Microsoft AZ-305 Exam (page: 6)
Microsoft Designing Azure Infrastructure Solutions
Updated on: 12-Jan-2026

Explanation:

Box 1: Microsoft Entra ID
Grant permissions in Microsoft Entra ID.

Box 2: Azure API Management
Configure a JWT validation policy to pre-authorize requests. Pre-authorize requests in API Management with the Validate JWT policy, by validating the access tokens of each incoming request. If a request does not have a valid token, API Management blocks it.

Reference:

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend- with-aad

Explanation:

Correct:
* Azure Activity Log
* Azure Log Analytics
Incorrect:
* Application Insights
* Azure Advisor
* Azure Analysis Services
* Azure Arc
* Azure Monitor action groups
* Azure Monitor metrics
Note:
* Azure Activity Log
Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn’t more than 90 days in the past.
Through activity logs, you can determine:
what operations were taken on the resources in your subscription who started the operation when the operation occurred the status of the operation the values of other properties that might help you research the operation

* Azure Log Analytics
The Activity log is a platform log in Azure that provides insight into subscription-level events. Activity log includes such information as when a resource is modified or when a virtual machine is started.
Activity log events are retained in Azure for 90 days and then deleted.
For more functionality, you should create a diagnostic setting to send the Activity log to one or more of these locations for the following reasons:
to Azure Monitor Logs for more complex querying and alerting, and longer retention (up to two years) to Azure Event Hubs to forward outside of Azure to Azure Storage for cheaper, long-term archiving
Note: Azure Monitor builds on top of Log Analytics, the platform service that gathers log and metrics data from all your resources. The easiest way to think about it is that Azure Monitor is the marketing name, whereas Log Analytics is the technology that powers it.

Reference:

Explanation:

Correct:
* Use Microsoft Entra entitlement management to govern external users.
* Configure Supported account types in the application registration and update the sign-in endpoint.
Incorrect:
* Configure a Conditional Access policy.
* Configure assignments for the fabrikam.com users by using Microsoft Entra Privileged Identity Management (PIM).
* Configure Microsoft Entra ID Protection.
* Configure Microsoft Entra join.
* Configure the Microsoft Entra provisioning service
* Enable Microsoft Entra pass-through authentication and update the sign-in endpoint.
Note:
* Use Microsoft Entra entitlement management to govern external users.
Govern access for external users in Microsoft Entra entitlement management Microsoft Entra entitlement management uses Microsoft Entra business-to-business (B2B) to share access so you can collaborate with people outside your organization. With Microsoft Entra B2B, external users authenticate to their home directory, but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.
* Configure Supported account types in the application registration and update the sign-in endpoint.
Identity and account types for single- and multi-tenant apps You, as a developer, can choose if your app allows only users from your Microsoft Entra tenant, any Microsoft Entra tenant, or users with personal Microsoft accounts. You can configure your app to be either single tenant or multitenant during app registration in Azure.
Note: A required part of application registration in Microsoft Entra ID is your selection of supported account types.
While IT Pros in administrator roles decide who can consent to apps in their tenant, you, as a developer, specify who can use your app based on account type.
When a tenant doesn’t allow you to register your application in Microsoft Entra ID, administrators will provide you with a way to communicate those details to them through another mechanism.
You’ll choose from the following supported account type options when registering your application.
Accounts in this organizational directory only (O365 only – Single tenant) Accounts in any organizational directory (Any Microsoft Entra directory – Multitenant) Accounts in any organizational directory (Any Microsoft Entra directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
Personal Microsoft accounts only

Incorrect:
* Configure Microsoft Entra ID Protection
Microsoft Entra ID Protection allows organizations to accomplish three key tasks: Automate the detection and remediation of identity-based risks. Investigate risks using data in the portal. Export risk detection data to other tools.

Reference:

Explanation:

Azure App Service provides built-in authentication and authorization capabilities (sometimes referred to as “Easy Auth”), so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions.
Azure App Service provides built-in authentication and authorization capabilities (sometimes referred to as “Easy Auth”), so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions.
* Microsoft Identity Platform
* Facebook
* Google
* Twitter
* Any OpenID Connect provider
Note:
A managed identity from Microsoft Entra ID allows your app to easily access other Microsoft Entra-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. For more about managed identities in Microsoft Entra ID, see Managed identities for Azure resources.
Your application can be granted two types of identities:
A system-assigned identity is tied to your application and is deleted if your app is deleted. An app can only have one system-assigned identity.
A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities.

Reference:

Explanation:

Correct:
* Azure Activity Log
* Azure Log Analytics
Incorrect:
* Application Insights
* Azure Advisor
* Azure Analysis Services
* Azure Arc
* Azure Monitor action groups
* Azure Monitor metrics
Note:
* Azure Activity Log
Activity logs are kept for 90 days. You can query for any range of dates, as long as the starting date isn’t more than 90 days in the past.
Through activity logs, you can determine:
what operations were taken on the resources in your subscription who started the operation when the operation occurred the status of the operation the values of other properties that might help you research the operation

* Azure Log Analytics
The Activity log is a platform log in Azure that provides insight into subscription-level events. Activity log includes such information as when a resource is modified or when a virtual machine is started.
Activity log events are retained in Azure for 90 days and then deleted.
For more functionality, you should create a diagnostic setting to send the Activity log to one or more of these locations for the following reasons:
to Azure Monitor Logs for more complex querying and alerting, and longer retention (up to two years) to Azure Event Hubs to forward outside of Azure to Azure Storage for cheaper, long-term archiving
Note: Azure Monitor builds on top of Log Analytics, the platform service that gathers log and metrics data from all your resources. The easiest way to think about it is that Azure Monitor is the marketing name, whereas Log Analytics is the technology that powers it.

Reference:

Explanation:

Box 1: Client Credentials flow
Client Credentials flow – The only flow that does not require immediate user interaction, usually used when the Oauth client is acting on-behalf of itself, when user-consent doesn’t make sense, or when authorization primitives could be configured out-of-band (for instance via Microsoft Entra ID)

Note: Authenticating to Azure Services
Local machines don’t support managed identities for Azure resources. As a result, the Microsoft.Azure.Services.AppAuthentication library uses your developer credentials to run in your local development environment.
When the solution is deployed to Azure, the library uses a managed identity to switch to an Oauth 2.0 client credential grant flow. This approach means you can test the same code locally and remotely without worry.

Incorrect:
* Authorization code flow – Requires user interaction and consent, typically via the web browser, to get a code which is then used to issue an access token.

* Implicit grant flow – Created for single page web / mobile webview apps, where token creation and handling is done entirely from the front end.

Box 2: Oauth 2.0 access token endpoint of Microsoft Entra ID

Example: Issuing & inspecting our first Oauth token
At this stage, we should be able to issue tokens to Service A, on behalf of Service B – let’s see that in action.

1. In Microsoft Entra application registration blade, go to Service B (as shown in previous steps)
2. In the Overview blade, Click on the `Endpoints’ button at the command bar
3. In the opened Endpoints blade, copy the Oauth 2.0 token endpoint (v2) URL
4. Issue a HTTP POST call for the given URL with the following parameters $> curl -s -XPOST <token-v2-endpoint> \
-d grant_type=client_credentials \
-d client_id=<service-b-app-id> \
-d client_secret=<service-b-client-secret> \
-d scope=<service-a-application-id-uri>/.default

5. Etc.

Reference:

https://medium.com/@dany74q/service-to-service-auth-with-azure-ad-msi-oauth-2-0-step-by-step- a1aed196b1e1
https://learn.microsoft.com/en-us/dotnet/api/overview/azure/service-to-service-authentication

Explanation:

Correct:
* Use Microsoft Entra entitlement management to govern external users.
* Configure Supported account types in the application registration and update the sign-in endpoint.

Incorrect:
* Configure a Conditional Access policy.
* Configure assignments for the fabrikam.com users by using Microsoft Entra Privileged Identity Management (PIM).
* Configure Microsoft Entra ID Protection.
* Configure Microsoft Entra join.
* Configure the Microsoft Entra provisioning service
* Enable Microsoft Entra pass-through authentication and update the sign-in endpoint.
Note:
* Use Microsoft Entra entitlement management to govern external users.
Govern access for external users in Microsoft Entra entitlement management Microsoft Entra entitlement management uses Microsoft Entra business-to-business (B2B) to share access so you can collaborate with people outside your organization. With Microsoft Entra B2B, external users authenticate to their home directory, but have a representation in your directory. The representation in your directory enables the user to be assigned access to your resources.
* Configure Supported account types in the application registration and update the sign-in endpoint.
Identity and account types for single- and multi-tenant apps You, as a developer, can choose if your app allows only users from your Microsoft Entra tenant, any Microsoft Entra tenant, or users with personal Microsoft accounts. You can configure your app to be either single tenant or multitenant during app registration in Azure.
Note: A required part of application registration in Microsoft Entra ID is your selection of supported account types.
While IT Pros in administrator roles decide who can consent to apps in their tenant, you, as a developer, specify who can use your app based on account type.
When a tenant doesn’t allow you to register your application in Microsoft Entra ID, administrators will provide you with a way to communicate those details to them through another mechanism.
You’ll choose from the following supported account type options when registering your application.
Accounts in this organizational directory only (O365 only – Single tenant) Accounts in any organizational directory (Any Microsoft Entra directory – Multitenant) Accounts in any organizational directory (Any Microsoft Entra directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
Personal Microsoft accounts only
Incorrect:
* Configure Microsoft Entra ID Protection
Microsoft Entra ID Protection allows organizations to accomplish three key tasks: Automate the detection and remediation of identity-based risks. Investigate risks using data in the portal. Export risk detection data to other tools.

Reference:

Explanation:

Box 1: Application registration in Microsoft Entra ID
To get an access token, your app must be registered with the Microsoft identity platform and be granted Microsoft Graph permissions by a user or administrator.

Note: Register your app with the Microsoft identity platform Before your app can get a token from the Microsoft identity platform, it must be registered in the Azure portal. Registration integrates your app with the Microsoft identity platform and establishes the information that it uses to get tokens, including:

Application ID: A unique identifier assigned by the Microsoft identity platform. Redirect URI/URL: One or more endpoints at which your app will receive responses from the Microsoft identity platform. (For native and mobile apps, the URI is assigned by the Microsoft identity platform.) Client secret: A password or a public/private key pair that your app uses to authenticate with the Microsoft identity platform. (Not needed for native or mobile apps.)

Box 2: Delegated permissions
Access scenarios
The method that an app uses to authenticate with the Microsoft identity platform will depend on how you want the app to access the data. This access can be in one of two ways.

Delegated access, an app acting on behalf of a signed-in user.
App-only access, an app acting with its own identity.

Note: Calendars permissions
Delegated permissions
* Calendars.Read
Read user calendars – Allows the app to read events in user calendars.

* Calendars.ReadWrite
Have full access to user calendars – Allows the app to create, read, update, and delete events in user calendars.

Incorrect:
* Application permissions
Calendar Application permissions
* Calendars.Read
Read calendars in all mailboxes – Allows the app to read events of all calendars without a signed-in user.

* Calendars.ReadWrite
Read and write calendars in all mailboxes – Allows the app to create, read, update, and delete events of all calendars without a signed-in user.

Reference:

https://learn.microsoft.com/en-us/graph/auth/auth-concepts https://learn.microsoft.com/en-us/graph/permissions-reference