the appropriate service for this scenario.
- This combination meets requirements for maximizing throughput, preventing data modification, and minimizing latency.
- Azure Cosmos DB with the SQL API is suitable for ingesting and querying large volumes of data with low latency and high throughput, supporting 50,000 records per second.
- Azure Time Series Insights is specifically designed for storing, querying, and visualizing time-series data from IoT devices in near real-time.
- Both services can handle high injection rates and provide powerful querying capabilities for IoT data.
- Azure Table Storage is not optimized for real-time querying, and Azure Event Grid is for event routing, not data storage and querying.
- Azure SQL Managed Instance supports server-side distributed transactions across databases hosted on the same instance.
- This is crucial for applications requiring transactional consistency across multiple databases.
- Managed instances minimize administrative effort compared to self-managed SQL Server on VMs.
- Azure SQL Database supports client-side transactions but not server-side distributed transactions across different servers.
- Azure SQL Database is a fully managed service optimized for Online Transaction Processing (OLTP) workloads.
- It offers built-in scalability, geo-redundant backups, and supports database sizes up to 100TB with the Hyperscale service tier.
- SQL Server on Azure VMs is not a managed service and requires significant administrative effort.
- Azure Synapse Analytics is designed for OLAP workloads (data warehousing), not OLTP.
- Azure Logic Apps can orchestrate workflows, including scheduling tasks, sending notifications, and processing responses.
- Azure Functions can host and execute code, such as a PowerShell script for identifying and deleting duplicate files.
- This combination provides a serverless solution for automating the process of identifying, approving, and deleting duplicate files.
- Logic Apps can trigger Functions, and handle email notifications and approvals.
- Azure Cosmos DB with the SQL API supports SQL-like commands for querying data.
- It offers multi-master configurations, allowing writes in multiple regions for high availability and low latency.
- Cosmos DB provides automatic data distribution and configurable read replicas for low-latency global reads.
- This combination meets requirements for SQL support, multi-master writes, and low-latency reads.
- Azure Files provides a cloud-based SMB file share accessible from any location.
- Azure File Sync centralizes file shares in Azure and synchronizes them with on-premises VMs.
- This solution ensures users can access shared files quickly, even if the primary on-premises file server is inaccessible.
- Caching frequently accessed files locally via File Sync further improves performance.
- Azure Monitor Data Collection Endpoints (DCE) are used to forward logs from various sources, including VMs, to a Log Analytics workspace.
- Data Collection Rules (DCR) work with DCE to transform log data before ingestion.
- Kusto Query Language (KQL) is used within Log Analytics to query, transform, and analyze the collected log data.
- This setup enables JSON-formatted logs to be forwarded, transformed, and stored in custom tables.
- Azure Cache for Redis stores frequently accessed data in memory, significantly reducing latency for read operations.
- It offloads read requests from the backend database, improving performance during periods of high utilization.
- Azure CDN is for static content, Azure Data Factory for data integration, and Azure Synapse Analytics for OLAP, none of which are suitable for caching transactional data.
- This solution directly addresses the requirement to minimize delays in data retrieval.