Azure Solutions Architect Expert Sample Questions to Prepare for AZ-305 Exam
- CertiMaan
- Oct 10, 2025
- 15 min read
Updated: Jan 23
Master your preparation for the AZ-305 certification with these updated Azure Solutions Architect Expert Sample Questions. Designed to align with the real exam structure, these questions help you assess knowledge across networking, identity, security, business continuity, and data solutions. Explore realistic scenarios with Azure solution architect dumps, targeted exercises, and expert renewal exam questions. Whether you're taking the initial AZ-305 exam or renewing your certification, these practice sets ensure you build the confidence and accuracy needed to pass. Prepare effectively and validate your skills as a Microsoft-certified cloud professional.
Azure Solutions Architect Expert Sample Questions List :
1. A solution uses Azure Cosmos DB (SQL API). Query performance on a large container has degraded. Analysis shows a frequently run query uses `ORDER BY` on a property without an index. What is the most efficient way to improve this query's performance?
Rewrite the query to avoid using `ORDER BY`
Change the partition key to the property used in `ORDER BY`
Increase the RU/s provisioned for the container
Add a Composite Index including the property used in `ORDER BY`
2. You are designing authentication for a legacy on-premises application migrating to Azure VMs. The app uses Windows Integrated Authentication (Kerberos/NTLM) against an on-prem AD. Users will access it over the internet. What solution provides seamless SSO without modifying the application?
Implement Azure AD Domain Services (AAD DS)
Deploy Azure AD Application Proxy connectors on-premises
Use Azure AD Connect to sync users and implement OAuth in the app
Configure a Site-to-Site VPN and join VMs to on-prem AD
3. A mission-critical application uses an Azure SQL Managed Instance. You require an RPO of < 5 seconds and an RTO of < 1 minute during a regional outage, with minimal data loss. What high availability/disaster recovery solution should you implement?
Geo-Restore from backups
Active Geo-Replication with manual failover
Auto-Failover Groups with synchronous replication
Auto-Failover Groups with asynchronous replication
4. A global application uses Azure Front Door for acceleration and WAF. Backends are in multiple regions. You need to ensure users are only directed to backends in regions compliant with their data residency laws. What feature should you configure?
Front Door Health Probes
Front Door Geo-filtering policies
Front Door Routing Rules with Path-based routing
Front Door Session Affinity
5. A company uses Azure AD. You need to implement access control for an internal web app where permissions are defined by complex business rules (e.g., "User must be in Department X AND located in Region Y, OR have Job Title Z"). What is the most maintainable authorization approach?
Assign users directly to Azure AD App Roles
Implement role checks within the application code
Use Azure AD Dynamic Groups based on user attributes
Use Azure AD groups and manage membership manually
6. An IoT solution ingests millions of device telemetry events per minute. Data must be stored for 7 days for real-time dashboards, then moved to cold storage for 5 years for compliance. What is the most cost-effective storage architecture?
Azure IoT Hub -> Azure Table Storage -> Azure Disk Storage Snapshots
Azure Event Hubs -> Azure Data Explorer -> Azure Blob Archive
Azure Event Hubs -> Azure SQL Database -> Azure Blob Archive
Azure Service Bus -> Azure Cosmos DB -> Azure File Storage
7. A globally distributed application uses Azure Cosmos DB (Core SQL API) with strong consistency. Users report high latency for writes in a region geographically distant from the write region. What configuration change can reduce write latency without impacting strong consistency?
Add a read region closer to the users experiencing write latency
Move the write region closer to the users experiencing write latency
Enable Multi-region Writes
Change the default consistency level to Bounded Staleness
8. You need to simulate regional outages for an Azure application to validate resilience and failover procedures, without causing actual downtime for users. What Azure service should you use?
Azure Resource Health
Azure Chaos Studio
Azure Site Recovery Test Failover
Azure Monitor Availability Tests
9. An application uses Azure Cache for Redis. During peak load, the application experiences timeouts connecting to the cache. Metrics show high server load on the Redis instance. What is the most effective way to resolve this without application code changes?
Add more instances of Azure Cache for Redis and update connection strings
Configure Azure Traffic Manager in front of the Redis endpoint
Enable Redis clustering on the existing instance
Increase the size (SKU) of the existing Redis instance (e.g., from C2 to C3)
10. A company uses Azure Policy heavily for governance. You need to identify which policies are non-compliant across all subscriptions within a Management Group hierarchy and estimate remediation effort. What Azure service provides the best overview?
Azure Resource Graph Explorer queries
Azure Policy Compliance Dashboard (in Azure Portal or via API)
Azure Cost Management + Billing
Azure Advisor Recommendations
11. You need to deploy a highly available, zone-redundant API gateway that can apply custom logic (like JWT validation, request transformation) and integrate with an Azure Kubernetes Service (AKS) backend. What Azure service should you use?
NGINX Ingress Controller on AKS
Azure Front Door (Premium Tier)
Azure API Management (Premium Tier)
Azure Application Gateway (v2 WAF SKU)
12. You are designing network connectivity for an Azure VMware Solution (AVS) private cloud. Connectivity must be private, low-latency, and resilient without relying on public internet or VPN. What Azure networking service should you use?
Azure Virtual WAN with ExpressRoute
Azure Front Door
Site-to-Site VPN Gateway
VNet Peering
13. You are designing a highly available order processing system. Orders are ingested via an Azure Function triggered by messages in a queue. Processing each order requires 2-5 seconds and must be exactly once. The system must scale massively during unpredictable spikes. Which compute option should you recommend?
Azure Container Instances (ACI)
Azure Kubernetes Service (AKS) with KEDA autoscaling
Azure App Service Plan (Isolated v3) with auto-scaling
Azure Virtual Machine Scale Sets
14. An application uses Azure Files SMB shares. Users report slow performance when accessing files from Azure VMs in the same region. The share is using the Standard tier. What is the most likely cost-effective solution to improve performance?
Migrate to Azure Files Premium tier
Configure a VPN Gateway
Enable Azure Files large file shares
Increase the size of the Azure VMs
15. You are designing a solution for a stateful microservice requiring low-latency disk access (< 1ms), high IOPS (> 50k), and high throughput (> 1 GB/s) per instance. The service runs on Linux. Which Azure storage and compute combination is optimal?
Azure App Service (Premium v3) with Azure Files Premium
Azure Kubernetes Service (AKS) with Azure Standard SSD Disks
Azure Container Instances (ACI) with Azure Blob Storage
Azure Virtual Machines (Dsv5-series) with Azure Ultra Disks
16. You manage cost governance. A development team has VMs running 24/7 that should only run Monday-Friday, 8 AM-6 PM. What is the most reliable way to ensure they are automatically deallocated outside these hours?
Instruct developers to manually shut down VMs daily
Set Azure Policy to enforce VM shutdown tags
Implement Azure Automation schedules with Start/Stop VM during off-hours solution
Use Azure Advisor cost recommendations
17. A solution stores sensitive customer data in Azure Blob Storage. Regulatory requirements mandate that this data must be encrypted at rest using keys never processed by Microsoft services. What encryption method must you use?
Storage Service Encryption (SSE) with Microsoft Managed Keys
Customer-Provided Keys (CPK) provided on each API call
Service-Managed Keys (Platform-Managed Keys)
Customer-Managed Keys (CMK) stored in Azure Key Vault
18. You need to securely connect an on-premises network to hundreds of Azure VNets across multiple regions and Azure tenants, using private connectivity. What Azure service provides the most scalable and manageable solution?
Use Azure Virtual WAN with an ExpressRoute circuit and Virtual Hub connections
Configure VNet Peering between all VNets and the on-prem network
Implement Azure Private Link for each service
Deploy multiple Site-to-Site VPN Gateways
19. A company has a hub-spoke network topology in Azure. All internet-bound traffic from spokes must egress through a centralized Azure Firewall in the hub for inspection. What routing mechanism ensures this path is followed?
Configure User-Defined Routes (UDRs) on the GatewaySubnet
Enable BGP propagation on the Azure VPN Gateway in the hub
Configure default routes (0.0.0.0/0) in each spoke VNet's route table pointing to the Azure Firewall's private IP
Use Azure Virtual Network Manager security admin rules
20. You need to provide developers with self-service access to deploy approved ARM templates for specific environments (dev/test), while preventing modification of network security groups (NSGs) and Azure Firewall rules. What should you implement?
Azure Managed Identities with RBAC
Azure Lighthouse with custom roles
Azure Blueprints with resource locks
Azure DevOps Pipelines with manual approval gates
21. An application uses Azure SQL Database. A critical query performance has degraded over months. You suspect plan regression due to parameter sniffing. What feature can help automatically stabilize performance without code changes?
Increase the Database DTU/s or vCores
Create a covering index for the query
Rewrite the query using query hints
Enable Automatic Tuning - Force Plan
22. An application requires processing large video files (100s of GB each). Processing is parallelizable but CPU-intensive and can take hours. Compute costs must be minimized. What is the optimal Azure compute service?
Azure Functions (Consumption Plan)
Azure Virtual Machines (Reserved Instances)
Azure App Service
Azure Batch
23. A company needs to deploy identical environments (VNet, VMs, NSG, LB) to 20 different Azure regions for low-latency access. Deployment must be consistent and repeatable. What is the most efficient infrastructure-as-code (IaC) approach?
Create a Bicep module defining the environment and deploy it 20 times with different locations
Create a single ARM template using the `location` parameter and loop deployments
Create separate ARM templates for each region and deploy individually
Use the Azure Portal to deploy once and clone the resource group 19 times
24. An Azure Storage account holds critical diagnostics logs. Regulations require that these logs cannot be modified or deleted for 5 years after creation. How should you configure the storage?
Enable Immutable Blob Storage with a time-based retention policy
Set a Delete Lock on the Storage Account resource
Enable Soft Delete for Blobs
Configure Azure Backup for the Storage Account
25. An application writes millions of small telemetry blobs (< 4KB) per hour to Azure Blob Storage. Storage costs are higher than expected. What change can reduce costs most effectively?
Change the Blob Storage access tier from Hot to Cool
Enable Block Blob Tiering with an automation rule
Enable Hierarchical Namespace (Azure Data Lake Storage Gen2)
Move the blobs to Azure Archive Storage immediately
26. Your company uses Azure AD for identity management. You need to enforce multi-factor authentication (MFA) for all users when accessing Azure Portal from untrusted networks. Which solution provides the LEAST administrative overhead?
Enable Security Defaults in Azure AD
Create a Conditional Access policy requiring MFA for the Azure Portal cloud app
Configure MFA per user in the Azure AD portal
Implement Azure AD Identity Protection risk-based policies
27. You must ensure that only devices compliant with Intune policies can access SharePoint Online. What should you configure?
Conditional Access policy requiring compliant devices
Azure AD Identity Protection
SharePoint Online access policies
Azure AD PIM
28. You manage an Azure environment with resources across multiple subscriptions. How can you centrally enforce a requirement that all resources must have a "CostCenter" tag?
Use Azure Policy with an audit and deny effect
Configure Azure Management Groups
Deploy Azure Blueprints
Enable Azure AD Privileged Identity Management (PIM)
29. To centralize management of 50 Azure subscriptions, you create management groups. Which RBAC role assignments apply to all child subscriptions?
Assignments at the management group root
Assignments in individual subscriptions
Assignments in Azure AD
Assignments in resource groups
30. For regulatory compliance, you must ensure that administrative access to Azure SQL databases is reviewed every 30 days. Which Azure service should you implement?
Azure AD Access Reviews
Azure Policy
Azure Monitor alerts
Azure AD Privileged Identity Management (PIM)
31. You need to audit changes to Azure Key Vault access policies. Which solution provides detailed logs?
Azure Monitor with Key Vault diagnostics enabled
Azure Policy audit mode
Azure AD audit logs
Azure Event Grid
32. Your organization requires all virtual machines in the Production subscription to disable SSH password authentication. Which governance tool can enforce this automatically?
Azure Role-Based Access Control (RBAC)
Azure Policy
Azure Management Groups
Azure AD Conditional Access
33. Which Azure AD feature allows automatic user provisioning to SaaS applications like Salesforce?
Azure AD Connect
Azure AD Application Proxy
Azure AD SCIM (System for Cross-domain Identity Management)
Azure AD B2B
34. You need to provide a contractor with temporary contributor access to a single resource group for 4 hours. The solution must require approval from an administrator. What should you use?
Azure AD B2B collaboration
Azure AD Privileged Identity Management (PIM)
Azure RBAC custom role
Azure AD Access Packages
35. To enforce Azure governance, you need to prevent VMs larger than Standard_D4s_v3 from being deployed. What should you use?
Azure Policy with deny effect
Azure RBAC custom role
Azure Cost Management budgets
Azure Advisor recommendations
36. Which Azure AD feature allows seamless single sign-on (SSO) to on-premises applications without requiring additional federation infrastructure?
Azure AD Application Proxy
Azure AD Connect cloud sync
Azure AD Pass-through Authentication
Azure AD Domain Services
37. Which authentication method provides the highest security for Azure AD user sign-ins without requiring user hardware?
SMS-based MFA
Passwordless phone sign-in
Certificate-based authentication
OATH hardware tokens
38. You need to ensure that any new Azure resource deployed in the Finance management group automatically inherits a "Department: Finance" tag. What is the most efficient method?
Create an Azure Policy with a modify effect
Use Azure Automation runbooks
Configure Azure Blueprints
Enable Azure Cost Management
39. You need to grant an external auditor read-only access to all Azure resources in a subscription for 7 days. What is the most secure approach?
Create a custom RBAC role with read permissions and assign it to the user
Use Azure AD PIM for eligible Reader role assignment
Share the subscription’s read-only management group
Provide the auditor with a shared access signature (SAS)
40. Your company uses Azure AD for authentication. Users report being prompted for MFA too frequently. Which Conditional Access setting can reduce prompts while maintaining security?
Enable "Remember multi-factor authentication"
Set session controls to "Sign-in frequency" of 1 hour
Exclude Azure AD trusted locations
Disable MFA for compliant devices
41. Which Azure service ensures Azure AD group memberships are automatically reviewed every 90 days?
Azure AD Access Reviews
Azure AD Privileged Identity Management
Azure Policy
Azure AD Identity Governance
42. Which component is required to synchronize on-premises Active Directory user objects to Azure AD?
Azure AD Connect
Azure AD Application Proxy
Azure AD Domain Services
Azure AD B2B collaboration
43. To reduce Azure costs, you need to identify untagged resources. What Azure tool provides this?
Azure Cost Management
Azure Policy compliance report
Azure Advisor
Azure Resource Graph
44. You need to grant a user the ability to create Azure Policy assignments but not modify policy definitions. Which built-in RBAC role should you assign?
Policy Contributor
Owner
Contributor
Security Admin
45. Which Azure AD feature allows users to reset their passwords without help desk involvement?
Azure AD self-service password reset (SSPR)
Azure AD Connect writeback
Azure AD Password Protection
Azure AD Authentication Methods
46. For a hybrid identity solution, you require password hash synchronization as a backup authentication method. Which service should be enabled?
Azure AD Connect with password hash sync
Azure AD Pass-through Authentication
Azure AD Federation Services (AD FS)
Azure AD Seamless SSO
47. Which Azure service integrates with Azure AD to provide just-in-time access to Azure VMs?
Azure AD Privileged Identity Management (PIM)
Azure Bastion
Azure AD Conditional Access
Azure AD Domain Services
48. Which Azure tool provides aggregated compliance status across multiple subscriptions?
Azure Policy Compliance dashboard
Azure Advisor
Azure Cost Management
Azure Monitor Workbooks
49. To monitor sign-in risks across Azure AD, you need alerts for suspicious activities. Which service should you enable?
Azure AD Identity Protection
Azure Monitor
Azure Sentinel
Azure Security Center
50. You need to delegate permissions for a team to manage virtual networks but not VMs. Which built-in RBAC role is appropriate?
Network Contributor
Virtual Machine Contributor
Contributor
Owner
51. Which authentication method should be disabled to improve Azure AD security?
Legacy authentication protocols (e.g., IMAP, POP3)
Modern OAuth 2.0
SAML-based SSO
OpenID Connect
52. You need to enforce MFA for Azure AD users when accessing Microsoft 365 apps from unmanaged devices. What should you configure?
Conditional Access policy with device state condition
Azure AD Identity Protection user risk policy
Per-user MFA
Security Defaults
53. To meet compliance, you must ensure all Azure SQL databases have auditing enabled. How can this be automated?
Azure Policy with DeployIfNotExists effect
Azure Automation runbooks
Azure Monitor alerts
Azure Advisor recommendations
54. To secure Azure VM administrator access, you need SSH keys instead of passwords. Which Azure Policy initiative should you assign?
Azure Security Benchmark
NIST SP 800-53
CIS Microsoft Azure Foundations Benchmark
PCI DSS v3.2.1
55. Your organization uses Azure AD and on-premises AD. Users need SSO to both cloud and on-premises resources. Which solution should you deploy?
Azure AD Connect with seamless SSO
Azure AD Application Proxy
Azure AD B2B
Azure AD Domain Services
56. Which Azure AD feature allows restricting guest user access to specific applications?
Conditional Access policies
Azure AD B2B collaboration limits
Azure AD Access Reviews
Azure AD entitlement management
57. Which Azure service provides custom reports on Azure AD sign-ins and audit events?
Azure Monitor Workbooks
Azure AD reporting
Log Analytics
Azure Sentinel
58. You need to provide developers with contributor access to a resource group without allowing them to assign RBAC roles. Which built-in role should you use?
Contributor
Owner
User Access Administrator
Resource Policy Contributor
59. You need to ensure that only specific IP ranges can access the Azure management plane (Azure Portal, ARM API). What should you configure?
Azure AD Conditional Access
NSG rules
Azure Firewall
Azure RBAC
60. To monitor Azure AD conditional access policy failures, which log should you analyze?
SigninLogs
AuditLogs
AzureActivity
AADNonInteractiveUserSignInLogs
61. Which Azure AD feature prevents users from reusing previous passwords?
Azure AD Password Protection
Self-service password reset (SSPR)
Password writeback
Smart lockout
62. Which Azure governance tool packages policies, role assignments, and ARM templates for repeatable deployments?
Azure Blueprints
Azure Resource Manager
Management Groups
Azure Policy initiatives
63. You need to grant an application permissions to read Azure AD user profiles. Which authentication method should you use?
OAuth 2.0 client credentials flow
SAML assertion
ROPC (Resource Owner Password Credentials)
On-behalf-of flow
64. What is the primary purpose of Azure AD Privileged Identity Management (PIM) eligibility for roles?
Grant permanent administrative access
Provide just-in-time privileged access with approval workflows
Automate user provisioning
Enforce MFA for all users
65. Which component is required to extend Azure AD conditional access policies to on-premises applications?
Azure AD Application Proxy
Azure AD Connect Health
Azure AD Pass-through Authentication
Azure AD Domain Services
66. To enforce TLS 1.2 for all Azure Storage accounts, which Azure Policy effect is most efficient?
Deny creation of storage accounts without TLS 1.2
Audit storage accounts using older TLS versions
DeployIfNotExists to modify TLS settings
Disable storage account public access
67. To monitor Azure AD sign-in failures, which Log Analytics table should you query?
SigninLogs
AuditLogs
AzureActivity
SecurityEvent
68. Which Azure AD feature blocks sign-ins from countries where your organization has no operations?
Conditional Access location-based policies
Azure AD Identity Protection geo-blocking
Risk-based policies in Identity Protection
MFA trusted IPs
69. You need to ensure that all new storage accounts block public blob access. Which Azure Policy effect should you assign?
Deny
Audit
Modify
DeployIfNotExists
70. You need to automatically revoke access to SharePoint Online when an employee leaves the company. What must be configured?
Azure AD access reviews
Lifecycle workflows in Azure AD Identity Governance
Conditional Access session controls
SCIM provisioning with HR system integration
71. Which Azure AD feature allows dynamic group membership based on user attributes?
Azure AD dynamic groups
Azure AD access packages
Azure AD administrative units
Azure AD entitlement management
72. Which RBAC permission allows viewing Azure Policy compliance status but not modifying policies?
Reader
Policy Insights Data Writer
Security Reader
Compliance Manager Contributor
73. Which Azure service provides centralized management of multi-subscription compliance with industry standards (e.g., ISO 27001)?
Azure Policy regulatory compliance dashboard
Azure Security Center
Azure Advisor
Azure Cost Management
74. To monitor real-time Azure AD sign-in anomalies, which service streams events to Azure Event Hubs?
Azure AD diagnostic settings
Azure Monitor Log Alerts
Azure Sentinel Data Connectors
Azure Activity Log
75. Which authentication method is NOT supported for Azure AD Multi-Factor Authentication?
FIDO2 security keys
SMS
X.509 certificates
OATH hardware tokens
FAQs
1. What is the Microsoft Certified: Azure Solutions Architect Expert certification?
It’s a globally recognized credential that validates advanced expertise in designing cloud and hybrid solutions on Microsoft Azure.
2. Who should take the Azure Solutions Architect Expert certification?
Cloud professionals with experience in IT operations, networking, security, and Azure administration aiming to become Azure Solution Architects.
3. Is Azure Solutions Architect Expert worth it in 2026?
Yes, it's one of the most respected Azure certifications and is in high demand among employers worldwide.
4. What are the prerequisites for the Azure Solutions Architect Expert certification?
You should have advanced knowledge of Azure services, and it’s recommended to pass AZ-104 (Azure Administrator) before attempting the AZ-305 exam.
5. What is the Azure AZ-305 exam?
AZ-305 is the current exam required to earn the Azure Solutions Architect Expert certification, focused on solution design across Azure workloads.
6. How hard is the Azure Solutions Architect Expert exam?
It’s moderately difficult and tests real-world solution design scenarios across compute, storage, security, and networking.
7. What topics are covered in the AZ-305 exam?
Design governance, data storage, compute solutions, security, business continuity, and infrastructure solutions.
8. What is the format and duration of the AZ-305 exam?
It includes 40–60 multiple-choice and scenario-based questions, and you’ll have 150 minutes to complete the exam.
9. What score is needed to pass the AZ-305 exam?
You need a score of 700 out of 1000 to pass.
10. How do I register for the AZ-305 exam?
You can register directly through the Microsoft Certification portal or Pearson VUE.
11. Can I take the AZ-305 exam online from home?
Yes, Microsoft offers online proctored exams via Pearson VUE that you can take remotely.
12. How much does the Azure Solutions Architect Expert certification cost?
The AZ-305 exam costs $165 USD, but pricing may vary by country.
13. How long is the Azure Solutions Architect Expert certification valid?
It’s valid for 1 year and can be renewed online for free by taking a Microsoft-provided assessment.
14. What is the best way to prepare for the AZ-305 exam?
Use practice tests, review the Microsoft Learn modules, and study with updated materials from CertiMaan and Microsoft’s official site.
15. Where can I find AZ-305 dumps or mock exams?
CertiMaan offers reliable dumps and mock exams aligned with the latest AZ-305 exam objectives.
16. How long does it take to prepare for AZ-305?
On average, 4–6 weeks of focused preparation is sufficient for experienced Azure professionals.
17. What’s the difference between AZ-305 and AZ-104?
AZ-104 is for Azure Administrators, while AZ-305 focuses on designing cloud solutions, which is ideal for architects.
18. What jobs can I get with Azure Solutions Architect certification?
Roles include Azure Solutions Architect, Cloud Consultant, Infrastructure Architect, and Cloud Lead.
19. What is the average salary of Azure Solutions Architects?
Salaries typically range between $120,000 to $160,000 annually, depending on location and experience.
20. Which companies prefer Azure-certified Solutions Architects?
Major employers include Microsoft, Accenture, Infosys, TCS, Capgemini, and Fortune 500 enterprises adopting Azure.
Comments