NoteTube

EP1 - Weekend Exam Cram : AZ-305 | 2026 – Ace the exam with Practice Questions & Expert Tips #az305
1:57:36

EP1 - Weekend Exam Cram : AZ-305 | 2026 – Ace the exam with Practice Questions & Expert Tips #az305

Tech with Jaspal

28 chapters

Overview

This video provides a comprehensive review of Azure solutions architect expert (AZ-305) exam topics, presented through a series of practice questions. It covers a wide range of Azure services, including identity and access management with Microsoft Entra ID, security features like Conditional Access and dynamic data masking, monitoring with Azure Monitor and Log Analytics, storage solutions such as Azure Blob Storage and Azure Files, database services like Azure SQL Database and Azure Cosmos DB, and governance tools like Azure Policy and tags. The explanations focus on practical application and decision-making for real-world scenarios and exam preparation.

How was this?

Save this permanently with flashcards, quizzes, and AI chat

Chapters

  • Use an Entra ID app registration to enable single sign-on (SSO) for web applications, allowing users to authenticate once and access multiple applications seamlessly.
  • Implement Entra ID Conditional Access policies to enforce access restrictions, such as requiring company-owned devices for accessing specific applications.
  • Entra ID app registration facilitates SSO by leveraging existing Entra ID join for user devices.
  • Conditional Access policies are crucial for device compliance and restricting access to company-owned hardware.
Understanding how to configure secure and seamless access to web applications is fundamental for protecting company data and ensuring a good user experience.
Recommending an Entra ID app registration for SSO and Conditional Access policies to restrict access to company-owned devices for a web app named 'app one'.
  • A Log Analytics workspace is the central repository for collecting and analyzing data from multiple Azure resources, including virtual machine system logs.
  • The Azure Monitor agent must be installed on virtual machines to collect and send system logs to the Log Analytics workspace.
  • After data collection, queries and alerts can be configured within Log Analytics to monitor specific events, such as warning events.
  • This setup enables centralized monitoring of system logs across a subscription containing numerous virtual machines.
Effective monitoring is critical for identifying and resolving issues proactively, ensuring the health and performance of your Azure infrastructure.
To centrally monitor warning events in system logs of 300 Windows Server 2022 virtual machines, create a Log Analytics workspace and install the Azure Monitor agent on each VM.
  • Dynamic Data Masking (DDM) is used to obscure sensitive data in query result sets, limiting exposure to unauthorized users while leaving the underlying data unchanged.
  • Transparent Data Encryption (TDE) encrypts the entire database at rest, protecting against physical file access but not controlling data visibility for authenticated users.
  • Data Discovery and Classification helps identify and categorize sensitive data but does not enforce access controls.
  • Role-Based Access Control (RBAC) manages access at the control plane level, not the data plane level where DDM operates.
Protecting Personally Identifiable Information (PII) is a critical security and compliance requirement, and understanding the right tools is essential.
To ensure only privileged users can view PII in an Azure SQL database, implement dynamic data masking.
  • When an application manages its own credentials and requires users to enter a username and password, password-based SSO is the appropriate method for integration with an identity provider.
  • For new applications, OpenID Connect and OAuth are recommended for SSO.
  • For existing cloud applications, SAML-based authentication is preferred if supported; otherwise, password-based authentication is an option.
  • For on-premises applications, SAML is preferred, followed by IWA, header-based, and finally password-based authentication as a last resort.
Choosing the correct SSO method ensures secure and efficient access to applications, balancing user experience with security requirements.
For an application with 6,000 users that manages its own credentials and doesn't support identity providers, use password-based SSO for upgrading to single sign-on.
  • System-assigned managed identities provide Azure resources, like Azure Functions, with an automatically managed identity in Microsoft Entra ID.
  • This eliminates the need for manual credential management, reducing administrative effort and improving security by avoiding hardcoded secrets.
  • Managed identities integrate seamlessly with other Azure services, allowing secure access to resources like activity logs without complex configuration.
  • System-assigned identities are tied to the lifecycle of the Azure resource; they are created when enabled and deleted when the resource is deleted.
Using managed identities is the most secure and administratively efficient way for Azure services to authenticate to other Azure resources.
To recommend an authentication solution for Azure Functions reading activity logs that minimizes administrative effort, use system-assigned managed identities.
  • Azure Policy and tags are essential for organizing resources based on operational information like environment, owner, department, and cost center.
  • Tags allow for grouping resources, which is crucial for generating compliance reports and cost analysis.
  • Azure policies can enforce tagging rules, ensuring that all resources are categorized correctly.
  • This approach simplifies resource identification and reporting across a large number of resources.
Effective resource organization through tagging and policy is fundamental for governance, compliance, and accurate reporting in Azure.
To generate compliance reports for a subscription with 1,000 resources and group them by department, use Azure Policy and tags.
  • Azure Import/Export jobs are suitable for transferring large amounts of data (e.g., 500GB) to Azure Blob Storage by shipping physical hard drives.
  • Azure Data Factory is a data integration service that can orchestrate data workflows, including copying files from on-premises servers to Azure Blob Storage.
  • Both services provide efficient methods for moving data from on-premises environments to Azure.
  • The choice between them often depends on the data volume, network bandwidth, and desired level of orchestration.
Understanding different data transfer methods is key to efficiently migrating or backing up data to Azure, especially for large datasets.
To store 500GB of company files from an on-premises server to an Azure blob storage account, use either an Azure Import/Export job or Azure Data Factory.
  • Shared Access Signatures (SAS) provide limited, time-bound access to Azure storage resources like blobs.
  • SAS tokens can be configured with specific permissions (read, write, delete) and an expiration date/time, ensuring access is automatically revoked.
  • SAS can be generated at the storage account, container, or blob level, allowing for granular control.
  • Additional restrictions can include allowed IP addresses and protocols (HTTPS only).
SAS tokens are a secure way to grant temporary access to storage resources without sharing account keys, essential for controlled data sharing.
To enable access to blobs in a container only during the month of April, create a Shared Access Signature (SAS) token that expires at the end of April.
  • Entra ID Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access to Azure resources and Entra ID roles.
  • It allows for temporary elevation of privileges, requiring justification and offering features like role reviews and alerts for administrator assignments.
  • PIM is suitable for temporary administrator access, reviewing role memberships, and auditing administrative activities.
  • Managed Identities are used by Azure services to authenticate to other Azure resources securely.
Entra ID PIM is crucial for enforcing the principle of least privilege and enhancing security by managing and monitoring privileged access.
For the Quality Assurance department requiring temporary administrator access to create web apps, use Entra ID Privileged Identity Management (PIM). For the Development department needing applications to access Key Vault, use Azure Managed Identity. For the Security department reviewing administrative roles, use Entra ID PIM.
  • General-purpose v2 storage accounts and Azure Data Lake Storage Gen2 accounts support storing data for multiple users.
  • Both account types can encrypt data using customer-managed keys from Azure Key Vault, providing control over encryption.
  • Block blob storage within a general-purpose v2 account allows for encryption at the blob level, enabling separate keys for different users' data.
  • Azure Data Lake Storage Gen2 offers a hierarchical namespace, which can be advantageous for data organization and analytics workloads.
Understanding storage account capabilities for encryption is vital for meeting data security and compliance requirements.
To store data for multiple users, encrypt each user's data with a separate key, and encrypt all data with customer-managed keys, deploy blobs in a general-purpose v2 storage account or blobs in an Azure Data Lake Storage Gen2 account.
  • Azure Policy can enforce tagging rules to ensure all resources are identifiable by operational information such as environment, owner, department, and cost center.
  • Tags are key-value pairs that allow for grouping and categorizing Azure resources.
  • This organized approach is essential for generating accurate reports on resource usage, compliance, and costs.
  • Enforcing tagging via policy is a fundamental aspect of Azure governance.
Consistent tagging is a cornerstone of effective Azure governance, enabling better resource management, cost control, and compliance reporting.
To ensure all Azure resources are easily identifiable by environment, owner, department, and cost center for reporting, implement an Azure policy that enforces tagging rules.
  • Entra ID Access Reviews enable automated, periodic evaluation of group membership to ensure users still require access.
  • Reviews can be configured to repeat automatically (e.g., every 3 months).
  • Members can be prompted to self-report their need for continued access.
  • Users who do not respond or indicate they no longer need access can be automatically removed from the group.
Access reviews are critical for maintaining security hygiene by ensuring that only necessary users have access to resources, especially in dynamic environments.
To automatically evaluate the membership of a security group every 3 months, allow members to report their need for access, and automatically remove those who don't respond or opt-out, create an access review.
  • A single Log Analytics workspace can ingest data from multiple Azure monitoring services, including Azure Monitor, Network Insights, Application Insights, Microsoft Sentinel, and VM Insights.
  • Consolidating data into one workspace simplifies management, querying, and analysis.
  • This approach is cost-effective and reduces the complexity of managing multiple monitoring data sources.
  • The minimum number of workspaces required is one, provided all services are managed by a single team.
Centralizing monitoring data in a single Log Analytics workspace streamlines security operations and troubleshooting by providing a unified view of your environment.
For a monitoring solution including Azure Monitor, Network Insights, Application Insights, Microsoft Sentinel, and VM Insights managed by a single team, the minimum number of Azure Monitor Log Analytics workspaces required is one.
  • Azure SQL Database, specifically the Hyperscale service tier, supports multiple read-only replicas.
  • The Hyperscale tier is designed for large databases (up to 100TB) and offers automatic load balancing of read-only requests across replicas.
  • This minimizes administrative effort compared to managing replicas manually.
  • Premium and Business Critical tiers have limitations on accessible read-only replicas.
Utilizing the Hyperscale tier of Azure SQL Database is crucial for applications requiring high availability, scalability, and efficient handling of read-heavy workloads.
To support multiple read-only replicas, automatically load balance read-only requests, and minimize administrative effort for 50 Azure SQL databases, use Azure SQL Database in the Hyperscale service tier.
  • To allow users from a different Entra ID tenant to authenticate to a single-tenant web app, configure the 'Supported account types' setting in the application registration.
  • This setting should be changed to 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)' or similar.
  • The sign-in endpoint may also need to be updated to accommodate multi-tenant authentication.
  • This configuration enables users from external organizations to access your application.
Configuring multi-tenant authentication is essential for enabling collaboration and access for users from different organizations to your applications.
To enable users from the 'techwithjaspal.com' domain to authenticate to 'app one' which uses Entra ID for single-tenant authentication, configure the supported account types in the application registration and update the sign-in endpoint.
  • API keys should be stored as secrets in Azure Key Vault for secure management.
  • Managed identities should be used for Azure virtual machines to access Azure Key Vault securely, eliminating the need to manage credentials in code.
  • This approach minimizes administrative effort and enhances security by avoiding hardcoded secrets.
  • Key Vault provides a centralized and secure location for managing sensitive information like API keys.
Securely managing secrets like API keys is paramount for application security, and Azure Key Vault with managed identities offers a robust solution.
To store and access a third-party email service API key for an application hosted on Ubuntu VMs, use Azure Key Vault to store the API key as a secret and use managed identities for the virtual machines to access Key Vault.
  • Entra ID Identity Governance, including features like access reviews and role assignments, is ideal for managing access in dynamic team environments.
  • Access reviews allow project managers to regularly verify and approve user access to project-specific applications.
  • Automated prompts for project managers every 30 days ensure timely reviews.
  • Role assignments ensure users only have access to the apps relevant to their current project.
Entra ID Identity Governance provides the necessary tools to manage user access effectively in environments where team assignments and project needs change frequently.
To manage access for 10 web apps integrated with Entra ID where users frequently move between projects, use Entra ID Identity Governance, including access reviews for project managers to verify and remove users.
  • Azure Policy definitions use effects like 'DeployIfNotExists' to trigger remediation tasks when a resource is non-compliant.
  • The policy definition must include the managed identity required for the remediation task to execute the associated ARM template.
  • The scope of the policy assignment and RBAC roles are configured during the policy assignment process, not within the definition itself.
  • This allows for automated enforcement of configurations, such as enabling Transparent Data Encryption (TDE).
Azure Policy with 'DeployIfNotExists' and managed identities automates compliance enforcement, ensuring resources meet security and configuration standards without manual intervention.
To create an Azure policy definition that uses an ARM template to enable TDE for non-compliant Azure SQL databases, set the effect to 'DeployIfNotExists' and include the managed identity required for the remediation task in the definition.
  • Block blob storage is optimized for high throughput and low latency, making it suitable for frequently used data.
  • Azure Blob storage supports object-level immutability policies, allowing data to be protected from modification for a specified period (e.g., one year).
  • The Blob service within a storage account is the appropriate service for this scenario.
  • This combination meets requirements for maximizing throughput, preventing data modification, and minimizing latency.
Choosing the right storage account type and service is crucial for performance, data protection, and cost-effectiveness, especially for demanding workloads.
For an app storing large amounts of frequently used data, requiring maximized throughput, prevention of modification for one year, and minimized latency, recommend Block blob storage with the Blob service.
  • Azure Cosmos DB with the SQL API is suitable for ingesting and querying large volumes of data with low latency and high throughput, supporting 50,000 records per second.
  • Azure Time Series Insights is specifically designed for storing, querying, and visualizing time-series data from IoT devices in near real-time.
  • Both services can handle high injection rates and provide powerful querying capabilities for IoT data.
  • Azure Table Storage is not optimized for real-time querying, and Azure Event Grid is for event routing, not data storage and querying.
Selecting appropriate services for IoT data is key to enabling real-time monitoring, analysis, and visualization of device telemetry.
To store and query data streamed from 50,000 IoT devices at a rate of 50,000 records per second for near real-time visualization, recommend Azure Cosmos DB's SQL API and Azure Time Series Insights.
  • Azure SQL Managed Instance supports server-side distributed transactions across databases hosted on the same instance.
  • This is crucial for applications requiring transactional consistency across multiple databases.
  • Managed instances minimize administrative effort compared to self-managed SQL Server on VMs.
  • Azure SQL Database supports client-side transactions but not server-side distributed transactions across different servers.
Azure SQL Managed Instance is the recommended solution for migrating on-premises SQL Server databases that rely on server-side distributed transactions, ensuring compatibility and minimizing administrative overhead.
To migrate two on-premises SQL Server databases (DB1 and DB2) to Azure, supporting server-side transactions across them and minimizing administrative effort, host them on the same Azure SQL Managed Instance.
  • Azure SQL Database is a fully managed service optimized for Online Transaction Processing (OLTP) workloads.
  • It offers built-in scalability, geo-redundant backups, and supports database sizes up to 100TB with the Hyperscale service tier.
  • SQL Server on Azure VMs is not a managed service and requires significant administrative effort.
  • Azure Synapse Analytics is designed for OLAP workloads (data warehousing), not OLTP.
Azure SQL Database, particularly the Hyperscale tier, provides a robust, scalable, and highly available platform for OLTP databases meeting demanding requirements.
To support scaling up/down, geo-redundant backups, databases up to 75TB, and OLTP workloads, recommend Azure SQL Database with the Hyperscale service tier.
  • Azure Logic Apps can orchestrate workflows, including scheduling tasks, sending notifications, and processing responses.
  • Azure Functions can host and execute code, such as a PowerShell script for identifying and deleting duplicate files.
  • This combination provides a serverless solution for automating the process of identifying, approving, and deleting duplicate files.
  • Logic Apps can trigger Functions, and handle email notifications and approvals.
Combining Logic Apps and Functions creates a powerful, serverless automation solution for routine tasks, improving efficiency and reducing manual effort.
To automate a PowerShell script that runs hourly to find duplicate files, email an operations manager for approval, and delete files upon approval, use a combination of Azure Logic Apps and Azure Functions.
  • Azure Cosmos DB with the SQL API supports SQL-like commands for querying data.
  • It offers multi-master configurations, allowing writes in multiple regions for high availability and low latency.
  • Cosmos DB provides automatic data distribution and configurable read replicas for low-latency global reads.
  • This combination meets requirements for SQL support, multi-master writes, and low-latency reads.
Azure Cosmos DB is a globally distributed, multi-model database service that excels in scenarios requiring high availability, low latency, and flexible data models.
For an application aggregating content that requires SQL commands, multi-master writes, and guaranteed low-latency read operations, recommend Azure Cosmos DB with the SQL API.
  • Azure Files provides a cloud-based SMB file share accessible from any location.
  • Azure File Sync centralizes file shares in Azure and synchronizes them with on-premises VMs.
  • This solution ensures users can access shared files quickly, even if the primary on-premises file server is inaccessible.
  • Caching frequently accessed files locally via File Sync further improves performance.
Azure File Sync and Azure Files provide a resilient and performant solution for accessing shared files across multiple locations, ensuring business continuity.
To ensure users can access shared files quickly if the Toronto branch office file server (VM1) is inaccessible, recommend an Azure fileshare and Azure File Sync.
  • Azure Monitor Data Collection Endpoints (DCE) are used to forward logs from various sources, including VMs, to a Log Analytics workspace.
  • Data Collection Rules (DCR) work with DCE to transform log data before ingestion.
  • Kusto Query Language (KQL) is used within Log Analytics to query, transform, and analyze the collected log data.
  • This setup enables JSON-formatted logs to be forwarded, transformed, and stored in custom tables.
Azure Monitor's data collection and transformation capabilities are essential for ingesting and analyzing log data effectively for monitoring and security purposes.
To forward JSON-formatted logs from 100 Windows Server VMs with the Azure Monitor agent to a Log Analytics workspace, transform them, and store them in a table, use an Azure Monitor Data Collection Endpoint and KQL queries.
  • Azure Cache for Redis stores frequently accessed data in memory, significantly reducing latency for read operations.
  • It offloads read requests from the backend database, improving performance during periods of high utilization.
  • Azure CDN is for static content, Azure Data Factory for data integration, and Azure Synapse Analytics for OLAP, none of which are suitable for caching transactional data.
  • This solution directly addresses the requirement to minimize delays in data retrieval.
Implementing an in-memory cache like Azure Cache for Redis is a common and effective strategy for enhancing application performance and user experience by reducing database load.
To minimize delays for users retrieving data from an Azure SQL database during high utilization periods, use Azure Cache for Redis.

    Turn any lecture into study material

    Paste a YouTube URL, PDF, or article. Get flashcards, quizzes, summaries, and AI chat — in seconds.

    No credit card required

    EP1 - Weekend Exam Cram : AZ-305 | 2026 – Ace the exam with Practice Questions & Expert Tips #az305 | NoteTube | NoteTube