AZ-305 Microsoft Practice Test Questions and Exam Dumps
Question No 1:
You have an Azure subscription that contains a custom application named Application1. This application was developed by an external company, Fabrikam, Ltd., and developers at Fabrikam were assigned role-based access control (RBAC) permissions to various components of Application1. All users are licensed for the Microsoft 365 E5 plan.
You need to recommend a solution that meets the following requirements:
Send a monthly email to the manager of the developers, listing the access permissions to Application1.
Automatically revoke permissions for developers if the manager does not verify their access.
Minimize development effort.
What should you recommend?
A. In Azure Active Directory (Azure AD), create an access review of Application1.
B. Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet.
C. In Azure Active Directory (Azure AD) Privileged Identity Management, create a custom role assignment for the Application1 resources.
D. Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet.
The best solution for verifying whether the Fabrikam developers still require permissions to Application1 while minimizing development effort is to use Azure AD access reviews. Here’s why Option A is the most appropriate choice:
Azure AD access reviews are a feature that lets organizations review and manage access to resources, such as applications, on a recurring schedule. They are particularly useful for keeping permissions current, and they can be configured to send periodic emails to managers asking them to confirm whether access should be retained.
In this scenario, you can configure an access review for Application1, which will automatically generate a report of access permissions. The manager will receive an email to approve or deny access for each developer. If the manager does not respond within a specified time frame, the system can automatically revoke the access.
This solution meets all the requirements:
Monthly Email to Manager: You can schedule monthly access reviews that automatically send notifications to the manager about the permissions.
Automatic Revocation: If the manager does not verify or approve the access, permissions can be automatically revoked, which satisfies the second requirement.
Minimal Development Effort: Setting up an access review in Azure AD is a straightforward, low-code solution that does not require custom scripts or complex configurations.
Option B (Azure Automation Runbook with Get-AzRoleAssignment cmdlet): While this cmdlet retrieves role assignments, it doesn't support the automatic review or notification process, and it would require additional effort to automate email notifications and revocation actions.
Option C (Azure AD Privileged Identity Management): This tool is primarily used for managing privileged roles and does not provide a simple, automated access review process for regular roles like the one in this scenario.
Option D (Azure Automation Runbook with Get-AzureADUserAppRoleAssignment cmdlet): Similar to Option B, this cmdlet retrieves app role assignments but lacks the ability to automate access reviews and notifications efficiently.
Thus, Option A offers a built-in solution within Azure AD for automating access reviews and notifications, making it the most efficient and minimal-effort choice.
Question No 2:
You have an Azure subscription with a blob container that contains multiple blobs. Ten users in the finance department of your company plan to access these blobs during the month of April only.
You need to recommend a security solution that ensures these users can access the blobs only during April.
Which security solution should you include in the recommendation?
A. Shared access signatures (SAS)
B. Conditional Access policies
C. Certificates
D. Access keys
To restrict access to the blobs in the container only during the month of April, the most appropriate security solution is Shared Access Signatures (SAS).
Shared Access Signatures (SAS) allow you to grant granular access to specific resources in Azure Storage (such as blobs) for a limited time. A SAS token is a URL that grants temporary access to the resources specified, with permissions you define, such as read or write. This solution fits your requirement of limiting access to the month of April.
Time-based Access: With SAS, you can specify an expiration time for the token. In this case, you can set the expiration to April 30th, ensuring the users can only access the blobs until that date.
Granular Permissions: You can define the exact permissions required for accessing the blobs (e.g., read or write).
Minimal Configuration: SAS tokens can be generated and distributed without complex configuration, and their exposure is limited because each token is valid only for the specified time window, scope, and permissions.
B. Conditional Access Policies: Conditional Access in Azure AD is used to enforce policies based on factors like user location, device state, or risk level. While Conditional Access is powerful for controlling sign-ins, it doesn’t provide the fine-grained access control needed to restrict access to specific Azure resources based on dates.
C. Certificates: Certificates are typically used for authentication or establishing secure communication, but they do not offer the time-based, scoped access control required for granting temporary access to blobs.
D. Access Keys: Access keys provide full access to the storage account and do not support time-based restrictions or granular permissions. This would give users more access than needed, and the access is not limited to just the month of April.
In summary, SAS is the best option because it allows for time-limited access to resources, making it the perfect fit for the scenario described.
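As an added example (not part of the original page), the following Az PowerShell script issues a read-only container SAS for the finance users that is valid only during April. It goes slightly beyond the explanation above by setting an explicit start time as well as an expiry, and by binding the token to a stored access policy so the grant can be revoked early without rotating the account key. The resource group, account, container, and policy names are assumptions.

```powershell
# Added example: time-bounded, read-only, revocable SAS for the finance container.
# Names below are assumptions, not values from the original page.
$rg            = "rg-finance"
$accountName   = "contosofinance"
$containerName = "finance-blobs"
$policyName    = "finance-april-readonly"

# The SAS is signed with the account key, so keep the key in the script scope only.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $accountName)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $key

# Validity window in UTC. The expiry is an exclusive bound, so 1 May 00:00 covers
# the whole of 30 April; an expiry of 30 April 00:00 would cut the last day off.
$start  = Get-Date "2025-04-01T00:00:00Z"
$expiry = Get-Date "2025-05-01T00:00:00Z"

# A stored access policy carries the permissions and window. Tokens that reference
# it stop working as soon as the policy is removed, which is the revocation path.
New-AzStorageContainerStoredAccessPolicy -Container $containerName -Policy $policyName `
    -Permission r -StartTime $start -ExpiryTime $expiry -Context $ctx | Out-Null

# Issue the token against the policy; HTTPS only so it cannot be replayed over HTTP.
$sasUri = New-AzStorageContainerSASToken -Name $containerName -Policy $policyName `
    -Protocol HttpsOnly -Context $ctx -FullUri

# Distribute $sasUri to the ten finance users (for example via a secure channel).
$sasUri

# Confirm what was granted before handing the token out.
Get-AzStorageContainerStoredAccessPolicy -Container $containerName -Context $ctx

# To revoke before 30 April (for example if a user leaves), delete the policy:
# Remove-AzStorageContainerStoredAccessPolicy -Container $containerName -Policy $policyName -Context $ctx
```

Because a SAS signed directly with the account key (without a policy) can only be invalidated by regenerating that key, the stored access policy is what makes the April grant both time-limited and revocable.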
Question No 3:
You have an Azure Active Directory (Azure AD) tenant that is synchronized with an on-premises Active Directory domain. You also have an internal web app (WebApp1) hosted on-premises, which uses Integrated Windows Authentication (IWA). Some users work remotely but do not have VPN access to the on-premises network.
Your goal is to provide remote users with Single Sign-On (SSO) access to WebApp1 without requiring VPN access.
Which two features should you include in the solution?
Each correct answer presents part of the solution.
(Note: Each correct selection is worth one point.)
A. Azure AD Application Proxy
B. Azure AD Privileged Identity Management (PIM)
C. Conditional Access policies
D. Azure Arc
E. Azure AD enterprise applications
F. Azure Application Gateway
To provide remote users with SSO access to WebApp1, the ideal solution would involve leveraging Azure AD Application Proxy and Azure AD enterprise applications. Here's how they solve the problem:
Azure AD Application Proxy lets you securely publish on-premises web applications for remote access without a VPN. External users reach the internal app through an Azure AD endpoint and authenticate with Azure AD (SSO); the Application Proxy connector on the internal network then uses Kerberos constrained delegation to complete the Integrated Windows Authentication (IWA) sign-in to WebApp1 on the user's behalf, so users authenticate seamlessly even from outside the corporate network.
Remote Access: Azure AD Application Proxy makes on-premises applications accessible from anywhere without the need for a direct VPN connection.
SSO Integration: The service integrates with Azure AD to support SSO, which means remote users can log in once and gain access to WebApp1 without needing to re-enter credentials.
Azure AD enterprise applications are used to configure and manage the access to both cloud and on-premises applications from within Azure AD. By using this feature, you can register WebApp1 as an enterprise application in Azure AD and configure SSO. This ensures that users can authenticate through Azure AD without needing a separate login for WebApp1, thus enabling SSO.
SSO Configuration: Azure AD enterprise applications allow you to set up SSO for internal apps that are exposed externally using the Azure AD Application Proxy.
Centralized Management: You can manage access and permissions centrally through Azure AD for both cloud and on-premises applications.
B. Azure AD Privileged Identity Management (PIM): PIM is used for managing and controlling privileged identities and access to critical resources. It’s not related to enabling remote access to internal apps.
C. Conditional Access policies: Conditional Access is used to enforce security policies based on conditions like device compliance, location, etc. While useful for securing access, it does not directly solve the problem of enabling remote access to on-premises web apps.
D. Azure Arc: Azure Arc extends Azure management to on-premises, multi-cloud, and edge environments, but it is not used for providing remote access to web apps.
F. Azure Application Gateway: Azure Application Gateway is a web traffic load balancer, and while it can be used for web app delivery, it is not the primary tool for enabling secure remote access with SSO to an on-premises application.
In conclusion, Azure AD Application Proxy and Azure AD enterprise applications provide a seamless and secure solution for remote users to access on-premises applications using SSO, while meeting the requirements for secure, VPN-free remote access to WebApp1.
Question No 4:
You have an Azure Active Directory (Azure AD) tenant named contoso.com. Within this tenant, there is a security group (Group1), which is configured with assigned membership. Group1 contains 50 members, including 20 guest users.
Your task is to recommend a solution to evaluate the membership of Group1, based on the following requirements:
The evaluation should occur automatically every three months.
Each member should have the ability to report whether they need to be in Group1.
Users who report that they no longer need to be in Group1 must be automatically removed from the group.
Users who do not report whether they need to remain in the group must also be removed automatically.
What should you recommend?
A. Implement Azure AD Identity Protection.
B. Change the Membership type of Group1 to Dynamic User.
C. Create an access review.
D. Implement Azure AD Privileged Identity Management (PIM).
The correct solution to address the requirements is to create an access review. Let’s break down why this is the most suitable option:
An access review in Azure AD is a built-in feature that helps organizations evaluate and manage user access to resources. With access reviews, you can automate the process of periodically reviewing user memberships in groups or access to applications. In this scenario, creating an access review for Group1 aligns with the requirements perfectly.
Automatic Re-evaluation Every Three Months: Access reviews can be configured to run on a recurring basis, such as every three months, which meets the requirement of automatic evaluations.
Member Reporting: During the review, users can be asked whether they need to remain in the group. This gives each member the ability to report if they need to stay in Group1.
Automatic Removal of Non-Responders or Unnecessary Members: If a user does not respond to the review or reports that they no longer need access, Azure AD can automatically remove them from the group based on the review results.
By setting up the access review in Azure AD, administrators can ensure that the membership is up-to-date and that users are only retained in the group if they actively report needing access.
A. Implement Azure AD Identity Protection: This is focused on protecting identities through risk detection and remediation (like multi-factor authentication prompts, conditional access policies, etc.). While it's useful for securing accounts, it does not address the task of managing group membership or evaluating whether users need to be part of a group.
B. Change the Membership type of Group1 to Dynamic User: This option would automatically assign users to the group based on attributes in their Azure AD profile (e.g., department, role). However, it does not fulfill the requirement of allowing members to report whether they should be part of the group, nor does it automatically remove users based on such feedback.
D. Implement Azure AD Privileged Identity Management (PIM): PIM is primarily used to manage and control privileged accounts (such as global admins or privileged roles). It is not designed for regular group membership management and cannot meet the needs of evaluating and adjusting membership in a security group based on user reports.
Thus, creating an access review provides the most efficient and automated solution for ensuring that Group1’s membership is periodically evaluated and adjusted based on user input.
Question No 5:
Your company has deployed several virtual machines (VMs) both on-premises and in Azure. The company is also using ExpressRoute for on-premises to Azure connectivity. Recently, several of the virtual machines are experiencing network connectivity issues. You need to analyze the network traffic to identify whether packets are being allowed or denied to the virtual machines.
Solution: You propose using Azure Traffic Analytics within Azure Network Watcher to analyze the network traffic.
Does this solution meet the goal?
A. Yes
B. No
The proposed solution of using Azure Traffic Analytics in Azure Network Watcher does meet the goal of identifying whether packets are being allowed or denied to the virtual machines, and here’s why:
Azure Traffic Analytics is a feature of Azure Network Watcher that provides insights into the network traffic patterns in Azure. By using this tool, you can effectively monitor and analyze the flow of traffic between your on-premises resources and your Azure virtual machines.
Traffic Flow Monitoring: Traffic Analytics uses network flow logs from Azure Network Security Groups (NSGs) to help you understand whether traffic is allowed or denied, and provides insights on network patterns, such as source and destination of the packets, protocols used, and whether the traffic is being blocked by any firewall or security policies.
Automated Traffic Analysis: It helps you detect common issues such as blocked or dropped traffic, misconfigured firewalls, or incorrect routing, making it a valuable tool in diagnosing network connectivity problems like those you're facing with your VMs.
Azure Network Watcher Integration: Since Azure Network Watcher is already configured in your environment, Traffic Analytics will leverage the flow logs generated by NSGs (Network Security Groups) and other resources, which enables you to see detailed reports of traffic behavior, highlighting the packets that are either allowed or denied by the system.
Azure Traffic Analytics in Azure Network Watcher is a tool explicitly designed to analyze network traffic in scenarios such as the one described. Other solutions such as using Azure Monitor or Azure Advisor are not focused on analyzing network flow at this granular level of allowed/denied traffic, making them less suitable for the current task.
Thus, the proposed solution using Azure Traffic Analytics in Azure Network Watcher is appropriate for diagnosing the connectivity issues and determining whether the packets are allowed or denied. Therefore, Option A (Yes) is the correct choice.
Question No 6:
Your company has deployed several virtual machines (VMs) both on-premises and in Azure. ExpressRoute is configured to provide connectivity between on-premises systems and Azure resources. Recently, you have encountered network connectivity issues with some of the virtual machines. To resolve the issues, you need to analyze the network traffic to determine whether packets are being allowed or denied by network configurations.
Solution: You are considering using Azure Advisor to analyze the network traffic.
Does this solution meet the goal?
A. Yes
B. No
While Azure Advisor is a valuable tool in optimizing the resources and configurations in your Azure environment, it does not provide the detailed traffic analysis needed to diagnose network connectivity issues between on-premises and Azure virtual machines. Here’s why Option B is the correct choice:
Azure Advisor is a service that provides recommendations on best practices for optimizing your Azure environment. It offers suggestions in areas such as:
Cost management
High availability
Security
Performance
However, Azure Advisor does not have the capability to monitor or analyze network traffic in terms of whether packets are allowed or denied by security rules, firewalls, or other configurations in your environment.
To diagnose network traffic issues such as whether packets are being allowed or denied, Azure Advisor is not the appropriate tool. The solution you're looking for should be able to analyze the flow of network packets at a more granular level. Azure Advisor can recommend configurations for optimizing your environment but does not provide detailed traffic flow logs or traffic analysis.
The appropriate solution would involve using Azure Network Watcher with tools like Traffic Analytics or IP Flow Verify, which specifically focus on monitoring and diagnosing network traffic. These tools allow you to identify whether specific packets are being allowed or denied based on network security group (NSG) rules, firewalls, and routing configurations.
Thus, Azure Advisor cannot meet the goal of analyzing the network traffic to determine if packets are being allowed or denied. The correct answer is Option B (No).
Question No 7:
Your company deploys several virtual machines (VMs) on-premises and in Azure. You have configured ExpressRoute for secure, high-performance connectivity between your on-premises environment and Azure. However, some virtual machines are experiencing network connectivity issues. To diagnose the issue, you need to analyze the network traffic to determine whether packets are being allowed or denied by network security rules, firewalls, or routing configurations.
Solution: You propose using Azure Network Watcher to run the IP flow verify tool to analyze the network traffic and verify whether packets are being allowed or denied.
Does this solution meet the goal?
A. Yes
B. No
In this scenario, Azure Network Watcher is the correct tool to analyze network traffic and diagnose connectivity issues between your on-premises systems and Azure. Specifically, IP Flow Verify is a feature within Azure Network Watcher that can help you determine whether specific packets are being allowed or denied by Network Security Groups (NSGs) or other network rules. Here’s why Option A is the correct choice:
Azure Network Watcher is a comprehensive set of tools in Azure designed to monitor and diagnose network issues. It includes several capabilities, such as:
Network diagnostic tools: For verifying connectivity, checking traffic flow, and monitoring network security.
Traffic Analytics: For deeper insights into network flow data.
IP Flow Verify: A diagnostic tool that simulates the flow of network traffic and checks whether a specific flow would be allowed or denied based on network security rules.
The IP Flow Verify tool in Azure Network Watcher specifically checks whether a given network packet would be allowed or denied based on the configured network security rules. By using this tool, you can analyze traffic between your Azure virtual machines (VMs) and the on-premises systems connected via ExpressRoute.
When running IP Flow Verify, you can input the following details:
Source IP address
Destination IP address
Source and destination port numbers
Protocol (TCP, UDP, etc.)
The tool simulates the traffic and checks it against any relevant NSG rules, firewall settings, or route tables to verify whether the traffic is being allowed or blocked.
Running IP Flow Verify using Azure Network Watcher will provide the necessary information about whether packets are being permitted or blocked due to network configurations such as NSGs or firewall rules. This allows you to effectively diagnose and resolve network connectivity issues.
Thus, the solution meets the goal, and the correct answer is Option A (Yes).
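As an added example (not part of the original page), the following Az PowerShell script runs IP flow verify against one Azure VM for a small set of inbound and outbound flows, reporting for each whether it is allowed or denied and which NSG rule decided it. The resource group, VM name, and the on-premises client address are assumptions. Note that the verdict reflects the NSG rules attached to the VM's NIC and subnet; a flow dropped by Azure Firewall or sent to the wrong next hop needs Network Watcher's next hop or connection troubleshoot tools instead.

```powershell
# Added example: check several flows to an Azure VM with Network Watcher IP flow verify.
# Names and addresses below are assumptions, not values from the original page.
$rg       = "rg-app"
$vmName   = "vm-app01"
$remoteIp = "192.168.10.25"   # on-premises client reached over ExpressRoute (assumed)

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Use the VM's actual private address as the local endpoint of each flow.
$nic     = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$localIp = $nic.IpConfigurations[0].PrivateIpAddress

# Network Watcher is a regional resource; pick the instance matching the VM's region.
$nw = Get-AzNetworkWatcher | Where-Object { $_.Location -eq $vm.Location } | Select-Object -First 1

# The flows to simulate: what the on-prem client sends in, and what the VM sends back out.
$flows = @(
    @{ Direction = "Inbound";  Protocol = "TCP"; LocalPort = 443;   RemotePort = 50000 },
    @{ Direction = "Inbound";  Protocol = "TCP"; LocalPort = 3389;  RemotePort = 50001 },
    @{ Direction = "Outbound"; Protocol = "TCP"; LocalPort = 50002; RemotePort = 1433  }
)

foreach ($f in $flows) {
    # Each call evaluates the effective NSG rules for this exact 5-tuple and direction.
    $r = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
        -Direction $f.Direction -Protocol $f.Protocol `
        -LocalIPAddress $localIp -LocalPort $f.LocalPort `
        -RemoteIPAddress $remoteIp -RemotePort $f.RemotePort

    # Access is "Allow" or "Deny"; RuleName names the NSG rule that produced the verdict.
    "{0,-8} {1} {2}:{3} <-> {4}:{5} => {6} ({7})" -f $f.Direction, $f.Protocol,
        $localIp, $f.LocalPort, $remoteIp, $f.RemotePort, $r.Access, $r.RuleName
}
```

A Deny verdict that names a default rule such as DenyAllInBound tells you no explicit rule admits the flow, while a Deny naming a custom rule points directly at the rule to review.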